The authorization option based on basic access tokens and token issuing tokens relies on one or more trusted core services of the runtime system. In OPC UA environments where device onboarding according to OPC 10000-21 is possible, the DCA can act as such a privileged process and acquire a token issuing token (see ISO/IEC TS 30168). Once the DCA, which is invoked during power-up, has been provided with the token issuing token, it can distribute basic access tokens to the applications it manages. The DCA is suitable for this task since:

The DCA has an overview of all OPC UA applications on the device.

The DCA can manage all personality objects and assign appropriate access conditions when creating or administering the respective personalities.

Once the applications have been provided with basic access tokens, they can use them to become authorized to use or manage the personalities in question. Figure 26 shows the corresponding GTA API calls during the different boot stages.

Figure 26 – Use of Basic Access Token

The following stages, as shown in Figure 26, are executed for the use of basic access tokens:

  • During the provisioning of Application Instance Personality Set(s), an access policy is set before any personalities are created. When the personalities are created, the corresponding access policy handles are passed to gta_personality_create().
  • During device boot stage 0, the initial access condition is simply assumed to be met.
  • During device boot stage 1, the DCA, as a privileged application, calls gta_access_token_get_issuing() to acquire its token issuing token. Using it, the DCA calls gta_access_token_get_basic() for specific personalities and access control usages and is provided with the corresponding basic access tokens.
  • The basic access tokens may then be distributed to the applications known to the DCA and configured as authorized to use or manage certain personalities.
  • Applications must provide their basic access token via gta_context_auth_set_access_token() before each call that requires authorization.
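The staged flow above, as an added Python model written for this page; it is not part of ISO/IEC TS 30168 or of any GTA implementation. The GTA API is a C API, and the real functions named in the text (gta_access_token_get_issuing(), gta_access_token_get_basic(), gta_context_auth_set_access_token(), gta_personality_create()) have different signatures; the method names here only mirror them. The HMAC binding of a basic token to a (personality, usage) pair, the "one issuing token, only in boot stage 1" rule, the two usage kinds and the personality names are assumptions of the model. What the model does show is the point of the scheme: a basic token is useless without the matching personality and usage, and a context that has not had its token set is refused.

```python
"""Model of the basic access token flow of Figure 26 (added example, not the GTA API).

Assumptions: tokens are HMACs over (personality, usage) under a key that never
leaves the trust anchor; the issuing token is handed out once, in boot stage 1;
personalities can only be created in stage 0, where the initial access
condition is assumed to be met.
"""
import hashlib
import hmac
import secrets
from enum import Enum


class Usage(Enum):
    USE = "use"        # use the personality (e.g. authenticate with it)
    MANAGE = "manage"  # administer the personality (e.g. modify, delete)


class TrustAnchor:
    """Simulated trust anchor holding policies, personalities and contexts."""

    def __init__(self):
        self._mac_key = secrets.token_bytes(32)  # never leaves the anchor
        self._policies = {}       # policy handle -> frozenset of Usage
        self._personalities = {}  # personality name -> policy handle
        self._contexts = {}       # context handle -> [personality, token]
        self._issuing_token = None
        self.boot_stage = 0

    # --- provisioning of the Application Instance Personality Set ----------
    def access_policy_create(self, allowed):
        handle = f"policy-{len(self._policies)}"
        self._policies[handle] = frozenset(allowed)
        return handle

    def personality_create(self, name, policy_handle):
        if self.boot_stage != 0:  # stage 0: initial access condition assumed
            raise PermissionError("personality creation only in boot stage 0")
        if policy_handle not in self._policies:
            raise KeyError(policy_handle)
        self._personalities[name] = policy_handle

    # --- boot stage 1: the privileged DCA acquires tokens -------------------
    def access_token_get_issuing(self):
        if self.boot_stage != 1 or self._issuing_token is not None:
            raise PermissionError("issuing token: once, and only in stage 1")
        self._issuing_token = secrets.token_bytes(32)
        return self._issuing_token

    def _mint(self, personality, usage):
        msg = personality.encode() + b"\0" + usage.value.encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def access_token_get_basic(self, issuing_token, personality, usage):
        if self._issuing_token is None or not hmac.compare_digest(
                issuing_token, self._issuing_token):
            raise PermissionError("invalid token issuing token")
        if personality not in self._personalities:
            raise KeyError(personality)
        if usage not in self._policies[self._personalities[personality]]:
            raise PermissionError(f"{usage.value} not allowed by policy")
        return self._mint(personality, usage)

    # --- application side ------------------------------------------------------
    def context_open(self, personality):
        handle = f"ctx-{len(self._contexts)}"
        self._contexts[handle] = [personality, None]
        return handle

    def context_auth_set_access_token(self, ctx, token):
        self._contexts[ctx][1] = token

    def _authorize(self, ctx, usage):
        personality, token = self._contexts[ctx]
        if token is None or not hmac.compare_digest(
                token, self._mint(personality, usage)):
            raise PermissionError(f"{usage.value} on {personality} denied")

    def personality_use(self, ctx):
        self._authorize(ctx, Usage.USE)
        return f"used {self._contexts[ctx][0]}"

    def personality_manage(self, ctx):
        self._authorize(ctx, Usage.MANAGE)
        return f"managed {self._contexts[ctx][0]}"


def _attempt(call, ctx):
    try:
        return call(ctx)
    except PermissionError:
        return "denied"


def run_boot_sequence():
    """Walk through the stages of Figure 26 and record what is allowed."""
    ta = TrustAnchor()
    results = {}
    # Provisioning: policy first, then personalities bound to its handle.
    policy = ta.access_policy_create({Usage.USE, Usage.MANAGE})
    ta.personality_create("opcua-server-app", policy)   # constructed names
    ta.personality_create("opcua-client-app", policy)
    # Stage 0: no issuing token yet, even for the DCA.
    try:
        ta.access_token_get_issuing()
        results["issuing_in_stage0"] = "granted"
    except PermissionError:
        results["issuing_in_stage0"] = "denied"
    # Stage 1: the DCA acquires its issuing token, then a basic token.
    ta.boot_stage = 1
    tit = ta.access_token_get_issuing()
    server_use = ta.access_token_get_basic(tit, "opcua-server-app", Usage.USE)
    # Distribution: the server application receives only the USE token.
    ctx = ta.context_open("opcua-server-app")
    results["use_without_token"] = _attempt(ta.personality_use, ctx)
    ta.context_auth_set_access_token(ctx, server_use)
    results["use_with_token"] = _attempt(ta.personality_use, ctx)
    results["manage_with_use_token"] = _attempt(ta.personality_manage, ctx)
    # A token is bound to its personality: replaying it elsewhere fails.
    other = ta.context_open("opcua-client-app")
    ta.context_auth_set_access_token(other, server_use)
    results["replay_on_other_personality"] = _attempt(ta.personality_use, other)
    return results
```

Calling run_boot_sequence() returns a dictionary in which only "use_with_token" succeeds; the stage 0 issuing request, the call on a context without a token, the management call with a use-only token and the replay of the server token on the client personality are all denied. The MAC-based binding is only one way to realise the check; a real trust anchor may keep an internal table of issued tokens instead, which is why this detail is labelled an assumption.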