27 result(s) for AccessToken
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
3.1.2 AccessToken
AccessToken digitally signed document that asserts that the subject is entitled to access a Resource Note 1 to entry: The document includes the name of the subject and the Resource
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
3.1.14 AuthorizationService
AuthorizationService Server which validates a request to access a Resource returns an AccessToken that grants access to the Resource Note 1 to entry: The AuthorizationService is also called STS (Security
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
3.1.18 Claim
Claim statement in an AccessToken that asserts information about the subject which the Authorization Service knows to be true Note 1 to entry: Claims can include username, email, and Roles
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
4.5.2.5 Session-less Service invocation
User Authentication and/or Application Authentication can also be established by the use of an AccessToken which is obtained from an AuthorizationService (see OPC 10000-6 for details). Session-less communication
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
5.2.3 User Authentication
subsequent ActivateSession call. For session-less services User Authentication can be accomplished using an AccessToken which is obtained from an AuthorizationService (see OPC 10000-6 for details). This does require
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
6.2.1 Overview
identity provider which validates the user credentials before the external Authorization Service creates an Access Token that tells the Server what the user is allowed to do. The Client
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
system. It validates the credentials provided by the Client and returns an Identity Access Token which identifies the user. The Identity Access Token is passed to the Application Authorization Service ... which validates the Client and Server applications and creates a new Access Token that can be used to access the Server
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
6.3.1 Description
SessionlessInvoke Service. Session-less Services are invoked via a SecureChannel using the Access Token returned from the Authorization Service as the authenticationToken in the requestHeader. The SecureChannel shall have encryption ... enabled to prevent eavesdroppers from seeing the Access Token. The Access Token provides the user authentication. If application authentication through the SecureChannel is sufficient, Servers may not require the Access
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.5.2.3 Access Tokens
supports signatures using asymmetric cryptography which implies that Servers which accept the Access Token must have access to the Certificate used by the Authorization Service. All Access Tokens shall have ... expire and all Servers should revoke any privileges granted to the Session when the Access Token expires. If the Server allows for anonymous users, the Server could allow the Session
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.5.3.2 Authorization Code
passed to the Authorization Service. The Authorization Service validates the code and returns an Access Token to the Client. The complete flow is described in IETF
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
7.4.2 Session-less Services
token with a UserName/Password or a Bearer token (see IETF RFC 6750) with an AccessToken provided by an AuthorizationService. The HTTP Accept-Language header is used to specify the locales
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.1 Overview
rules assigned to the Roles known to the Server are used to populate an AccessToken with the Roles associated with the UserIdentity provided when the Client submits the request. This
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
AuthorizationService are listed in Table 143. Table 143 - Privileges for an AuthorizationService Name Description AccessToken Requestor This Privilege grants an OPC UA Application the right to request AccessTokens. The Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.3 Implicit
Certificate and any UserIdentityToken associated with the Session is used to determine whether an AccessToken is permitted and what claims are available. This use case is illustrated in Figure ... Authorization Server" determines if the Client is permitted to receive an AccessToken and populates it with any claims granted to the Client. The AccessToken includes a list of network
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.4 Explicit
Authorization Server" determines if the Client is permitted to receive an AccessToken and populates it with any claims granted to the Client. The StartRequestToken and FinishRequestToken Methods
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.5 Chained
case, where the UserIdentityToken provided to the "Authorization Server" is an AccessToken issued by an "Identity Provider". This is useful in systems where the IT infrastructure
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.4 AuthorizationServiceType
verify that the ServiceCertificate is not revoked or otherwise invalid before returning any AccessToken to Clients. When a CertificateManager pushes the configuration to a target Server, the CertificateManager is responsible ... SupportedRoles Property specifies the system-wide Roles which may be included in an AccessToken. Each target Server uses mapping rules (see OPC 10000-18) to specify the relationship between
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
used with unencrypted UserName IdentityTokens. Use StartRequestToken instead. RequestAccessToken is used to request an AccessToken from an AuthorizationService. The scenarios where this Method is used are described fully ... AccessTokenRequestor Privilege (see 9.2). Signature RequestAccessToken ( [in] UserIdentityToken IdentityToken [in] String ResourceId [out] String AccessToken ); Argument Description IdentityToken The identity used to authorize the AccessToken request. ResourceId The identifier
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.6 StartRequestToken
StartRequestToken The StartRequestToken Method is used to initiate a new request for an AccessToken. The PolicyId provided shall identify one of the UserTokenPolicies for the AuthorizationService Object. The contents ... ServiceData [out] Guid RequestId ); Argument Description ResourceId The identifier for the Resource that the AccessToken is used to access. This is usually the ApplicationUri for a Server. Shall
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.7 FinishRequestToken
FinishRequestToken The FinishRequestToken Method is used to complete a request for an AccessToken from an AuthorizationService. It is called after calling StartRequestToken defined in 9.6.6. The RequestedRoles are used ... restrict the permissions that are granted to the AccessToken. If RequestedRoles are not provided the AuthorizationService includes all Roles available to the UserIdentityToken provided in the call. The SupportedRoles Property
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.8 RefreshToken
RefreshToken The RefreshToken Method is used to request an AccessToken from an AuthorizationService using a cached RefreshToken. The CurrentRefreshToken shall only be accepted if the ClientCertificate used to create ... AccessTokenRequestor Privilege (see 9.2). Signature RefreshToken ( [in] String ResourceId [in] String CurrentRefreshToken [out] String AccessToken [out] DateTime AccessTokenExpiryTime [out] String NewRefreshToken [out] DateTime NewRefreshTokenExpiryTime ); Argument Description ResourceId The identifier
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
AccessTokenRequestedAuditEventType This event is raised when an AccessToken is requested as a result of a FinishRequestToken Method being called. This Event and its subtypes are security related and Servers shall
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
AccessTokenIssuedAuditEventType This event is raised when an AccessToken is issued. This is the result of a RequestAccessToken Method completing. This Event and its subtypes are security related and Servers shall ... AccessTokenIssuedAuditEventType Definition References NodeClass BrowseName DataType TypeDefinition Modelling Rule Attribute Value BrowseName 2:AccessTokenIssuedAuditEventType IsAbstract True Subtype of the 0:AuditUpdateMethodEventType defined in OPC 10000-5. Conformance Units
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
5.4.5.3 Key acquisition handshakes
GetSecurityKeys Method may use SessionlessInvoke Service calls. These calls typically use an Access Token that is retrieved from an Authorization Service. Both concepts are defined in OPC 10000-4. Figure
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
Service The SKS is a Server that exposes a Method called GetSecurityKeys. The Access Token is used to determine if the calling application is allowed to access the keys ... identified by the GetSecurityKeys Method arguments. Publishers and Subscribers can request keys if the Access Token they provide is mapped to Roles that have been granted Permission to Browse
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.3 IdentityMappingRuleType
criteriaType is Role, the criteria is a name of a restriction found in the Access Token. For example, the Role "subscriber" may only be allowed to access PubSub ... related Nodes. If the issuedTokenType of the Access Token is "http://opcfoundation.org/UA/UserToken#JWT", the criteria contains one of the entries in the roles array of the JWT IssuedIdentityToken
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.4 IdentityCriteriaType
user Certificate. Role 3 The rule is a Role specified in an Access Token. GroupId 4 The rule is a user group specified in the Access Token. Anonymous