Search
43 result(s) for AuthorizationService
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.14 AuthorizationService: Server which validates a request to access a Resource and returns an AccessToken that grants access to the Resource. Note 1 to entry: The AuthorizationService is also called STS (Security
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.28 Identity Provider: Security Principal and returns a token which can be passed to an associated Authorization Service
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: Figure 1. OPC UA also defines global services such as Certificate management, KeyCredential management, AuthorizationService, and GlobalDiscoveryServer (GDS) to help manage security and other global functionality. Figure
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 4.5.2.5 Session-less Service invocation: also be established by the use of an AccessToken which is obtained from an AuthorizationService (see OPC 10000-6 for details). Session-less communication is restricted to encrypted communication channels
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: credentials sent over the network by encryption as described in 5.2.5. When an AuthorizationService is used for identity verification, securing the user identity is out of scope ... user credentials, such as password guessing or social engineering. The risk from a compromised AuthorizationService can be minimized by restricting Server access in additional manners, such as from specific applications
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 5.2.3 User Authentication: services User Authentication can be accomplished using an AccessToken which is obtained from an AuthorizationService (see OPC 10000-6 for details). This does require that an encrypted communication channel
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 8.1 Overview: plant or entire system. In addition, this Server can include CertificateManager, KeyCredentialService and AuthorizationService (defined in OPC 10000-12). There are multiple methods of accessing a GDS: Servers can register
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.2.1 Overview: concert with an external identity provider which validates the user credentials before the external Authorization Service creates an Access Token that tells the Server what the user is allowed ... shown in 6.2.3. Even when the Server requires the Client to use an external Authorization Service, the Server is still responsible for managing and enforcing the Permissions assigned to Nodes
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: IssuedIdentityToken defined in 7.40.6. The protocol to request tokens depends on the Authorization Service (AS). Common protocols include OAuth2 and OPC UA. OAuth2 supports claims based authorization as described
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: this model the user identities are still managed by a central Authorization Service. The interactions are shown in Figure 25. Figure 25 - Direct handshake with an Identity Provider. The UserTokenPolicy ... returned from the Server provides the URL of the Authorization Service and the identity provider. If the Application Authorization Service is linked with the GDS, it knows of all Servers
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.3.1 Description: less Services are invoked via a SecureChannel using the Access Token returned from the Authorization Service as the authenticationToken in the requestHeader. The SecureChannel shall have encryption enabled to prevent
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.1 Overview: The UserIdentityToken structure used in the Server Service Set allows Clients to specify the identity of the user they are acting on behalf of. The exact mechanism used ... X.509 v3 Certificate. IssuedIdentityToken: A user identified by a token issued by an external Authorization Service
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.6 IssuedIdentityToken: The IssuedIdentityToken is used to pass SecurityTokens issued by an external Authorization Service to the Server. These tokens may be text or binary. OAuth2 defines a standard ... parameter. Table 191 - IssuedIdentityToken (Name / Type / Description): IssuedIdentityToken, structure: The token provided by an Authorization Service. policyId, String: An identifier for the UserTokenPolicy that the token conforms to. The UserTokenPolicy
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.41 UserTokenPolicy: specified if TokenType is ISSUEDTOKEN. issuerEndpointUrl, String: An optional string which depends on the Authorization Service. The meaning of this value depends on the issuedTokenType. Further details for the different
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.42 UserTokenType: CERTIFICATE (2): An X.509 v3 Certificate token. ISSUEDTOKEN (3): Any token issued by an Authorization Service
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.2.2 User Token Policy: Servers that support JWT authentication shall provide a UserTokenPolicy which specifies the Authorization Service which provides the token and the parameters used to access that service. The parameters ... UserIdentityToken. ua:resourceId, String, Yes: The URI identifying the Server to the Authorization Service. The default value is the Server's ApplicationUri. ua:authorityUrl, String, Yes: The base
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.2.3 Access Tokens: which accept the Access Token must have access to the Certificate used by the Authorization Service. All Access Tokens shall have a signature created by the token issuer. Access Tokens ... call ActivateSession before the old Access Token expires. The JWT format allows the Authorization Service to insert any number of fields. The mandatory fields are defined in IETF
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.3.1 General: provides a web-based mechanism to request claims-based Access Tokens from an Authorization Service (AS) that is supported by many major companies providing cloud infrastructure. These Access Tokens
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.3.2 Authorization Code: Provider validates the Identity Provider returns an authorization code which is passed to the Authorization Service. The Authorization Service validates the code and returns an Access Token to the Client ... requestType of "authorization_code" in the UserTokenPolicy (see 6.5.2) means the Authorization Service supports the authorization code flow
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.3.3 Refresh Token: Identity Provider. This flow is initiated when the Client sends the refresh token to the Authorization Service which validates it and returns an Access Token. A Client that saves the refresh ... defined since support for refresh tokens is determined by checking the response to an authorization code request
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.3.4 Client Credentials: prompt a human user for input. This flow requires a secret known to the Authorization Service which the Client application can protect. This flow is initiated when the Client sends ... client_secret to the Authorization Service which validates it and returns an Access Token. The complete flow is described in IETF RFC 6749, Clause 4.4. A requestType of "client_credentials
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.4.2 Session-less Services: Bearer token (see IETF RFC 6750) with an AccessToken provided by an AuthorizationService. The HTTP Accept-Language header is used to specify the locales to use for the request
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: also be a KeyCredentialService. Note 3 to entry: a GDS may also be an AuthorizationService
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 3.1.9 GlobalService: system. Note 1 to entry: a GlobalDiscoveryServer, a CertificateManager, a KeyCredentialService and an AuthorizationService are all examples of GlobalServices
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 3.1.11 KeyCredential: a unique identifier and a secret used to access an AuthorizationService or a Broker. Note 1 to entry: a user name and password is an example of a KeyCredential
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 3.1.12 KeyCredentialService: a software application that provides KeyCredentials needed to access an AuthorizationService or a Broker
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.25 UserTokenSettingsDataType: IssuedIdentityToken (i.e. JWT). IssuerEndpointUrl, 0:String: An optional string which depends on the Authorization Service. The meaning of this value depends on the IssuedTokenType. Further details for the different Token
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.1 Overview: Certificate distribution is managed by the Certificate management model described in 7. For example, AuthorizationServices that support OAuth2 often require the client to provide a client_id and client
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.1 Overview: that may use them to access resources. A Server, such as a GDS, with AuthorizationService Capabilities may support one or more AuthorizationService Objects (see 9.6.4) which may represent an internal ... AuthorizationService or be an API to an external AuthorizationService. The AuthorizationService is best used in conjunction with the Role model defined in OPC 10000-5. In this scenario, the mapping
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: using mechanisms other than the well-known Roles. The well-known Roles for an AuthorizationService are listed in Table 142. Table 142 - Well-known Roles for an AuthorizationService (Name / Description) ... AuthorizationServiceAdmin: This Role grants the right to manage the configuration of an AuthorizationService. SecurityAdmin: This Role grants the right to change the security configuration of an AuthorizationService. The Privileges
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.3 Implicit: Authorization Server". IssuerEndpointUrl, ua:tokenEndpoint: The NodeId of the AuthorizationService Object encoded using the URI qualified syntax defined in OPC 10000-6. IssuerEndpointUrl, ua:authorizationEndpoint: The NodeId ... creating a Session. The Client then calls the StartRequestToken and FinishRequestToken Methods on the AuthorizationService Object. The "Authorization Server" determines if the Client is permitted to receive
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.4 Explicit: Table 144). With this use case, the Client reads the UserTokenPolicies Property of the AuthorizationService by reading the value of the UserTokenPolicies Property. The NodeId of the UserTokenPolicies Property is provided ... Table 144). The Client then calls the StartRequestToken and FinishRequestToken Methods on the AuthorizationService Object. The "Authorization Server" determines if the Client is permitted to receive an AccessToken
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.4 AuthorizationServiceType: This ObjectType is the TypeDefinition for an Object that allows access to an AuthorizationService. It is defined in Table 147. Table 147 - AuthorizationServiceType Definition (Attribute / Value): BrowseName: 2:AuthorizationServiceType ... used by the target Server when verifying AccessTokens. It is the responsibility of the AuthorizationService to verify that the ServiceCertificate is not revoked or otherwise invalid before returning any AccessToken
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: UserName IdentityTokens. Use StartRequestToken instead. RequestAccessToken is used to request an AccessToken from an AuthorizationService. The scenarios where this Method is used are described fully
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.6 StartRequestToken: AccessToken. The PolicyId provided shall identify one of the UserTokenPolicies for the AuthorizationService Object. The contents of the RequestorData and ServiceData depend on the UserTokenType and the SecurityPolicy. Table ... value generated by the requestor. A cryptographically random value generated by the service. The AuthorizationService cleans up unused requestIds. The Client should call FinishRequestToken immediately after this Method returns. The RequestId
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.7 FinishRequestToken: The FinishRequestToken Method is used to complete a request for an AccessToken from an AuthorizationService. It is called after calling StartRequestToken defined in 9.6.6. The RequestedRoles are used to restrict ... permissions that are granted to the AccessToken. If RequestedRoles are not provided, the AuthorizationService includes all Roles available to the UserIdentityToken provided in the call. The SupportedRoles Property provides
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.8 RefreshToken: The RefreshToken Method is used to request an AccessToken from an AuthorizationService using a cached RefreshToken. The CurrentRefreshToken shall only be accepted if the ClientCertificate used to create ... usually the ApplicationUri for a Server. CurrentRefreshToken: The RefreshToken previously returned by the AuthorizationService. AccessToken: The AccessToken granted to the application. AccessTokenExpiryTime: When the AccessToken expires. If the ExpiryTime
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.9 GetServiceDescription: The GetServiceDescription Method is used to read the metadata needed to request AccessTokens from the AuthorizationService. Signature: GetServiceDescription([out] String ServiceUri, [out] ByteString ServiceCertificate, [out] UserTokenPolicy[] UserTokenPolicies); Argument / Description: ServiceUri ... globally unique identifier for the AuthorizationService. ServiceCertificate: The complete chain of Certificates used to validate the AccessTokens provided by the AuthorizationService. UserTokenPolicies: The UserIdentityTokens accepted by the AuthorizationService. Method
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: This ObjectType is the TypeDefinition for an Object that allows the configuration of an AuthorizationService used by a Server. It is defined in Table 158. Table 158 - AuthorizationServiceConfigurationType Definition (Attribute ... PropertyType, Mandatory; Conformance Units: Authorization Service Configuration Server). The ServiceUri Property uniquely identifies the AuthorizationService. The ServiceCertificate Property has the Certificate(s) used to verify AccessTokens issued by the AuthorizationService
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: AuthorizationServiceConfigurationDataType: This type is used to serialize the AuthorizationService configuration. It is defined in Table 159. This type is used as part of the ApplicationConfigurationDataType defined in 7.10.19 which allows ... Structure (Name / Type / Description): AuthorizationServiceConfigurationDataType, Structure. ServiceUri, 0:UriString: A URI that uniquely identifies the AuthorizationService. ServiceCertificates, 0:ServiceCertificateDataType[]: A list of Certificates used by the AuthorizationService to verify AccessTokens. Certificate
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 5.4.5.3 Key acquisition handshakes: Service calls. These calls typically use an Access Token that is retrieved from an Authorization Service. Both concepts are defined in OPC 10000-4. Figure 12 - Handshake used to push
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub: Services and Security Key Service. Access to the SKS can be managed by an Authorization Service as shown in Figure 13. Figure 13 - Handshake with a Security Key Service
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.3 IdentityMappingRuleType: criteria is a generic text identifier for a user group specific to the Authorization Service. For example, an Authorization Service providing access to an Active Directory