29 result(s) for UserIdentityToken
- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model, 12.3.15 UserIdentityToken
  The representation in the AddressSpace of the UserIdentityToken DataType is defined in Table 224. Table 224 - UserIdentityToken definition: Attributes | Value; BrowseName | UserIdentityToken; IsAbstract | TRUE; References: NodeClass | BrowseName | DataType | TypeDefinition

- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
  function. In OPC UA a Client can request additional privileges by changing the UserIdentityToken (see Activate Session in OPC 10000-4). This could even be done for a short period

- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 4.9.1 Overview
  AuthenticatedUser Role is always assigned when a Session has been authenticated with a UserIdentityToken other than the AnonymousIdentityToken (see OPC 10000-4). The TrustedApplication Role is always assigned when

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.2.2 Parameters
  ActivateSession request. This value may also be used to prove possession of the userIdentityToken it specified in the ActivateSession request. serverCertificate | ApplicationInstanceCertificate | The ApplicationInstanceCertificate issued to the Server

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.3.1 Description
  original SecureChannel. In addition, the Server shall verify that the Client supplied a UserIdentityToken that contains the same ClientUserId as the token currently associated with the Session. Lastly, the Server ... SecureChannel it shall reject requests sent via the old SecureChannel. If an Anonymous UserIdentityToken is used, then ActivateSession over a new SecureChannel shall fail if the SecureChannel is using Sign

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.3.2 Parameters
  null or empty the Server shall keep using the current localeIds for the Session. userIdentityToken | Extensible Parameter UserIdentityToken | The credentials of the user associated with the Client application. The Server ... Session and what resources the Client has access to during this Session. The UserIdentityToken is an extensible parameter type defined in 7.40. The EndpointDescription specifies what UserIdentityTokens the Server shall

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.1 Overview
  The UserIdentityToken structure used in the Server Service Set allows Clients to specify the identity of the user they are acting on behalf of. The exact mechanism used ... user identity tokens. The ExtensibleParameter type is defined in 7.17. Table 181 - UserIdentityToken parameterTypeIds: Symbolic Id | Description; AnonymousIdentityToken | No user information is available. UserNameIdentityToken | A user identified by user name

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.1 Overview
  The Client shall always prove possession of a UserIdentityToken when it passes it to the Server. Some tokens include a secret such as a password which the Server will ... secret associated with the Token. In these cases, the Client proves possession of a UserIdentityToken by creating a signature with the secret and passing it to the Server. Each UserIdentityToken

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.3 EncryptedSecret Format
  This is the last serverNonce returned in the CreateSession or ActivateSession Response when a UserIdentityToken is passed with the ActivateSession Request. If used outside of an ActivateSession call, the Nonce

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.4 RsaEncryptedSecret DataType
  last ServerNonce returned in the CreateSession or ActivateSession Response when proving a UserIdentityToken passed in the ActivateSession Request. In other contexts, this is a Nonce created by the sender with

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.5 EccEncryptedSecret DataType
  receiver. This is true if the structure is used to provide a UserIdentityToken to a Server over a SecureChannel and the SigningCertificate is the Client ApplicationInstance Certificate. SigningTime | DateTime ... last ServerNonce returned in the CreateSession or ActivateSession Response when proving a UserIdentityToken passed in the ActivateSession Request. In other contexts, this is a Nonce created by the sender with

- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.41 UserTokenPolicy
  defined in Table 192. Table 192 - UserTokenPolicy: Name | Type | Description; UserTokenPolicy | structure | Specifies a UserIdentityToken that a Server will accept. policyId | String | An identifier for the UserTokenPolicy assigned ... UserTokenPolicies assigned by the Server. The Client specifies this value when it constructs a UserIdentityToken that conforms to the policy. This value is only unique within the context

- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model, 3.1.1 ClientUserId
  action. Note 1 to entry: The ClientUserId is obtained directly or indirectly from the UserIdentityToken passed by the Client in the ActivateSession Service call or from the authenticationToken

- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model, 6.4.3 AuditEventType
  user of the client requesting an action. The ClientUserId can be obtained from the UserIdentityToken passed in the ActivateSession call. If the UserIdentityToken is a UserNameIdentityToken then the ClientUserId shall ... UserName. If the UserIdentityToken is an X509IdentityToken then the ClientUserId shall be the X509 Subject Name of the Certificate. If the UserIdentityToken is an IssuedIdentityToken then the ClientUserId shall

- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
  inherits the InstanceDeclarations of that Node. HasProperty | Variable | ClientSoftwareCertificates | SignedSoftwareCertificate[] | PropertyType | Mandatory; HasProperty | Variable | UserIdentityToken | UserIdentityToken | PropertyType | Mandatory; HasProperty | Variable | SecureChannelId | String | PropertyType | Mandatory; HasProperty | Variable | CurrentRoleIds | NodeId[] | PropertyType | Optional ... that triggers the Event. ClientSoftwareCertificates is the clientSoftwareCertificates parameter of the ActivateSession Service call. UserIdentityToken reflects the userIdentityToken parameter of the ActivateSession Service call. For Username/Password tokens the password shall

- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.1 General
  OpenSecureChannel are defined in OPC 10000-21. Certificates are also used as a form of UserIdentityToken which identifies a user associated with a Session. Clause 6.2.3 describes Certificates used as UserIdentityTokens

- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.3.1 General
  infrastructure. These Access Tokens are passed to a Server by a Client in a UserIdentityToken as described in OPC 10000-4. The OpenID Connect specification (see OpenID) builds

- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, UserIdentityToken Encryption
  ActivateSession allows a Client to provide an encrypted UserIdentityToken using a SecurityPolicy specified by a UserTokenPolicy supported by the current Endpoint. With ECC, encryption requires that the Client ... SecurityPolicy the Client specifies the ECDHPolicyUri it plans to use for the UserIdentityToken in the RequestHeader. The Server returns an EphemeralKey in the ResponseHeader that can be used

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  Role or equivalent. Possible credentials used to authenticate the CertificateManager are: CertificateManager ApplicationInstance Certificate; UserIdentityToken provided in ActivateSession. Update TrustList Workflow: The steps involved in updating the Certificate are described

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.25 UserTokenSettingsDataType
  UserTokenSettingsDataType Structure: Name | Type | Description; UserTokenSettingsDataType | Structure; TokenType | 0:UserTokenType | The type of UserIdentityToken; IssuedTokenType | 0:String | A URI identifying the type of IssuedIdentityToken (i.e. JWT). IssuerEndpointUrl | 0:String ... SecurityPolicyUri | 0:String | The SecurityPolicy to use when encrypting or signing the UserIdentityToken when it is passed to the Server in the ActivateSession request. For X509 UserIdentityTokens this value shall

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.1 Overview
  from an AuthorizationService Object there are three primary use cases based on where the UserIdentityToken comes from: Implicit, Explicit and Chained. These use cases are discussed below. The Implicit

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  identity of the OPC UA Application. A KeyCredential (see 8) provided as a UserIdentityToken may also be used to determine if the Client has access to this Privilege

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.3 Implicit
  implicit authorization use case describes how the Client's ApplicationInstance Certificate and any UserIdentityToken associated with the Session is used to determine whether an AccessToken is permitted and what claims

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.4 Explicit
  The explicit authorization use case describes how a Client authenticates itself with a UserIdentityToken provided in the FinishRequestToken Method call. User credentials for Session with the Authorization Server

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.5 Chained
  authorization use case is a variation on the explicit authorization use case, where the UserIdentityToken provided to the "Authorization Server" is an AccessToken issued by an "Identity

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
  IdentityToken is not provided the Server should use the ApplicationInstanceCertificate and/or the UserIdentityToken provided for the Session (or the request if using a Session-less Method Call) to determine privileges ... SecurityPolicyUri, then the IdentityToken is encrypted and digitally signed using the format defined for UserIdentityToken secrets in OPC 10000-4. This Method shall be called from an encrypted SecureChannel

- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.7 FinishRequestToken
  AccessToken. If RequestedRoles are not provided the AuthorizationService includes all Roles available to the UserIdentityToken provided in the call. The SupportedRoles Property provides all Roles supported by the AuthorizationService ... UserIdentityToken contains the credentials that the AccessToken will represent. The UserTokenSignature is computed using the channel bound signatures defined in OPC 10000-4 where the ServiceData replaces the ServerNonce

- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.1 RoleType definition
  evaluated and applied. The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If no user identity is configured for the Role, the Identities Property ... granted to the Session if all of the following conditions are true: The UserIdentityToken complies with Identities. The Applications Property is not configured or the Client Certificate complies with

- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.3 IdentityMappingRuleType
  The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken. The structure is described in Table 9. Table 9 - IdentityMappingRuleType: Name | Type | Description; IdentityMappingRuleType | Structure | Specifies a rule ... used to map a UserIdentityToken to a Role. criteriaType | Enumeration IdentityCriteriaType | The type of criteria contained in the identity mapping rule. The IdentityCriteriaType is defined in 4.4.4. criteria | String