9.4 Explicit
The explicit authorization use case describes how a Client authenticates itself with a UserIdentityToken provided in the FinishRequestToken Method call. User credentials for a Session with the Authorization Server are not required. This use case is illustrated in Figure 31.

The "Target Server" is the Server that the Client wishes to access. It publishes a UserTokenPolicy that indicates that it accepts AccessTokens from an "Authorization Server". The parameters needed to connect to the "Authorization Server" are stored in the UserTokenPolicy (see Table 144).
With this use case, the Client reads the value of the UserTokenPolicies Property of the AuthorizationService. The NodeId of the UserTokenPolicies Property is provided in the UserTokenPolicy provided by the Target Server (see Table 144).
The Client then calls the StartRequestToken and FinishRequestToken Methods on the AuthorizationService Object. The "Authorization Server" determines if the Client is permitted to receive an AccessToken and populates it with any claims granted to the Client. The StartRequestToken and FinishRequestToken Methods can be invoked via Session-less Method calls.
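
The sequence described above, modelled end to end as an added example; it is not part of the specification and does not reproduce its Method signatures. The parameter shapes, the request id, the NodeId string, the clear-text password check and the dictionary returned as the AccessToken are simplifying assumptions made for this sketch.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class UserTokenPolicy:            # simplified model, not the full structure
    policy_id: str
    token_type: str               # "UserName" or "IssuedToken" in this sketch
    issuer: str = ""              # hypothetical: how to reach the Authorization Server
    policies_node_id: str = ""    # NodeId of its UserTokenPolicies Property

class AuthorizationService:
    """Constructed stand-in for the AuthorizationService Object."""
    NODE = "ns=1;s=Auth.UserTokenPolicies"   # constructed NodeId

    def __init__(self, users, grants):
        self._users, self._grants, self._pending = users, grants, {}
        self._nodes = {self.NODE: [UserTokenPolicy("user-pw", "UserName")]}

    def read(self, node_id):
        return self._nodes[node_id]

    def start_request_token(self, resource_id, policy_id):
        if policy_id not in {p.policy_id for p in self._nodes[self.NODE]}:
            raise PermissionError("policy not offered")
        request_id = secrets.token_hex(8)
        self._pending[request_id] = resource_id
        return request_id

    def finish_request_token(self, request_id, identity_token):
        resource_id = self._pending.pop(request_id, None)  # single use
        if resource_id is None:
            raise PermissionError("no matching StartRequestToken")
        user, password = identity_token
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("identity rejected")
        claims = self._grants.get((user, resource_id))
        if not claims:
            raise PermissionError("no claims granted for this resource")
        return {"subject": user, "audience": resource_id, "claims": list(claims)}

def request_access_token(target_policy, reachable, identity_token, resource_id):
    """Client side: follow the Target Server's policy to the AuthorizationService."""
    service = reachable[target_policy.issuer]
    offered = service.read(target_policy.policies_node_id)
    policy = next(p for p in offered if p.token_type == "UserName")
    request_id = service.start_request_token(resource_id, policy.policy_id)
    return service.finish_request_token(request_id, identity_token)
```

The identity is presented only in the finish call, and the service refuses an unknown or already used request id, a rejected identity, and a Client with no claims for the requested resource.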