9.6.4 AuthorizationServiceType

This ObjectType is the TypeDefinition for an Object that allows access to an AuthorizationService. It is defined in Table 147.

Table 147 – AuthorizationServiceType Definition

Attribute           Value
BrowseName          2:AuthorizationServiceType
IsAbstract          False

References          NodeClass    BrowseName                            DataType               TypeDefinition    Modelling Rule
Subtype of the BaseObjectType defined in OPC 10000-5.
0:HasProperty       Variable     2:ServiceUri                          0:String               0:PropertyType    Mandatory
0:HasProperty       Variable     2:ServiceCertificate                  0:ByteString           0:PropertyType    Mandatory
0:HasProperty       Variable     2:UserTokenPolicies                   0:UserTokenPolicy[]    0:PropertyType    Optional
0:HasProperty       Variable     2:SupportedRoles                      0:String[]             0:PropertyType    Optional
0:HasComponent      Method       2:RequestAccessToken                  Defined in 9.6.5.                        Optional
0:HasComponent      Method       2:StartRequestToken                   Defined in 9.6.6.                        Optional
0:HasComponent      Method       2:FinishRequestToken                  Defined in 9.6.7.                        Optional
0:HasComponent      Method       2:RefreshToken                        Defined in 9.6.8.                        Optional
0:HasComponent      Method       2:GetServiceDescription               Defined in 9.6.9.                        Mandatory
0:GeneratesEvent    ObjectType   2:AccessTokenRequestedAuditEventType  Defined in 9.6.10.
0:GeneratesEvent    ObjectType   2:AccessTokenIssuedAuditEventType     Defined in 9.6.11.

Conformance Units
GDS Authorization Service Server

The ServiceUri Property contains a globally unique identifier that allows a Client to correlate an instance of AuthorizationServiceType with instances of AuthorizationServiceConfigurationType (see 9.7.4).

The ServiceCertificate Property contains the Certificate required to check any Signature that is included with the AccessTokens. The ServiceCertificate may be a complete chain (see OPC 10000-6 for information on encoding chains). CRLs are not used by the target Server when verifying AccessTokens. It is the responsibility of the AuthorizationService to verify that the ServiceCertificate is not revoked or otherwise invalid before returning any AccessToken to Clients. When a CertificateManager pushes the configuration to a target Server, the CertificateManager is responsible for verifying the ServiceCertificate and automatically updating the target Server if the ServiceCertificate is revoked.
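The following Go program is an added illustration of the verification a target Server performs with the ServiceCertificate Property; it is not part of OPC 10000-12 or of any OPC Foundation code. It assumes that the AccessToken is a JWT signed with RS256 and uses the claim names iss and exp (assumptions; the actual token format is defined in OPC 10000-6 and by the AuthorizationService). The CA, the service leaf certificate and the token are constructed in the program. The ServiceCertificate is treated as the concatenated-DER chain encoding, the first certificate being the token signer, and, as the text above states, no CRL is consulted by the verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// newServiceCertificateChain builds a constructed CA and a service leaf signed by it.
// It returns the leaf private key and the ServiceCertificate ByteString as leaf||CA,
// i.e. concatenated DER certificates as used for chains in OPC 10000-6.
func newServiceCertificateChain() (*rsa.PrivateKey, []byte, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example GDS CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example AuthorizationService"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return leafKey, append(leafDER, caDER...), nil
}

// signAccessToken is what the AuthorizationService does: it issues a JWT-style
// AccessToken (assumed format) signed with RS256 over header.payload.
func signAccessToken(key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAccessToken is what the target Server does with the ServiceCertificate Property:
// parse the (possibly chained) ByteString, take the first certificate as the signer, check
// the signature, then check exp. No CRL lookup is made, matching the 9.6.4 text.
func verifyAccessToken(token string, serviceCert []byte, now time.Time) (map[string]interface{}, error) {
	certs, err := x509.ParseCertificates(serviceCert)
	if err != nil || len(certs) == 0 {
		return nil, fmt.Errorf("ServiceCertificate unusable: %v", err)
	}
	pub, ok := certs[0].PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("ServiceCertificate leaf does not carry an RSA key")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed AccessToken")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the token must never choose how it is verified.
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or missing alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("AccessToken signature does not match ServiceCertificate")
	}
	bodyRaw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(bodyRaw, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("AccessToken expired or missing exp")
	}
	return claims, nil
}

func main() {
	key, chain, err := newServiceCertificateChain()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := signAccessToken(key, map[string]interface{}{
		"iss": "urn:example:authorization-service", "exp": now.Add(time.Hour).Unix(), "roles": []string{"Operator"}})
	claims, err := verifyAccessToken(tok, chain, now)
	fmt.Println("valid token:", claims, err)
	_, err = verifyAccessToken(tok, chain, now.Add(2*time.Hour))
	fmt.Println("expired token:", err)
	_, err = verifyAccessToken(tok[:len(tok)-4]+"AAAA", chain, now) // damaged signature
	fmt.Println("tampered token:", err)
}
```

The verifier pins the algorithm to RS256 before touching the signature, so a token whose header names a different algorithm is rejected rather than verified under attacker-chosen rules. Revocation of the ServiceCertificate itself is, as the section says, the job of the AuthorizationService and of the CertificateManager that pushes a replacement to the target Server; the verifier above therefore trusts whatever ServiceCertificate value it has been given.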

The UserTokenPolicies Property specifies the UserIdentityTokens which are accepted by the RequestAccessToken or FinishRequestToken Methods.

The SupportedRoles Property specifies the system-wide Roles which may be included in an AccessToken. Each target Server uses mapping rules (see OPC 10000-18) to specify the relationship between the system-wide Roles and Roles known to the target Server.

The GetServiceDescription Method is used to read the metadata used to request AccessTokens.

The RequestAccessToken Method is used to request an AccessToken from the AuthorizationService.

The StartRequestToken Method initiates a request for an AccessToken from the AuthorizationService.

The FinishRequestToken Method completes a request for an AccessToken from the AuthorizationService.

The RefreshToken Method is used to request an updated AccessToken.