9.6.6 StartRequestToken
The StartRequestToken Method is used to initiate a new request for an AccessToken.
The PolicyId provided shall identify one of the UserTokenPolicies for the AuthorizationService Object.
The contents of the RequestorData and ServiceData depend on the UserTokenType and the SecurityPolicy. Table 149 specifies the contents for different combinations of UserTokenType and SecurityPolicy.
| UserTokenType | RequestorData | ServiceData |
|---|---|---|
UserName or IssuedToken SecurityPolicy: None | Not Used | Not Used |
UserName or IssuedToken SecurityPolicy: RSA | Not Used | A Certificate containing the PublicKey used to build the RsaEncryptedSecret defined in OPC 10000-4. |
UserName or IssuedToken SecurityPolicy: ECC or RSA_DH. | Not Used | An EphemeralKey used to build the EccEncryptedSecret defined in OPC 10000-4. |
| Certificate | A cryptographically random value generated by the requestor. | A cryptographically random value generated by the service. |
The AuthorizationService cleans up unused requestIds. Client should call FinishRequestToken immediately after this Method returns. The RequestId is only accessible via the current Session and resources are freed when the Session is closed.
This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2).
Signature
StartRequestToken(
[in] String ResourceId
[in] String PolicyId
[in] ByteString RequestorData
[out] ByteString ServiceData
[out] Guid RequestId
);| Argument | Description |
| ResourceId | The identifier for the Resource that the AccessToken is used to access. This is usually the ApplicationUri for a Server. Shall be the ResourceId specified in the UserTokenPolicy. This is usually the Server ApplicationUri. |
| PolicyId | The PolicyId from an element in the UserTokenPolicies array. |
| RequestorData | A value with contents described in Table 149. |
| ServiceData | A value with contents described in Table 149. |
| RequestId | A unique value for the request that is passed to FinishRequestToken. |
Method Result Codes (defined in Call Service)
| Result Code | Description |
| Bad_NotFound | The ResourceId is not known to the Server. |
| Bad_IdentityTokenInvalid | The PolicyId does not match one of the allowed UserTokenPolicies. |
| Bad_NonceInvalid | The RequestorData is not valid for the specified UserTokenPolicy. |
| Bad_UserAccessDenied | The current user does not have the rights required. |
| Bad_SecurityModeInsufficient | The SecureChannel is not encrypted. |
Table 150 specifies the AddressSpace representation for the StartRequestToken Method.
| Attribute | Value | ||||
| BrowseName | 2:StartRequestToken | ||||
| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| 0:HasProperty | Variable | 0:InputArguments | 0:Argument[] | 0:PropertyType | Mandatory |
| 0:HasProperty | Variable | 0:OutputArguments | 0:Argument[] | 0:PropertyType | Mandatory |