9.6.7 FinishRequestToken
The FinishRequestToken Method is used to complete a request for an AccessToken from an AuthorizationService. It is called after calling StartRequestToken defined in 9.6.6.
The RequestedRoles are used to restrict the permissions that are granted to the AccessToken. If RequestedRoles are not provided the AuthorizationService includes all Roles available to the UserIdentityToken provided in the call. The SupportedRoles Property provides all Roles supported by the AuthorizationService.
The UserIdentityToken contains the credentials that the AccessToken will represent.
The UserTokenSignature is computed using the channel bound signatures defined in OPC 10000-4 where the ServiceData replaces the ServerNonce and the RequestorData replaces the ClientNonce.
This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2).
Signature
FinishRequestToken (
[in] Guid RequestId
[in] String[] RequestedRoles
[in] UserIdentityToken UserIdentityToken
[in] SignatureData UserTokenSignature
[out] String AccessToken
[out] DateTime AccessTokenExpiryTime
[out] String RefreshToken
[out] DateTime RefreshTokenExpiryTime
);| Argument | Description |
| RequestId | The identifier returned by StartRequestToken. |
| RequestedRoles | The list of Roles from the SupportedRoles Property that the requestor wants access to. If none are specified then all available Roles are granted. |
| UserIdentityToken | The identity used to authorize the AccessToken request. |
| UserTokenSignature | The Signature used to prove possession of a Certificate provided with an X509IdentityToken AccessToken. Otherwise, the parameter is null. |
| AccessToken | The AccessToken granted to the application. |
| AccessTokenExpiryTime | When the AccessToken expires. If the ExpiryTime is not known the AuthorizationServer shall provide a suitable non-null value. |
| RefreshToken | A token that can be cached and used to request a new AccessToken. |
| RefreshTokenExpiryTime | When the RefreshToken expires. If the ExpiryTime is not known the AuthorizationServer shall provide a suitable non-null value. |
Method Result Codes (defined in Call Service)
| Result Code | Description |
| Bad_NotFound | The RequestId is invalid or has expired. |
| Bad_IdentityTokenInvalid | The IdentityToken does not match one of the allowed UserTokenPolicies. |
| Bad_IdentityTokenRejected | The IdentityToken was rejected. |
| Bad_UserAccessDenied | The current user does not have the rights required. |
| Bad_SecurityModeInsufficient | The SecureChannel is not encrypted. |
Table 148 specifies the AddressSpace representation for the FinishRequestToken Method.
| Attribute | Value | ||||
| BrowseName | 2:FinishRequestToken | ||||
| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| 0:HasProperty | Variable | 0:InputArguments | 0:Argument[] | 0:PropertyType | Mandatory |
| 0:HasProperty | Variable | 0:OutputArguments | 0:Argument[] | 0:PropertyType | Mandatory |