The IssuedIdentityToken is used to pass SecurityTokens issued by an external Authorization Service to the Server. These tokens may be text or binary.
OAuth2 defines a standard for Authorization Services that produce JSON Web Tokens (JWT). These JWTs are passed as an Issued Token to an OPC UA Server which uses the signature contained in the JWT to validate the token. OPC 10000-6 describes OAuth2 and JWTs in more detail. If the token is encrypted, it shall use the EncryptedSecret format defined in 18.104.22.168.
This token shall be encrypted by the Client if required by the SecurityPolicy of the UserTokenPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None and no transport layer encryption is available. The SecurityPolicy of the SecureChannel is used If no SecurityPolicy is specified in the UserTokenPolicy.
If the SecurityPolicy is not None, the tokenData shall be encoded in UTF-8 (if it is not already binary), signed and encrypted according the rules specified for the tokenType of the associated UserTokenPolicy (see 7.37).
If the SecurityPolicy is None then the tokenData only contains the UTF-8 encoded tokenData. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but it would make the token visible in clear text.
Table 189 defines the IssuedIdentityToken parameter.
Table 189 – IssuedIdentityToken
|IssuedIdentityToken||structure||The token provided by an Authorization Service.|
|policyId||String||An identifier for the UserTokenPolicy that the token conforms to.
The UserTokenPolicy structure is defined in 7.37.
|tokenData||ByteString||The text or binary representation of the token.
The format of the data depends on the associated UserTokenPolicy.
|encryptionAlgorithm||String||The URI of the AsymmetricEncryptionAlgorithm.
The list of OPC UA-defined names that may be used is specified in OPC 10000-7.
See Table 187 for details on picking the correct URI.
This parameter is null if the tokenData is not encrypted or if the EncryptedSecret format is used.