6 Message Security Protocols

6.5 Issued User Identity Tokens

6.5.2 JSON Web Token (JWT)

JSON Web Token (JWT) UserIdentityTokens can be passed to the Server using the IssuedIdentityToken. The body of the token is a string that contains the JWT as defined in RFC 7159.

Servers that support JWT authentication shall provide a UserTokenPolicy which specifies the Authorization Service which provides the token and the parameters needed to access that service. The parameters are specified by a JSON object specified as the issuerEndpointUrl. The contents of this JSON object are described in Table 39. The general UserTokenPolicy settings for JWT are defined in Table 38.

Table 38 – JWT UserTokenPolicy

Name               Description
tokenType          ISSUEDTOKEN_3
issuedTokenType    http://opcfoundation.org/UA/UserToken#JWT
issuerEndpointUrl  For JWTs this is a JSON object with fields defined in Table 39.

Table 39 – JWT IssuerEndpointUrl Definition

Name                        Type                  Description
IssuerEndpointUrl           JSON object           Specifies the parameters for a JWT UserIdentityToken.
  ua:resourceId             String                The URI identifying the Server to the Authorization Service. If not specified, the Server's ApplicationUri is used.
  ua:authorityUrl           String                The base URL for the Authorization Service. This URL may be used to discover additional information about the authority. This field is equivalent to the "issuer" defined in OpenID-Discovery.
  ua:authorityProfileUri    String                The profile that defines the interactions with the authority. If not specified, the URI is "http://opcfoundation.org/UA/Authorization#OAuth2".
  ua:tokenEndpoint          String                A path relative to the base URL used to request Access Tokens. This field is equivalent to the "token_endpoint" defined in OpenID-Discovery.
  ua:authorizationEndpoint  String                A path relative to the base URL used to validate user credentials. This field is equivalent to the "authorization_endpoint" defined in OpenID-Discovery.
  ua:requestTypes           JSON array of String  The list of request types supported by the authority. The possible values depend on the authorityProfileUri. OPC 10000-7 specifies the default for each authority profile defined.
  ua:scopes                 JSON array of String  A list of Scopes that are understood by the Server. If not specified, the Client may be able to access any Scope supported by the Authorization Service. This field is equivalent to the "scopes_supported" defined in OpenID-Discovery.
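The following is an added example, not code from the OPC Foundation specification or any OPC UA stack: a Client-side helper that checks a UserTokenPolicy against Table 38 and parses its issuerEndpointUrl JSON object per Table 39, applying the defaults the table states (resourceId falls back to the Server's ApplicationUri; authorityProfileUri falls back to the OAuth2 profile URI) and resolving the relative tokenEndpoint and authorizationEndpoint paths against authorityUrl. The policy is modelled as a plain dict with tokenType given as the string "ISSUEDTOKEN_3"; the sample authority URL, paths, request type and scope are constructed values. Two checks are this example's own policy rather than the page's text: authorityUrl and tokenEndpoint are treated as required, and a non-https authorityUrl is rejected so that credentials are never sent to an authority over a cleartext channel.

```python
import json
from typing import List, Optional

JWT_ISSUED_TOKEN_TYPE = "http://opcfoundation.org/UA/UserToken#JWT"
DEFAULT_AUTHORITY_PROFILE_URI = "http://opcfoundation.org/UA/Authorization#OAuth2"


class PolicyError(ValueError):
    """Raised when a UserTokenPolicy or its issuerEndpointUrl cannot be used."""


def _opt_str(obj: dict, key: str) -> Optional[str]:
    """Return obj[key] if present; it must then be a non-empty string."""
    value = obj.get(key)
    if value is None:
        return None
    if not isinstance(value, str) or not value:
        raise PolicyError(f"{key} must be a non-empty string")
    return value


def _opt_str_list(obj: dict, key: str) -> Optional[List[str]]:
    """Return obj[key] if present; it must then be a JSON array of strings."""
    value = obj.get(key)
    if value is None:
        return None
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise PolicyError(f"{key} must be a JSON array of strings")
    return list(value)


def _join(base_url: str, path: str) -> str:
    """Append a Table 39 relative path to the authority base URL."""
    return base_url.rstrip("/") + "/" + path.lstrip("/")


def parse_issuer_endpoint_url(issuer_endpoint_url: str, application_uri: str) -> dict:
    """Parse the Table 39 JSON object and apply its stated defaults."""
    try:
        obj = json.loads(issuer_endpoint_url)
    except json.JSONDecodeError as exc:
        raise PolicyError(f"issuerEndpointUrl is not valid JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise PolicyError("issuerEndpointUrl must be a JSON object")

    # Assumption of this example (not stated in Table 39): authorityUrl and
    # tokenEndpoint are required, and the authority must be reached over https.
    authority_url = _opt_str(obj, "ua:authorityUrl")
    if authority_url is None:
        raise PolicyError("ua:authorityUrl is required")
    if not authority_url.lower().startswith("https://"):
        raise PolicyError("ua:authorityUrl must use https")
    token_path = _opt_str(obj, "ua:tokenEndpoint")
    if token_path is None:
        raise PolicyError("ua:tokenEndpoint is required")
    auth_path = _opt_str(obj, "ua:authorizationEndpoint")

    return {
        # Table 39: default is the Server's ApplicationUri
        "resourceId": _opt_str(obj, "ua:resourceId") or application_uri,
        "authorityUrl": authority_url,
        # Table 39: default is the OAuth2 profile URI
        "authorityProfileUri": _opt_str(obj, "ua:authorityProfileUri")
        or DEFAULT_AUTHORITY_PROFILE_URI,
        "tokenEndpoint": _join(authority_url, token_path),
        "authorizationEndpoint": _join(authority_url, auth_path) if auth_path else None,
        "requestTypes": _opt_str_list(obj, "ua:requestTypes") or [],
        # None means "not specified": any Scope the authority supports may be used
        "scopes": _opt_str_list(obj, "ua:scopes"),
    }


def jwt_config_from_policy(policy: dict, application_uri: str) -> dict:
    """Check the Table 38 fields of a UserTokenPolicy, then parse Table 39."""
    if policy.get("tokenType") != "ISSUEDTOKEN_3":
        raise PolicyError("tokenType must be ISSUEDTOKEN_3")
    if policy.get("issuedTokenType") != JWT_ISSUED_TOKEN_TYPE:
        raise PolicyError("issuedTokenType is not the JWT token type")
    issuer = policy.get("issuerEndpointUrl")
    if not isinstance(issuer, str):
        raise PolicyError("issuerEndpointUrl must be a string containing JSON")
    return parse_issuer_endpoint_url(issuer, application_uri)


# Constructed sample policy; the authority, paths, request type and scope are
# placeholders, not values from the specification.
SAMPLE_POLICY = {
    "tokenType": "ISSUEDTOKEN_3",
    "issuedTokenType": JWT_ISSUED_TOKEN_TYPE,
    "issuerEndpointUrl": json.dumps({
        "ua:authorityUrl": "https://auth.example.com/realms/ua",
        "ua:tokenEndpoint": "/protocol/openid-connect/token",
        "ua:authorizationEndpoint": "protocol/openid-connect/auth",
        "ua:requestTypes": ["authorization_code"],
        "ua:scopes": ["opcua:read"],
    }),
}

if __name__ == "__main__":
    print(json.dumps(jwt_config_from_policy(SAMPLE_POLICY, "urn:example:server"), indent=2))
```

The returned dict is what a Client needs before contacting the authority: the absolute token and authorization endpoints, the resourceId to present as the audience, and either an explicit scope list or None when the Server left scopes unspecified.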
