The IssuedIdentityToken is used to pass SecurityTokens issued by an external Authorization Service to the Server. These tokens may be text or binary.

OAuth2 defines a standard for Authorization Services that produce JSON Web Tokens (JWT). These JWTs are passed as an Issued Token to an OPC UA Server which uses the signature contained in the JWT to validate the token. OPC 10000-6 describes OAuth2 and JWTs in more detail. If the token is encrypted, it shall use the EncryptedSecret format defined in 7.40.2.3.

The Client shall encrypt this token if the SecurityPolicy of the UserTokenPolicy requires it. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None and no transport layer encryption is available. If no SecurityPolicy is specified in the UserTokenPolicy, the SecurityPolicy of the SecureChannel is used.

If the SecurityPolicy is not None, the tokenData shall be encoded in UTF-8 (if it is not already binary), then signed and encrypted according to the rules specified for the tokenType of the associated UserTokenPolicy (see 7.41).

If the SecurityPolicy is None, then tokenData contains only the raw token (UTF-8 encoded if it is text). This configuration should not be used unless the network is encrypted in some other manner, such as a VPN. Using it without network encryption is a serious security fault: it gives the appearance of secure user access while the token crosses the network in clear text.
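The Client-side decisions in the three paragraphs above (policy lookup with null/empty policyIds treated as equal, falling back to the SecureChannel's SecurityPolicy, UTF-8 encoding of text tokens, and refusing the clear-text configuration) can be captured as follows. This is an added example, not code from the OPC UA specification or any OPC UA stack; the UserTokenPolicy fields are a subset of 7.41, and the signing/encryption step that 7.41 prescribes for the non-None case is left to the caller, since those rules are not on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Well-known OPC UA SecurityPolicy URIs.
SECURITY_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
SECURITY_POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"


@dataclass
class UserTokenPolicy:
    """Subset of the UserTokenPolicy fields (7.41) needed for these decisions."""
    policyId: Optional[str]
    tokenType: str                     # "IssuedToken" for this token kind
    securityPolicyUri: Optional[str]   # None/empty => inherit the SecureChannel policy


@dataclass
class PreparedIssuedToken:
    """What the Client has settled on before the sign/encrypt step of 7.41 (not shown)."""
    policyId: Optional[str]
    tokenData: bytes            # raw token bytes (UTF-8 if it was text)
    securityPolicyUri: str      # policy whose rules govern signing/encryption
    requires_encryption: bool   # False only for SecurityPolicy None


def effective_security_policy(utp: UserTokenPolicy, secure_channel_policy: str) -> str:
    """SecurityPolicy of the UserTokenPolicy, falling back to the SecureChannel's."""
    return utp.securityPolicyUri or secure_channel_policy


def select_user_token_policy(policies: List[UserTokenPolicy],
                             policy_id: Optional[str]) -> UserTokenPolicy:
    """Find the IssuedToken policy by policyId; null and empty policyIds compare equal."""
    for utp in policies:
        if utp.tokenType == "IssuedToken" and (utp.policyId or "") == (policy_id or ""):
            return utp
    raise LookupError(f"no IssuedToken UserTokenPolicy with policyId {policy_id!r}")


def can_send_issued_token(utp: UserTokenPolicy, secure_channel_policy: str,
                          transport_encrypted: bool) -> bool:
    """False exactly in the faulty configuration: policy None and no other network encryption."""
    policy = effective_security_policy(utp, secure_channel_policy)
    return policy != SECURITY_POLICY_NONE or transport_encrypted


def prepare_issued_token(token: Union[str, bytes], utp: UserTokenPolicy,
                         secure_channel_policy: str, transport_encrypted: bool) -> PreparedIssuedToken:
    """Produce the tokenData plaintext and the policy that governs its protection."""
    if not can_send_issued_token(utp, secure_channel_policy, transport_encrypted):
        raise RuntimeError("refusing to send the token: it would cross the network in clear text")
    policy = effective_security_policy(utp, secure_channel_policy)
    # Text tokens (e.g. a JWT) are UTF-8 encoded; binary tokens are passed through unchanged.
    data = token.encode("utf-8") if isinstance(token, str) else bytes(token)
    return PreparedIssuedToken(utp.policyId, data, policy, policy != SECURITY_POLICY_NONE)


if __name__ == "__main__":
    # Constructed endpoint: one IssuedToken policy with no SecurityPolicy of its own.
    jwt_policy = UserTokenPolicy(policyId="jwt", tokenType="IssuedToken", securityPolicyUri=None)
    prepared = prepare_issued_token("eyJ.constructed.jwt", jwt_policy,
                                    SECURITY_POLICY_BASIC256SHA256, transport_encrypted=False)
    print(prepared.securityPolicyUri, prepared.requires_encryption)
```

When `requires_encryption` is set, the caller applies the 7.41 rules for the returned `securityPolicyUri` to `tokenData` and puts the result in the IssuedIdentityToken; when it is clear, `tokenData` goes into the token as-is, which is only acceptable because `can_send_issued_token` has confirmed the transport itself is encrypted.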

IssuedIdentityTokens have an expiration time, and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption or other operation failures.
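The Server-side behaviour described here (validate the signature carried in the JWT, bind the Session to the token, and after a configurable time past expiry either fall back to the Anonymous Role or close the Session) is shown below as an added example; it is not code from the OPC UA specification or any OPC UA stack. It assumes an HS256 JWT with a shared key so that it runs with the Python standard library only (a real Authorization Service would normally sign with an asymmetric key), that the roles are carried in a `roles` claim, and that `make_hs256_jwt` stands in for the external Authorization Service. Times are plain integers so the test is deterministic.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional, Set

ANONYMOUS_ROLE = "Anonymous"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the Authorization Service (assumption: HS256 with a shared key)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token_data: bytes, key: bytes) -> dict:
    """Server side: check the signature contained in the JWT and return its claims."""
    try:
        header_b64, payload_b64, sig_b64 = token_data.decode("utf-8").split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # only accept the algorithm we configured
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWT signature invalid")
    return json.loads(_b64url_decode(payload_b64))


def is_signature_valid(token_data: bytes, key: bytes) -> bool:
    try:
        verify_jwt(token_data, key)
        return True
    except ValueError:
        return False


@dataclass
class Session:
    roles: Set[str] = field(default_factory=lambda: {ANONYMOUS_ROLE})
    token_exp: Optional[int] = None   # 'exp' claim of the current token, seconds since epoch
    open: bool = True


def activate_session(session: Session, token_data: bytes, key: bytes, now: int) -> dict:
    """ActivateSession with an IssuedIdentityToken: validate, then bind the token's roles."""
    claims = verify_jwt(token_data, key)
    exp = int(claims["exp"])
    if exp <= now:
        raise ValueError("token already expired")
    session.roles = set(claims.get("roles", []))   # assumption: a 'roles' claim carries the roles
    session.token_exp = exp
    return claims


def enforce_token_expiry(session: Session, now: int, grace_seconds: int, allow_anonymous: bool) -> None:
    """Invalidate the credentials once the configured time after 'exp' has elapsed."""
    if not session.open or session.token_exp is None:
        return
    if now < session.token_exp + grace_seconds:
        return                                      # still within the configured window
    session.token_exp = None
    if allow_anonymous:
        session.roles = {ANONYMOUS_ROLE}            # Session stays valid with the Anonymous Role
    else:
        session.roles = set()
        session.open = False                        # no anonymous users: close the Session
```

A Client that wants to avoid the downgrade calls ActivateSession with a fresh token before `exp`; `enforce_token_expiry` is what a Server would run from its session housekeeping timer with `grace_seconds` as the configurable delay.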

Table 191 defines the IssuedIdentityToken parameter.

Table 191 – IssuedIdentityToken

Name / Type / Description

IssuedIdentityToken (structure)
    The token provided by an Authorization Service.

    policyId (String)
        An identifier for the UserTokenPolicy that the token conforms to.
        The UserTokenPolicy structure is defined in 7.41. Servers that provide a null or empty PolicyId shall accept null or empty and treat them as equal.

    tokenData (ByteString)
        A representation of the token which may be encrypted.
        See Table 189 for details on determining when encryption is required and what algorithms to use.
        If no encryption is used, it is the raw token in binary or as UTF-8 encoded text.
        The format of the token depends on the associated UserTokenPolicy.
        The format used for the encrypted data is described in 7.40.2.2.

    encryptionAlgorithm (String)
        The Client shall set this field to null or empty and Servers shall ignore any value specified.