"User Token – JWT Client Facet" Profile
This Facet defines the ability to use JSON Web Tokens (JWT) as user identification during Session setup. JWTs are used to request an access token from an external Authorization Service.
This page lists the conformance units of the selected profile with their name and description.
Security User JWT IssuedToken Client
A Client uses a JSON Web Token (JWT) for user identity. Part 6 describes OAuth2 and JWTs in more detail.
The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token requires either message encryption or means outside the scope of OPC UA to secure the identity token, so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.
Security User JWT Token Policy Client
The Client understands and uses the Authorization Service definition inside the JWT UserTokenPolicy returned with GetEndpoints.
The Client shall support at least one of the following Authority Profile ConformanceUnits. The URIs defined in these ConformanceUnits appear in the authorityProfileURI field of the JWT Token Policy exposed in Server Endpoints.
OAuth2 Authority Profile
This unit indicates support of OAuth2 over HTTPS to request access tokens.
The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#OAuth2"
OPC UA Authority Profile
This unit indicates support of the OPC UA Methods defined in UA Part 12 to request access tokens.
The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#OPCUA"
Azure Identity Provider Authority Profile
This unit indicates support of the Azure identity provider to request access tokens.
The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#Azure"