"User Token – JWT Server Facet" Profile
This Facet defines support for JSON Web Tokens (JWT) to identify the user during Session setup. A JWT is the Access Token format which OPC UA requires when using OAuth2.
This page lists the conformance units of the selected profile with their name and description.
Conformance units that are inherited via included Profiles are not listed by default. Use the following radio buttons to change this default behaviour.
Show only explicitly included conformance units
Show also conformance units from included profiles
Show all existing conformance units
Show relationship of Conformance Units with Units and Profiles for Clients / Servers
Security User JWT IssuedToken
The Server supports a JSON Web Token (JWT) for user identity. Part 6 describes OAuth2 and JWTs in more detail. The use of this feature must be able to be enabled or disabled by an Administrator.
The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.
Security Invalid user token
Servers shall take proper measures to protect against attacks on user identity tokens. Such an attack is assumed if repeated connection attempts with invalid user identity tokens happen. See ActivateSession Service in UA Part 4.
Security User JWT Token Policy
The Server supports one or more Endpoints with a UserTokenPolicy that includes a JWT IssuerEndpointUrl as defined in UA Part 6.
For JWT the issuerEndpointUrl is a JSON object that includes all parameters that define the AuthorizationService.
As part of the JWT Token Policy, the Server shall support at least one of the following Authority Profile ConformanceUnits. The URIs defined in the ConformanceUnit shall be exposed in the authorityProfileURI field of the JWT Token Policy.
OAuth2 Authority Profile
This unit indicates support of OAuth2 over HTTPS to request access tokens.
The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#OAuth2"
OPC UA Authority Profile
This unit indicates support of the OPC UA Methods defined in UA Part 12 to request access tokens.
The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#OPCUA"
Azure Identity Provider Authority Profile
This unit indicates support of the Azure identity provider to request access tokens.
The URI for the interactions with this authority is "http://opcfoundation.org/UA/Authorization#Azure"