View Issue Details

ID: 0010236
Project: 10000-018: Role-Based Security
Category: Spec
View Status: public
Last Update: 2025-03-15 15:57
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 1.05.04
Target Version: 1.05.06 RC1
Summary: 0010236: Clarifications for JWT Issued User Identity Tokens
Description

At the moment the criteriaTypes Role and GroupId are created from the "roles" or "groups" claims in the JWT. But they are only unique inside one token provider identified by the "iss" claim. If more than one token provider is used in a system, the "iss" is required.

Propose the following addition:
If the issuedTokenType of the Access Token is "http://opcfoundation.org/UA/UserToken#JWT", the criteria shall be dependent on the existence of the "iss" (issuer) field of the JWT IssuedIdentityToken. If it is present, the criteria shall be the concatenation of the value of the "iss" field of the JWT IssuedIdentityToken, a '/' (slash) as separator and the name of the restriction, which is found in the Access Token. If it is not present, the criteria is only the restriction, which is found in the Access Token.
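As an added illustration of the proposed rule (not code from the issue or from the OPC UA specification), the following Python maps the "roles" and "groups" claims of a constructed JWT to Role and GroupId criteria, prefixing the issuer when "iss" is present, and shows why two providers without "iss" produce colliding criteria. Signature verification is assumed to have happened before the mapping; `make_test_jwt`, `jwt_payload`, `identity_criteria` and `collisions` are hypothetical helper names.

```python
import base64
import json

JWT_TOKEN_TYPE = "http://opcfoundation.org/UA/UserToken#JWT"  # issuedTokenType from the issue
CLAIM_TO_CRITERIA_TYPE = {"roles": "Role", "groups": "GroupId"}  # claim -> criteriaType


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_jwt(payload: dict) -> str:
    """Constructed test token (hypothetical helper): header.payload plus a
    placeholder signature segment, only for exercising the mapping below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.PLACEHOLDER-SIG"


def jwt_payload(token: str) -> dict:
    """Decode a compact JWT payload. The signature is NOT verified here; a
    server must validate the token before deriving any criteria from it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_unb64url(parts[1]))


def identity_criteria(token: str, issued_token_type: str = JWT_TOKEN_TYPE) -> list:
    """(criteriaType, criteria) pairs per the proposed rule: with 'iss' present
    the criteria is '<iss>/<name>', otherwise it is just '<name>'."""
    if issued_token_type != JWT_TOKEN_TYPE:
        raise ValueError("rule applies only to JWT IssuedIdentityTokens")
    claims = jwt_payload(token)
    iss = claims.get("iss")  # an empty string is treated as absent
    out = []
    for claim, criteria_type in CLAIM_TO_CRITERIA_TYPE.items():
        names = claims.get(claim, [])
        if isinstance(names, str):  # some providers emit a single string
            names = [names]
        for name in names:
            out.append((criteria_type, f"{iss}/{name}" if iss else name))
    return out


def collisions(tokens: list) -> set:
    """Criteria reached from more than one token: without 'iss', equal names
    issued by different providers map to the same criteria."""
    owners = {}
    for t in tokens:
        for key in set(identity_criteria(t)):
            owners.setdefault(key, set()).add(t)
    return {key for key, ts in owners.items() if len(ts) > 1}
```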

Additional Information

The document with the comments and proposed changes can be found in

Meetings > 2025 > 2025-03-11 F2F Foxboro > JWT_IssuedToken_Issues
OPC 10000-18 - UA Specification Part 18 - Role-Based Security 1.05.04_JWT_Issues.docx

https://opcfoundation.sharepoint.com/:w:/r/sites/wg.UA/Shared%20Documents/sg.Core/Meetings/2025/2025-03-11%20F2F%20Foxboro/JWT_IssuedToken_Issues/OPC%2010000-18%20-%20UA%20Specification%20Part%2018%20-%20Role-Based%20Security%201.05.04_JWT_Issues.docx?d=w4810408ca7304eaf85934fc863eeaf3b&csf=1&web=1&e=gwN2z3

Tags: No tags attached.
Commit Version: 1.05.06 RC1
Fix Due Date: 2025-05-01

Relationships

related to 0010235 (assigned, Randy Armstrong): 10000-006: Mappings Clarifications for JWT Issued User Identity Tokens
related to 0010234 (assigned, Jeff Harding): 10000-005: Information Model ClientUserId creation rules for JWT tokens

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-03-14 21:35 Matthias Damm New Issue
2025-03-14 21:35 Matthias Damm Status new => assigned
2025-03-14 21:35 Matthias Damm Assigned To => Matthias Damm
2025-03-14 21:35 Matthias Damm Relationship added related to 0010235
2025-03-14 21:36 Matthias Damm Relationship added related to 0010234
2025-03-15 15:56 Jim Luth Fix Due Date => 2025-05-01
2025-03-15 15:57 Jim Luth Commit Version => 1.05.06 RC1