View Issue Details

ID: 0010236
Project: 10000-018: Role-Based Security
Category: Spec
View Status: public
Last Update: 2025-06-05 18:54
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.05.04
Target Version: 1.05.06 RC1
Fixed in Version: 1.05.06 RC1
Summary: 0010236: Clarifications for JWT Issued User Identity Tokens
Description

At the moment the criteriaTypes Role and GroupId are created from the "roles" or "groups" claims in the JWT. But they are only unique inside one token provider, identified by the "iss" claim. If more than one token provider is used in a system, the "iss" is required.

Propose the following addition:
If the issuedTokenType of the Access Token is “http://opcfoundation.org/UA/UserToken#JWT”, the criteria shall be dependent on the existence of the “iss” (issuer) field of the JWT IssuedIdentityToken. If it is present, the criteria shall be the concatenation of the value of the “iss” field of the JWT IssuedIdentityToken, a ‘/’ (slash) as separator and the name of the restriction, which is found in the Access Token. If it is not present, it is only the restriction, which is found in the Access Token.

Additional Information

The document with the comments and proposed changes can be found in

Meetings > 2025 > 2025-03-11 F2F Foxboro > JWT_IssuedToken_Issues
OPC 10000-18 - UA Specification Part 18 - Role-Based Security 1.05.04_JWT_Issues.docx

https://opcfoundation.sharepoint.com/:w:/r/sites/wg.UA/Shared%20Documents/sg.Core/Meetings/2025/2025-03-11%20F2F%20Foxboro/JWT_IssuedToken_Issues/OPC%2010000-18%20-%20UA%20Specification%20Part%2018%20-%20Role-Based%20Security%201.05.04_JWT_Issues.docx?d=w4810408ca7304eaf85934fc863eeaf3b&csf=1&web=1&e=gwN2z3

Tags: No tags attached.
Commit Version: 1.05.06 RC1
Fix Due Date: 2025-05-01

Relationships

related to 0010235 (closed, Randy Armstrong): 10000-006: Mappings Clarifications for JWT Issued User Identity Tokens
related to 0010234 (closed, Jeff Harding): 10000-005: Information Model ClientUserId creation rules for JWT tokens

Activities

Matthias Damm

2025-06-05 17:57

developer   ~0022974

CriteriaType Role:
Added
If the issuedTokenType of the Access Token is “http://opcfoundation.org/UA/UserToken#JWT”, the criteria shall be dependent on the existence of the “iss” (issuer) field of the JWT IssuedIdentityToken. If it is present, the criteria shall be the concatenation of the value of the “iss” field of the JWT IssuedIdentityToken, a ‘/’ (slash) as separator and the name of one of the entries in the roles field, which is found in the Access Token. If it is not present, it is only the role, which is found in the Access Token.

CriteriaType GroupId:
Added
If the issuedTokenType of the Access Token is “http://opcfoundation.org/UA/UserToken#JWT”, the criteria shall be dependent on the existence of the “iss” (issuer) field of the JWT IssuedIdentityToken. If it is present, the criteria shall be the concatenation of the value of the “iss” field of the JWT IssuedIdentityToken, a ‘/’ (slash) as separator and the name of one of the entries in the groups field, which is found in the Access Token. If it is not present, it is only the group, which is found in the Access Token.
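The rule adopted in the note above, worked through as an added example (not OPC Foundation or spec text): derive the Role and GroupId criteria strings from the JWT claims, prefixing each "roles"/"groups" entry with "<iss>/" when the "iss" claim is present and leaving it bare otherwise. The example assumes the token's signature is verified before any claim is mapped (HS256 with a shared secret stands in for whatever scheme a deployment uses), that the "roles" and "groups" claims are JSON arrays of strings (a bare string is tolerated as an assumption), and that the issuedTokenType check against "http://opcfoundation.org/UA/UserToken#JWT" has already been done. The issuers, keys and tokens are constructed sample data.

```python
"""Derive Part 18 Role / GroupId criteria from a JWT IssuedIdentityToken.

Added example, not OPC Foundation code. Assumptions:
  * the Access Token's issuedTokenType was already checked to be JWT_ISSUED_TOKEN_TYPE;
  * "roles" / "groups" claims are JSON arrays of strings (a bare string is also accepted);
  * HS256 with a shared secret stands in for the deployment's real signing scheme.
"""
import base64
import hashlib
import hmac
import json

JWT_ISSUED_TOKEN_TYPE = "http://opcfoundation.org/UA/UserToken#JWT"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed compact JWT; used here only to construct the sample tokens below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Check the signature and return the claims. Criteria must never be built from an unverified token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; do not let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def criteria_from_claim(claims: dict, claim_name: str) -> list:
    """Part 18 rule: "<iss>/<entry>" for each entry when "iss" is present, else the bare entry."""
    entries = claims.get(claim_name, [])
    if isinstance(entries, str):  # tolerate a single string instead of an array (assumption)
        entries = [entries]
    issuer = claims.get("iss")
    if issuer:
        return [f"{issuer}/{entry}" for entry in entries]
    return list(entries)


def role_and_group_criteria(token: str, key: bytes) -> tuple:
    """Verify the token, then return (Role criteria, GroupId criteria)."""
    claims = verify_hs256_jwt(token, key)
    return criteria_from_claim(claims, "roles"), criteria_from_claim(claims, "groups")


# Constructed sample data: two token providers that both hand out an "Operator" role,
# plus a token without "iss".
KEY_A = b"issuer-a-shared-secret"
KEY_B = b"issuer-b-shared-secret"
TOKEN_A = make_hs256_jwt({"iss": "https://idp-a.example", "sub": "alice",
                          "roles": ["Operator", "Engineer"], "groups": ["Plant1"]}, KEY_A)
TOKEN_B = make_hs256_jwt({"iss": "https://idp-b.example", "sub": "bob",
                          "roles": ["Operator"]}, KEY_B)
TOKEN_NO_ISS = make_hs256_jwt({"sub": "carol", "roles": "Operator"}, KEY_A)

if __name__ == "__main__":
    for label, tok, key in (("A", TOKEN_A, KEY_A), ("B", TOKEN_B, KEY_B), ("no-iss", TOKEN_NO_ISS, KEY_A)):
        print(label, role_and_group_criteria(tok, key))
```

With the prefix, "Operator" from idp-a and "Operator" from idp-b become two distinct criteria ("https://idp-a.example/Operator" and "https://idp-b.example/Operator"), so an identity mapping rule configured for one provider cannot be satisfied by a token from the other; this is the collision the issue describes. The token without "iss" yields the bare "Operator", which is why a multi-provider system should require "iss". Because the concatenation uses an unescaped '/', anyone configuring criteria should keep issuer URLs and role/group names free of ambiguous slash combinations.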

Jim Luth

2025-06-05 18:54

administrator   ~0022979

Agreed to changes edited in Virtual F2F.

Issue History

Date Modified Username Field Change
2025-03-14 21:35 Matthias Damm New Issue
2025-03-14 21:35 Matthias Damm Status new => assigned
2025-03-14 21:35 Matthias Damm Assigned To => Matthias Damm
2025-03-14 21:35 Matthias Damm Relationship added related to 0010235
2025-03-14 21:36 Matthias Damm Relationship added related to 0010234
2025-03-15 15:56 Jim Luth Fix Due Date => 2025-05-01
2025-03-15 15:57 Jim Luth Commit Version => 1.05.06 RC1
2025-06-05 17:57 Matthias Damm Status assigned => resolved
2025-06-05 17:57 Matthias Damm Resolution open => fixed
2025-06-05 17:57 Matthias Damm Fixed in Version => 1.05.06 RC1
2025-06-05 17:57 Matthias Damm Note Added: 0022974
2025-06-05 18:54 Jim Luth Status resolved => closed
2025-06-05 18:54 Jim Luth Note Added: 0022979