Support for IssuedToken in the server
August 26, 2021, 23:26 EEST
Xavier (Member, Forum Posts: 43, Member Since: March 26, 2014)

Hi,

I would like to know if it is possible to accept an IssuedToken on the server side (a JWT, for instance). I would validate the token myself, but at the moment does the server allow accepting them? It is not in the UserTokenPolicies class.

On the client side it seems to be possible by using UserIdentity(byte[]).

Thanks,

August 30, 2021, 15:23 EEST
Bjarne Boström (Moderator, Forum Posts: 983, Member Since: April 3, 2012)

Hi,

It is (as far as I know) a pretty-much-not-used feature of OPC UA.

Anyway, for the server side, you can just make a UserTokenPolicy and add that.

```java
import com.prosysopc.ua.stack.core.UserTokenPolicy;           // Prosys OPC UA SDK for Java 4.x packages
import com.prosysopc.ua.stack.core.UserTokenType;
import com.prosysopc.ua.stack.transport.security.SecurityPolicy;

// Advertise an IssuedToken user token policy in the server's endpoint descriptions
UserTokenPolicy issuedTokenPolicy = new UserTokenPolicy();
issuedTokenPolicy.setTokenType(UserTokenType.IssuedToken);
issuedTokenPolicy.setIssuedTokenType("IssuedTokenTypeHere");
issuedTokenPolicy.setIssuerEndpointUrl("IssuerEndpointUrlHere");
issuedTokenPolicy.setPolicyId("issued_token_invent_something");
issuedTokenPolicy.setSecurityPolicyUri(SecurityPolicy.BASIC256SHA256.getPolicyUri()); // something here as well, but must be a known security policy URI
server.addUserTokenPolicy(issuedTokenPolicy);
```

For the client side, it would seem we have a bug. The policy id is not set in the token thus we send null (so in practice the server will treat it as an Anonymous usertoken type). This is now fixed in our latest beta and will be part of 4.6.0.

P.S.
Some new stuff in OPC UA 1.04 does refer to JWTs.
https://reference.opcfoundation.org/v104/Core/docs/Part4/7.36.2/#7.36.2.3
https://reference.opcfoundation.org/v104/Core/docs/Part4/7.36.6/
https://reference.opcfoundation.org/v104/Core/docs/Part7/6.6.172/

Though it should be noted that we have not worked on those yet.

August 30, 2021, 23:31 EEST
Xavier (Member, Forum Posts: 43, Member Since: March 26, 2014)

Thank you, I will test with 4.6.0!

September 13, 2021, 23:54 EEST
Xavier (Member, Forum Posts: 43, Member Since: March 26, 2014)

Hi,

I tested with the 4.6.0 release and I’m able to send a byte array as IssuedToken with your sample code 🙂

My issue is that it seems the content is limited to 245 bytes, whereas my JWT tokens are clearly bigger than that (> 650 bytes). Is there a way to change the RSA algorithm for something that supports bigger content, or is it simply not possible to use big tokens? (I already tried to use the token as the password for Username/Password, but there is exactly the same limitation.) I also tried to replace “BASIC256SHA256” by NONE or other policies, without success.

Error when trying to connect with the token:
```text
Caused by: com.prosysopc.ua.stack.common.ServiceResultException: Bad_SecurityPolicyRejected (code=0x80550000, description="javax.crypto.IllegalBlockSizeException:Data must not be longer than 245 bytes")
at com.prosysopc.ua.stack.utils.EndpointUtil.createIssuedIdentityToken(SourceFile:160)
```

Thanks 🙂

September 14, 2021, 14:00 EEST
Bjarne Boström (Moderator, Forum Posts: 983, Member Since: April 3, 2012)

The answer is (once again) complicated. The short version is that basically we do not yet support JWTs or anything that would require EncryptedSecret; the question is how much you need this, and when?

That password limit is a bug, though in the other direction: the limit should actually be 64 bytes, due to https://reference.opcfoundation.org/v104/Core/docs/Part4/7.36.2/:

“The legacy token secret format defined in 7.36.2.2 is not extensible and provides only encryption but the encrypted data is not signed. It is used together with the USERNAME_1 UserIdentityToken. The password secret exchanged with this format shall not exceed 64 bytes.”

1.04 defined a new “7.36.2.3 EncryptedSecret Format” and also sort of re-wrote the issued token, and there is some “native” support for JWTs, https://reference.opcfoundation.org/Core/docs/Part4/7.36.6/. That would seem to need the EncryptedSecret Format:
“The IssuedIdentityToken is used to pass SecurityTokens issued by an external Authorization Service to the Server. These tokens may be text or binary.

OAuth2 defines a standard for Authorization Services that produce JSON Web Tokens (JWT). These JWTs are passed as an Issued Token to an OPC UA Server which uses the signature contained in the JWT to validate the token. OPC 10000-6 describes OAuth2 and JWTs in more detail. If the token is encrypted, it shall use the EncryptedSecret format defined in 7.36.2.3.”

Previously (pre-1.04) it was:
“The IssuedIdentityToken is used to pass WS-Security compliant SecurityTokens to the Server. WS-Security defines a number of token profiles that may be used to represent different types of SecurityTokens. For example, Kerberos and SAML tokens have WSS token profiles and shall be exchanged in OPC UA as XML Security Tokens.”


The 1.04 part 6 link: https://reference.opcfoundation.org/Core/docs/Part6/6.5.2/, that tells what the issuedTokenType and issuerEndpointUrl should contain if it is a JWT.

The encryption algorithm parameter in the token is the URI of the AsymmetricEncryptionAlgorithm. This goes a bit outside of what I usually do, thus this part might be incorrect. I think the limiting factor is the cert size, and basically there is no way around that: https://stackoverflow.com/questions/10007147/getting-a-illegalblocksizeexception-data-must-not-be-longer-than-256-bytes-when .

The EncryptedSecret would use a symmetric encryption algorithm, so size would not be a problem. And I think this symmetric key would then be encrypted with the asymmetric algorithm using the public key, as in the “legacy token”.

Technically, the limits on the token size as it is now are: 1k cert: 117 bytes, 2k cert: 245 bytes, 4k cert: 501 bytes. Anything larger would need the EncryptedSecret support (plus I am not sure whether this is only for JWTs yet).
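The size limits quoted in this reply follow from RSA PKCS#1 v1.5 padding (modulus length minus 11 bytes), which is what the legacy token secret format uses. The following stand-alone JDK program is an added illustration written for this thread; it is not Prosys SDK code and does not use the SDK's API. It computes the direct-encryption limit for 1024-, 2048- and 4096-bit keys, reproduces the IllegalBlockSizeException from the thread with a constructed 650-byte stand-in for a JWT, and then shows the generic hybrid pattern the reply describes (a fresh symmetric key encrypts the secret and only that key is RSA-encrypted), so the token length no longer depends on the certificate key size. The class and method names, the sample payload and the choice of AES-GCM plus RSA-OAEP are the example's own assumptions; the actual EncryptedSecret wire layout defined in Part 4, 7.36.2.3 is not reproduced here.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class IssuedTokenSizeDemo {

    /** Largest plaintext RSA PKCS#1 v1.5 can encrypt: modulus bytes minus 11 bytes of padding. */
    static int maxPkcs1Plaintext(RSAPublicKey key) {
        return (key.getModulus().bitLength() + 7) / 8 - 11;
    }

    /** Direct RSA encryption of the whole secret, as in the legacy token secret format. */
    static byte[] encryptDirect(RSAPublicKey key, byte[] secret) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, key);
        return rsa.doFinal(secret); // throws IllegalBlockSizeException when secret exceeds the limit
    }

    /**
     * Hybrid scheme (example only, not the OPC UA EncryptedSecret layout): a random AES-256 key
     * encrypts the secret with GCM, and only the 32-byte AES key is wrapped with RSA-OAEP.
     * Returns { wrappedKey, nonce, ciphertextWithTag }.
     */
    static byte[][] encryptHybrid(RSAPublicKey key, byte[] secret) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();

        byte[] nonce = new byte[12];               // 96-bit GCM nonce, unique per encryption
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = aes.doFinal(secret);   // length = secret length + 16-byte tag

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, key);
        byte[] wrappedKey = rsa.doFinal(aesKey.getEncoded()); // 32 bytes fits any key size used here

        return new byte[][] { wrappedKey, nonce, ciphertext };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a 650-byte stand-in for a JWT (not a real token).
        byte[] fakeJwt = new byte[650];
        Arrays.fill(fakeJwt, (byte) 'x');

        for (int bits : new int[] { 1024, 2048, 4096 }) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            KeyPair kp = kpg.generateKeyPair();
            RSAPublicKey pub = (RSAPublicKey) kp.getPublic();

            System.out.println(bits + "-bit key: max direct PKCS#1 v1.5 plaintext = "
                    + maxPkcs1Plaintext(pub) + " bytes");
            try {
                encryptDirect(pub, fakeJwt);
                System.out.println("  direct RSA encryption of 650 bytes: OK");
            } catch (IllegalBlockSizeException e) {
                System.out.println("  direct RSA encryption of 650 bytes: " + e.getMessage());
            }

            byte[][] parts = encryptHybrid(pub, fakeJwt);
            System.out.println("  hybrid: wrapped key " + parts[0].length + " bytes, ciphertext "
                    + parts[2].length + " bytes (independent of certificate size)");
        }
    }
}
```

Run with `java IssuedTokenSizeDemo.java` (JDK 11 or later). The printed limits are 117, 245 and 501 bytes for 1024-, 2048- and 4096-bit keys, matching the figures in the reply, and the 2048-bit case fails with the same "Data must not be longer than 245 bytes" message as the stack trace above. The hybrid path succeeds for every key size because the RSA operation only ever sees the 32-byte AES key; the token itself is protected by the symmetric cipher, whose output length grows only with the token. When a server later decrypts such a secret it should verify the GCM tag before trusting any byte of the token, and a JWT still has to be validated separately (issuer, audience, expiry and signature) once it has been recovered.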

September 14, 2021, 18:12 EEST
Xavier (Member, Forum Posts: 43, Member Since: March 26, 2014)

Thank you for the details, I will try to see how I can find a workaround at the moment.
