This article describes how you can provide the user identity that your OPC UA client application will use to connect to the OPC UA server. Whether or not this user authentication is needed depends on how the OPC UA server is set up. Depending on whether or not you are providing the user identity, and depending on which concrete user you specify, the OPC UA server may allow you to perform a different set of operations, or it may reject the connection altogether.
In your application based on OPC Studio, you specify the user inside the EasyUAClient object parameters (see User Identity in QuickOPC-UA), or as part of the OPC UA endpoint descriptor (UAEndpointDescriptor Class). The main part of the endpoint descriptor is the endpoint URL, but there are other parts that can be specified as well, and one of them is the UserIdentity Property. This property contains a user identity object, which is an instance of the UserIdentity Class.
The user identity object acts as a collection of token infos. The token info specifies the user to be authenticated using a particular approach, such as anonymous, user name, Kerberos (issued), or X.509 certificate. Each token info can be either configured, or not. Token infos that are not configured are ignored for user authentication. When OPC Data Client connects to the OPC UA server, it matches the configured token infos with the token types supported by the server endpoint, and finds the best match. If no match is found, no user token is passed to the server, which usually results in an error.
Most often, you will configure one user token in the user identity. If you configure multiple user tokens in the user identity, they should logically correspond to the same user - just specified in different ways. This way, the proper user token can be chosen when connecting to different servers or endpoints - but there will be no ambiguity as to which user is actually connecting.
Manipulating this object in the endpoint descriptor that you use to connect to the OPC UA server gives you a way to specify the user identity. It can be done by setting the various properties and sub-properties. Alternatively, in .NET languages, OPC Data Client gives you extension methods (on the UAEndpointDescriptor Class) that allow you to create an endpoint descriptor with a chosen token info type using a single method call. These extension methods are called WithXXXXIdentity, where XXXX is the type of the token info to be used.
Anonymous token in the user identity is represented by the AnonymousTokenInfo Class object in the UserIdentity.AnonymousTokenInfo Property, and is configured by default. You can control whether or not it is configured by manipulating the UserIdentity.AnonymousTokenInfo.IsEnabled Property.
With many servers, it does not make any difference whether an anonymous token is specified or not, and if there is no user token, the behavior is the same as if the anonymous token was specified.
In Windows environments, the Kerberos (issued) token type allows you to use the network credentials for OPC UA user authentication. Either a custom network credential, or the current user's identity can be used. The custom network credential specifies the user name, password, and domain.
Kerberos (issued) token in the user identity is represented by the KerberosTokenInfo Class object in the UserIdentity.KerberosTokenInfo Property. The actual user that you want to authenticate is specified by the NetworkSecurity object in the UserIdentity.KerberosTokenInfo.NetworkSecurity Property.
In .NET languages, instead of manipulating the object properties, you can take an OPC UA endpoint descriptor, and create a new endpoint descriptor from it, with user identity provided by the Kerberos (issued) token. To do so, use the WithKerberosIdentity Method.
The user name token uses a user name (string) and an optional password (a string) to identify and authenticate the user. The user name token is represented by the UserNameTokenInfo Class object in the UserIdentity.UserNameTokenInfo Property. The user name is contained in the UserName Property and the password in the Password Property of the UserNameTokenInfo Class. The user name token info is considered configured when the user name or the password is not empty.
In .NET languages, instead of manipulating the object properties, you can take an OPC UA endpoint descriptor, and create a new endpoint descriptor from it, with user identity provided by the user name token. To do so, use the WithUserNameIdentity Method.
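The following C# program is an added example, not code from the OPC Labs documentation or the OPC Studio product itself. It builds an endpoint descriptor carrying a user name token in both of the ways described above (setting the UserIdentity sub-properties, and the WithUserNameIdentity extension method), disables the default anonymous token so that exactly one token info is configured, and reads one node. The endpoint URL and node ID are placeholders, the credentials are read from environment variables (assumed names OPCUA_USER and OPCUA_PASSWORD), and the WithUserNameIdentity(userName, password) signature is assumed from the description above.

```csharp
// Added example (not from the OPC Labs documentation): user name token in the UserIdentity.
// Assumed: placeholder endpoint URL and node ID, environment variable names,
// and the WithUserNameIdentity(string userName, string password) signature.
using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.OperationModel;

class UserNameIdentityExample
{
    // Placeholders: substitute your own server endpoint and node.
    const string EndpointUrl = "opc.tcp://<your-server>:4840/";
    const string NodeId = "nsu=<your-namespace>;s=<your-node>";

    // Variant 1: manipulate the UserIdentity object inside the endpoint descriptor.
    static UAEndpointDescriptor BuildByProperties(string userName, string password)
    {
        // The endpoint URL is the main part of the descriptor (implicit conversion from string).
        UAEndpointDescriptor endpoint = EndpointUrl;

        // The anonymous token is configured by default. Turn it off so the user name token
        // is the only configured token info and there is no ambiguity about who connects.
        endpoint.UserIdentity.AnonymousTokenInfo.IsEnabled = false;

        // The user name token info counts as configured once UserName or Password is non-empty.
        endpoint.UserIdentity.UserNameTokenInfo.UserName = userName;
        endpoint.UserIdentity.UserNameTokenInfo.Password = password;
        return endpoint;
    }

    // Variant 2: the WithUserNameIdentity extension method (assumed signature) returns a
    // new descriptor derived from the original one, in a single call.
    static UAEndpointDescriptor BuildByExtensionMethod(string userName, string password)
    {
        return new UAEndpointDescriptor(EndpointUrl).WithUserNameIdentity(userName, password);
    }

    static void Main(string[] args)
    {
        // Keep the secret out of the source file; read it from the environment instead.
        string userName = Environment.GetEnvironmentVariable("OPCUA_USER") ?? "";
        string password = Environment.GetEnvironmentVariable("OPCUA_PASSWORD") ?? "";

        bool useProperties = args.Length > 0 && args[0] == "--properties";
        UAEndpointDescriptor endpoint = useProperties
            ? BuildByProperties(userName, password)
            : BuildByExtensionMethod(userName, password);

        var client = new EasyUAClient();
        try
        {
            object value = client.ReadValue(endpoint, NodeId);
            Console.WriteLine($"Value: {value}");
        }
        catch (UAException ex)
        {
            // Wrong credentials, an endpoint that does not accept user name tokens, or no
            // matching token type at all: each surfaces here as a failed operation.
            Console.WriteLine($"Read failed: {ex.GetBaseException().Message}");
        }
    }
}
```

Run it with `--properties` to exercise the property-based variant; without the switch it uses the extension method. Both produce an equivalent descriptor. Disabling the anonymous token is not strictly required, but it makes a rejected connection easier to diagnose: with the anonymous token still enabled, a server endpoint that does not support user name tokens would silently match the anonymous one instead, and the read would succeed or fail under a different identity than you intended.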
The X.509 certificate token authenticates the user by its user certificate (challenge-response process is used underneath). This token is represented by the X509CertificateTokenInfo Class object in the UserIdentity.X509CertificateTokenInfo Property.
In order to specify the user certificate that will be used, you fill in a certificate query, contained in the CertificateQuery Property of the X509CertificateTokenInfo object. The certificate query specifies where the certificate comes from, and which certificate should be selected. The source of the certificate is given by the source type (SourceType Property), and depending on its value, further properties in the certificate query object need to be filled in.
The X.509 certificate token info is considered configured when the source type is not None.
In .NET languages, instead of manipulating the object properties, you can take an OPC UA endpoint descriptor, and create a new endpoint descriptor from it, with user identity provided by the X.509 certificate token. To do so, use the WithX509CertificateIdentity Method.
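As an added example (again not code from the OPC Labs documentation), the program below creates an endpoint descriptor with an X.509 certificate token via WithX509CertificateIdentity, prints the resulting SourceType so you can confirm the token info is now configured (anything other than None), and reads one node. The overload WithX509CertificateIdentity(fileName, password) taking a PFX file path and its password is an assumption; the endpoint URL, node ID and environment variable names are placeholders.

```csharp
// Added example (not from the OPC Labs documentation): X.509 certificate token in the UserIdentity.
// Assumed: the WithX509CertificateIdentity(string fileName, string password) overload,
// placeholder endpoint URL and node ID, and the environment variable names used below.
using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.OperationModel;

class X509IdentityExample
{
    // Placeholders: substitute your own server endpoint and node.
    const string EndpointUrl = "opc.tcp://<your-server>:4840/";
    const string NodeId = "nsu=<your-namespace>;s=<your-node>";

    static UAEndpointDescriptor BuildWithCertificate(string pfxPath, string pfxPassword)
    {
        // The user certificate (with its private key, which the challenge-response needs)
        // is selected through the certificate query that this call fills in.
        UAEndpointDescriptor endpoint =
            new UAEndpointDescriptor(EndpointUrl).WithX509CertificateIdentity(pfxPath, pfxPassword);

        // Only the certificate token should remain configured.
        endpoint.UserIdentity.AnonymousTokenInfo.IsEnabled = false;
        return endpoint;
    }

    static void Main()
    {
        // Path to the PFX and its password come from the environment, not from source code.
        string pfxPath = Environment.GetEnvironmentVariable("OPCUA_USER_PFX") ?? "";
        string pfxPassword = Environment.GetEnvironmentVariable("OPCUA_USER_PFX_PASSWORD") ?? "";

        UAEndpointDescriptor endpoint = BuildWithCertificate(pfxPath, pfxPassword);

        // The token info is considered configured when the source type is not None.
        Console.WriteLine(
            $"Certificate source type: {endpoint.UserIdentity.X509CertificateTokenInfo.CertificateQuery.SourceType}");

        var client = new EasyUAClient();
        try
        {
            object value = client.ReadValue(endpoint, NodeId);
            Console.WriteLine($"Value: {value}");
        }
        catch (UAException ex)
        {
            // A certificate the server does not trust for user authentication, a missing
            // private key, or an endpoint without X.509 token support all fail here.
            Console.WriteLine($"Read failed: {ex.GetBaseException().Message}");
        }
    }
}
```

Because the server verifies possession of the private key, the PFX file is a credential in its own right: restrict its file permissions to the account running the client, and do not reuse the application instance certificate as the user certificate unless the server is deliberately configured that way.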
OPC UA has a feature that allows the clients to change the identity of the user on an existing connection (OPC UA session), without having to close the session and re-open it. OPC Data Client supports this feature as well. For more information, see Dynamic User Identity Change.
Note that this feature is only available if the OPC UA server supports it.