Connectivity Software User's Guide and Reference
OPC Wizard User Authentication
Introduction 

OPC UA offers several ways of authenticating users, such as anonymous, username and password, or X.509 certificate. These correspond to different user identity token types. The user authentication step verifies that the user is who he/she claims to be. OPC Wizard offers user manager objects for common authentication methods, and you achieve user authentication simply by configuring the user managers. You can also do custom handling by taking over the user authentication and providing your own code to handle it.

User Identity Token Types

OPC UA recognizes 4 types of user identity tokens:

You, as a developer, decide which user identity token types will be made available by the server. This is done using the IEasyUAServer.UserIdentityTokenTypes Property.

By default, all supported user identity token types are enabled. The OPC UA server exposes the available user identity token types using the OPC UA discovery mechanism, and OPC UA clients can view them. If your server does not offer a specific token type, you should remove it from the UserIdentityTokenTypes Property; otherwise the information offered to OPC UA clients will be confusing. E.g. if you are developing a server that never actually authenticates its users, you should keep only the Anonymous Field flag in this property. Conversely, if the server always requires username & password authentication, and no anonymous users whatsoever, keep only the UserName flag in this property.

The following example shows how to implement an OPC UA server that does not use user authentication, and only allows anonymous access.

.NET

// This example shows how to allow only anonymous access to the OPC UA server.
// You can use any OPC UA client, including our Connectivity Explorer and OpcCmd utility, to connect to the server. 
//
// Find all latest examples here: https://www.doc-that.com/files/onlinedocs/OPCLabs-ConnectivityStudio/Latest/examples.html .
// OPC client, server and subscriber examples in C# on GitHub: https://github.com/OPCLabs/Examples-ConnectivityStudio-CSharp .
// Missing some example? Ask us for it on our Online Forums, https://forum.opclabs.com/forum/index ! You do not have to own
// a commercial license in order to use Online Forums, and we reply to every post.

using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.NodeSpace;
using System;
using OpcLabs.BaseLib.Security.User;

namespace UAServerDocExamples.AccessControl
{
    internal partial class UserIdentityTokens
    {
        public static void AnonymousOnly()
        {
            // Instantiate the server object.
            // By default, the server will run on endpoint URL "opc.tcp://localhost:48040/".
            var server = new EasyUAServer();

            // By default, the server allows all user identity token types. In this example, we will allow only anonymous
            // access. Use this setting if your server does not need support for identifying/authenticating its users.
            server.UserIdentityTokenTypes = UserIdentityTokenTypes.Anonymous;

            // Define a data variable providing random integers.
            var random = new Random();
            server.Add(new UADataVariable("MyDataVariable").ReadValueFunction(() => random.Next()));

            // Start the server.
            Console.WriteLine("The server is starting...");
            server.Start();

            Console.WriteLine("The server is started.");
            Console.WriteLine();

            // Let the user decide when to stop.
            Console.WriteLine("Press Enter to stop the server...");
            Console.ReadLine();

            // Stop the server.
            Console.WriteLine("The server is stopping...");
            server.Stop();

            Console.WriteLine("The server is stopped.");
        }
    }
}

If a specific user identity token type is not made available by the OPC UA server, there is no corresponding endpoint configuration that the OPC UA client can use with this token type. It is therefore not necessary to add extra precautions in subsequent access control steps to deny access to users connecting to the server using a user identity token type that is not in the UserIdentityTokenTypes Property, because such connection simply cannot be made at all.

User Managers

If the OPC UA client is connecting to the OPC Wizard server using one of the user identity token types made available as described above, OPC Wizard then attempts to authenticate the user. This is done by user manager objects. There is one user manager object for every supported type of user identity token.

Your code can configure the user managers so that they provide the authentication you need. The user managers are accessible through the UserManagers Property on the EasyUAServer Class.

Anonymous User Manager 

The anonymous user manager is used when an anonymous user identity token is used by the OPC UA client to establish the connection. It is a simplistic user manager, as all anonymous users are treated the same. It is accessible through the Anonymous Property of the UserManagers Class.

By default, this property contains an instance of the MemoryAnonymousUserManager Class. For configurable properties of the anonymous user manager, see OPC Wizard User Authorization.

Username/Password User Manager

The username/password user manager is used when a username and password user identity token is used by the OPC UA client to establish the connection. The manager checks whether the username represents a known user, and whether a correct password has been specified by the OPC UA client for the user. It is accessible through the NameAndPassword Property of the UserManagers Class.

By default, OPC Wizard uses an instance of the MemoryNameAndPasswordUserManager Class for the username/password user manager. This is an in-memory implementation of such a user manager. You can create new users using the Create Method, and remove them using the Delete Method. Besides authentication, the user manager also handles authorization tasks - for details, see OPC Wizard User Authorization.

The following example shows how to implement an OPC UA server that only allows access authenticated with username and password.

.NET

// This example shows how to allow only authenticated access to the OPC server, with username & password. It also shows how
// to create a user and assign it an initial password.
// You can use any OPC UA client, including our Connectivity Explorer and OpcCmd utility, to connect to the server. 
//
// Find all latest examples here: https://www.doc-that.com/files/onlinedocs/OPCLabs-ConnectivityStudio/Latest/examples.html .
// OPC client, server and subscriber examples in C# on GitHub: https://github.com/OPCLabs/Examples-ConnectivityStudio-CSharp .
// Missing some example? Ask us for it on our Online Forums, https://forum.opclabs.com/forum/index ! You do not have to own
// a commercial license in order to use Online Forums, and we reply to every post.

using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.NodeSpace;
using System;
using OpcLabs.BaseLib.Security.User;
using OpcLabs.BaseLib.Security.User.Extensions;

namespace UAServerDocExamples.AccessControl
{
    internal partial class UserIdentityTokens
    {
        public static void UserNameOnly()
        {
            // Instantiate the server object.
            // By default, the server will run on endpoint URL "opc.tcp://localhost:48040/".
            var server = new EasyUAServer();

            // By default, the server allows all user identity token types. In this example, we will allow only username &
            // password user identity tokens.
            server.UserIdentityTokenTypes = UserIdentityTokenTypes.UserName;

            // Create a user with username "user1" and password "pass". Without specifying security role IDs, the user
            // session will be assigned implicit Anonymous, AuthenticatedUser and possibly TrustedApplication roles.
            server.UserManagers.NameAndPassword.Create("user1", "pass");

            // Define a data variable providing random integers.
            var random = new Random();
            server.Add(new UADataVariable("MyDataVariable").ReadValueFunction(() => random.Next()));

            // Start the server.
            Console.WriteLine("The server is starting...");
            server.Start();

            Console.WriteLine("The server is started.");
            Console.WriteLine();

            // Let the user decide when to stop.
            Console.WriteLine("Press Enter to stop the server...");
            Console.ReadLine();

            // Stop the server.
            Console.WriteLine("The server is stopping...");
            server.Stop();

            Console.WriteLine("The server is stopped.");
        }
    }
}

The contents of the MemoryNameAndPasswordUserManager Class (the users and all information associated with them) can be saved to file using the SaveToFile Method, or loaded from file using the LoadFromFile Method.

Only hashes of passwords are kept in memory and/or saved to a file. The MemoryNameAndPasswordUserManager Class does not persist the passwords themselves.

Custom User Authentication

The behavior provided by the default anonymous and username/password user managers should be sufficient for most servers. In some scenarios, however, more customization of the authentication process is needed. For example, you might have a separate subsystem that already handles the authentication (and/or authorization), and although it might be possible to extract the authentication information from it and load it into the MemoryNameAndPasswordUserManager Class, such a solution has several disadvantages.

In cases like this, you can customize the user authentication and provide your own code to do it. Two approaches can be used:

Custom User Managers

In order to replace the default username/password user manager, you can write a class that implements the IReadOnlyNameAndPasswordUserManager Interface. You then assign an instance of your class to the ReadOnlyNameAndPassword Property in the UserManagers Class. Note that it is not necessary to implement the "full" INameAndPasswordUserManager Interface (which includes methods for modifying the user list and user properties) in order to develop a functioning OPC UA server.

User Verification Event

By handling the VerifyUser Event on the EasyUAServer Class, you can provide fully custom logic to authenticate a user's identity token. The event is passed an instance of the VerifyUserEventArgs Class, where the user identity token is available as an input. Use the HandleAndReturn Method to indicate that your code has taken over the authentication and is returning a corresponding result. If your code does not indicate that it has handled the event, OPC Wizard continues by attempting to authenticate the user by interrogating the user manager objects, as described above.
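The following is an added example (not from this page or from OPC Labs' own samples) of the "separate subsystem" scenario: a VerifyUser handler delegates username/password checks to an existing credential store that keeps only salted PBKDF2 hashes, and leaves every other token type unhandled so that OPC Wizard falls back to the user managers. Only the VerifyUser event, the VerifyUserEventArgs class and the HandleAndReturn method come from this page; the member names UserIdentityToken, UserNameIdentityToken.UserName/.Password and HandleAndReturn taking a bool are assumptions to be checked against the OPC Wizard reference.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using OpcLabs.BaseLib.Security.User;
using OpcLabs.EasyOpc.UA;

// Constructed stand-in for an existing credential subsystem. It stores salted PBKDF2-SHA256
// hashes only, never the passwords themselves.
internal sealed class CredentialStore
{
    private const int Iterations = 600_000;
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _users = new(StringComparer.Ordinal);

    public void Add(string userName, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        _users[userName] = (salt, Derive(password, salt));
    }

    public bool Verify(string userName, string password)
    {
        // Derive a hash even for unknown users, so response time does not reveal which usernames exist.
        bool known = _users.TryGetValue(userName, out var entry);
        if (!known) entry = (new byte[16], new byte[32]);
        byte[] candidate = Derive(password, entry.Salt);
        return CryptographicOperations.FixedTimeEquals(candidate, entry.Hash) & known;
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, 32);
}

internal static class CustomVerificationExample
{
    public static void Run()
    {
        var store = new CredentialStore();
        store.Add("operator", "correct horse battery staple"); // constructed sample user

        var server = new EasyUAServer();
        server.UserIdentityTokenTypes = UserIdentityTokenTypes.UserName; // advertise only username & password

        server.VerifyUser += (sender, e) =>
        {
            // ASSUMED member names (UserIdentityToken, UserNameIdentityToken, HandleAndReturn(bool)).
            if (e.UserIdentityToken is not UserNameIdentityToken token)
                return; // not handled: OPC Wizard falls back to the configured user managers
            e.HandleAndReturn(store.Verify(token.UserName, token.Password));
        };

        server.Start();
        Console.WriteLine("Press Enter to stop the server...");
        Console.ReadLine();
        server.Stop();
    }
}
```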
