
BadUserAccessDenied when the Identity token provided is not in the list of the server #2900

Open
1 of 5 tasks
KircMax opened this issue Dec 11, 2024 · 2 comments

Comments

@KircMax
Contributor

KircMax commented Dec 11, 2024

Type of issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Current Behavior

We throw a ServiceResultException that contains the Message 'Endpoint does not support the user identity type provided.' along with the StatusCode 'BadUserAccessDenied'.

Expected Behavior

UAExpert, e.g., returns 'BadIdentityTokenInvalid'...
I would also rather expect 'BadIdentityTokenInvalid', since the provided identity token does not match any of the ones provided by the server...
I'm not sure what the server would answer if the client did send the request.


Steps To Reproduce

  1. disable anonymous access on the server
  2. try to connect as anonymous with the client

Environment

- OS:
- Environment:
- Runtime:
- Nuget Version:
- Component:
- Server:
- Client:

Anything else?

No response

@romanett
Contributor

@KircMax Is this specifically written in the spec? To me it seems Bad_UserAccessDenied is also fitting here (and also Bad_IdentityTokenRejected), as the requested operation ActivateSession is not allowed with the token (which is not necessarily invalid, but not valid for the requested operation). If this is not clear, maybe we should open a mantis issue.

@KircMax
Contributor Author

KircMax commented Dec 11, 2024

I didn't really find anything specific in the Spec...
I just found these, but nothing there makes it clear to me:
https://reference.opcfoundation.org/Core/Part4/v105/docs/7.14
https://reference.opcfoundation.org/Core/Part3/v105/docs/4.9.3
https://reference.opcfoundation.org/Core/Part4/v105/docs/7.41

But you are right: since Bad_UserAccessDenied is one possible Response in ActivateSession, I wouldn't know when that would be sent to the client if not in cases like this one (maybe, if the user is configured in the system but does not have the right to access the server, the response should anyway be Bad_IdentityTokenRejected to not leak that information)...
https://reference.opcfoundation.org/Core/Part4/v104/docs/5.6.3

I just personally had the feeling that BadIdentityTokenInvalid was more fitting, but that's just a personal preference.
