Add authentication and role-based write access control

Implements configurable user authentication (anonymous + username/password)
with pluggable credential provider (IUserAuthenticationProvider). Anonymous
writes can be disabled via AnonymousCanWrite setting while reads remain
open. Adds -U/-P flags to all CLI commands for authenticated sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tools/opcuacli-dotnet/Commands/AlarmsCommand.cs

@@ -15,6 +15,12 @@ public class AlarmsCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node to subscribe to for event notifications, typically a source object or the server node.
     /// </summary>
@@ -39,7 +45,7 @@ public class AlarmsCommand : ICommand
     /// <param name="console">The CLI console used for cancellation and alarm-event output.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var nodeId = string.IsNullOrEmpty(NodeId)
             ? ObjectIds.Server

tools/opcuacli-dotnet/Commands/BrowseCommand.cs

@@ -15,6 +15,12 @@ public class BrowseCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the optional node identifier to browse from; defaults to the OPC UA Objects folder.
     /// </summary>
@@ -39,7 +45,7 @@ public class BrowseCommand : ICommand
     /// <param name="console">The console used to emit browse output.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var startNode = string.IsNullOrEmpty(NodeId)
             ? ObjectIds.ObjectsFolder

tools/opcuacli-dotnet/Commands/ConnectCommand.cs

@@ -13,13 +13,19 @@ public class ConnectCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Connects to the OPC UA endpoint and prints the resolved server metadata.
     /// </summary>
     /// <param name="console">The console used to report connection results.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
         await console.Output.WriteLineAsync($"Connected to: {session.Endpoint.EndpointUrl}");
         await console.Output.WriteLineAsync($"Server: {session.Endpoint.Server!.ApplicationName}");
         await console.Output.WriteLineAsync($"Security Mode: {session.Endpoint.SecurityMode}");

tools/opcuacli-dotnet/Commands/HistoryReadCommand.cs

@@ -15,6 +15,12 @@ public class HistoryReadCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node identifier for the historized variable to query.
     /// </summary>
@@ -57,7 +63,7 @@ public class HistoryReadCommand : ICommand
     /// <param name="console">The CLI console used for output, errors, and cancellation handling.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var nodeId = new NodeId(NodeId);
         var start = string.IsNullOrEmpty(StartTime) ? DateTime.UtcNow.AddHours(-24) : DateTime.Parse(StartTime).ToUniversalTime();

tools/opcuacli-dotnet/Commands/ReadCommand.cs

@@ -15,6 +15,12 @@ public class ReadCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node identifier whose value should be read.
     /// </summary>
@@ -27,7 +33,7 @@ public class ReadCommand : ICommand
     /// <param name="console">The console used to report the read result.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var node = new NodeId(NodeId);
         var value = await session.ReadValueAsync(node);

tools/opcuacli-dotnet/Commands/SubscribeCommand.cs

@@ -15,6 +15,12 @@ public class SubscribeCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node identifier to monitor for value changes.
     /// </summary>
@@ -33,7 +39,7 @@ public class SubscribeCommand : ICommand
     /// <param name="console">The console used to display subscription updates.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var subscription = new Subscription(session.DefaultSubscription)
         {

tools/opcuacli-dotnet/Commands/WriteCommand.cs

@@ -15,6 +15,12 @@ public class WriteCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node identifier that should receive the write.
     /// </summary>
@@ -33,7 +39,7 @@ public class WriteCommand : ICommand
     /// <param name="console">The console used to report the write result.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var node = new NodeId(NodeId);
         var current = await session.ReadValueAsync(node);

tools/opcuacli-dotnet/OpcUaHelper.cs

@@ -11,7 +11,7 @@ public static class OpcUaHelper
     /// </summary>
     /// <param name="endpointUrl">The OPC UA endpoint URL to connect to.</param>
     /// <returns>An active OPC UA client session.</returns>
-    public static async Task<Session> ConnectAsync(string endpointUrl)
+    public static async Task<Session> ConnectAsync(string endpointUrl, string? username = null, string? password = null)
     {
         var config = new ApplicationConfiguration
         {
@@ -53,13 +53,17 @@ public static class OpcUaHelper
         var endpointConfig = EndpointConfiguration.Create(config);
         var configuredEndpoint = new ConfiguredEndpoint(null, endpoint, endpointConfig);
 
+        UserIdentity identity = (username != null)
+            ? new UserIdentity(username, System.Text.Encoding.UTF8.GetBytes(password ?? ""))
+            : new UserIdentity();
+
         var session = await Session.Create(
             config,
             configuredEndpoint,
             false,
             "OpcUaCli",
             60000,
-            null,
+            identity,
             null);
 
         return session;

tools/opcuacli-dotnet/README.md

@@ -5,6 +5,21 @@ Command-line utility for testing OPC UA server functions. Built with the [OPC Fo
 - **Runtime**: .NET 10
 - **OPC UA Client**: OPCFoundation.NetStandard.Opc.Ua.Client
 
+## Authentication
+
+All commands accept optional authentication flags:
+
+| Flag | Description |
+|------|-------------|
+| `-U` | Username for authentication |
+| `-P` | Password for authentication |
+
+Without credentials, the client connects anonymously. Example:
+
+```
+dotnet run -- write -u opc.tcp://localhost:4840/LmxOpcUa -n "ns=1;s=TestMachine_001.MachineID" -v "Hello" -U operator -P op123
+```
+
 ## Build & Run
 
 ```bash