Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 - - PowerPoint PPT Presentation

▶

Dec 18, 2023 47 likes •148 views

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

SLIDE 1

Authorization for IoT using OAuth

draft-seitz-ace-oauth-authz-00

Ludwig Seitz (ludwig@sics.se) Göran Selander (goran.selander@ericsson.com) Erik Wahlström (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes T schofenig (hannes.tschofenig@arm.com)

IETF ACE WG meeting November, 2015

SLIDE 2

2

This draft

Merge of two proposals

– ACRE

draft-seitz-ace-core-authz

– OAuth

draft-tschofenig-ace-oauth-iot
draft-wahlstroem-ace-oauth-introspection

SLIDE 3

3

Design Principles

1) Allow security at difgerent layers

2) Allow difgerent authorization schemes 3) RESTful transfer of authorization information 4) (New!) Build on existing authorization protocols

OAuth 2.0 (profjled for CoRE)
Building blocks: CoAP, CBOR, COSE, OSCOAP

SLIDE 4

4

Basic OAuth Flow

+--------+ +---------------+ | |---(A)-- Token Request ------------->| | | | | Authorization | | |<--(B)-- Access Token ---------------| Server | | | + Client Information | | | | +---------------+ | | ^ | | | Introspection Request & Response (D)| |(E) | Client | | v | | +--------------+ | |---(C)-- Token + Request ----------->| | | | | Resource | | |<--(F)-- Protected Resource ---------| Server | | | | | +--------+ +--------------+

Difgerent deployment scenarios
Not all steps in every scenario

SLIDE 5

5

Profjling OAuth 2.0 for CoRE

AS support for setting up Communication Security

– Establish security context and security protocol C ↔ RS

Resource for sending access tokens to RS

– For provisioning the token independently of the request

Authorization Information Format

– Interoperable format for access control data in tokens

CBOR instead of JSON

– More compact tokens and client information

CBOR Web T
kens

– Compact variant of JSON Web T

kens (JWT)

→ Enable the difgerent constrained scenarios

SLIDE 6

Example: RS has intermittent connectivity

+--------+ +---------------+ | |---(A)-- Token Request ------------->| | | | | Authorization | | |<--(B)-- Self-contained Token -------| Server | | | + Client Information | | | | +---------------+ | | | | | Client | | | +--------------+ | |---(C)-- Token + Request ----------->| | | | | Resource | | |<--(F)-- Protected Resource ---------| Server | | | | | +--------+ +--------------+

Token needs to be self-contained, i.e. RS can evaluate it offline

SLIDE 7

Example: C has intermittent connectivity

+--------+ +---------------+ | |---(A)-- Token Request ------------->| | | | | Authorization | | |<--(B)-- Reference Token ------------| Server | | | + Client Information | | | | +---------------+ | | ^ | | | Introspection Request & Response (D)| |(E) | Client | | v | | +--------------+ | |---(C)-- Token + Request ----------->| | | | | Resource | | |<--(F)-- Protected Resource ---------| Server | | | | | +--------+ +--------------+

A + B done when client has connectivity, e.g. at commissioning
Token may be a reference (i.e. does not encode specific rights)

SLIDE 8

8

Advantages

OAuth already an IETF standard

– Well-established – Widely deployed

Interoperable (Internet ↔ Internet of Things)
Compatible with existing IAM frameworks and

policies already used with other OAuth deployments

Optimized to meet CoRE constraints

SLIDE 9

9

Next Steps

Details of OAuth profjling
Check integration with OMA LWM2M

SLIDE 10