OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

OAuth 2.0 and The Internet of ThingsA brief overview of security architecture in the world of IoTJacob Ideskog – Identity Specialist at Twobo Technologies

OAuth 2.0

Actors

Resource Owner (RO) Authorization Server (AS)

ClientResource Server (RS)

Actors

This user

Actors

Wants this app

Actors

To access data HERE

Actors

Resource Owner (RO)

Authorization Server (AS)

Authentication Server

The client requests access to a Resource

Resource Owner (RO)

Client

Resource Server (RS)

The AS requires the RO to authenticate

Resource Owner (RO)

Client

The AS issues the tokens

Resource Owner (RO)

Client

The Client presents the token to the RS

Resource Owner (RO)

Client

The RS validates the Token

Resource Owner (RO)

Access!

Resource Owner (RO)

Client

A note about the access token

Why did that work?

Zoom in

Resource Owner (RO)

Client

Zoom in

Resource Owner (RO)

Client

Resource Owner (RO)

Client

- Everybody must use TLS- We know who we talk to- We use Bearer tokens- We encrypt the communication- Massive trust infrastructure

Constrained environments

Problems

- Battery powered- Mostly or always offline- Limited calculation

capabilities- Attractive target for attack

Protocols

HTTPHTTP/2CoAP

Custom

Protocols

HTTPHTTP/2CoAP

Custom

Security

Example 1

We’re lacking the central point of trust (PKI)

Back to OAuth

Prove who you are

User Authentication Device Authentication

Start as usual

authorization_code = XYZ

Start as usual

authorization_code = XYZ

The user is authenticated

OAuth with Proof of Possession

client_id = device123client_secret = supersecretscope = read_ekgaudience = ekg_device_ABCauthorization_code = XYZ...key = a_shortlived_key

Request access token

Provide ephemeral key

access_token = 0ddfbmd-dnndjv…

Response with access token

Token is ”bound” to the key_id

access_token = 0ddfbmd-dnndjv…

Response with access token

Token is ”bound” to the key_id

The client is authenticated

access_token”start_session”

Authorization Server (AS)access_token

Authorization Server (AS)key

Disconnected devices

Example 2

Disconnected flow

Client Resource Server (RS)

client_id = ekg_device_ABCclient_secret = supersecretscope = read_resultaudience = connected_tube_123token = original_token...key = a_shortlived_key

Disconnected flow

access_token (JWT)

The JWT with a JWE

Header:{ "alg": "RS256", ... }

Body:{ "iss": "issuer.company.com", "sub": "24400320”, "aud": "connected_tube_123", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf": { "jwe": "eyJhbGciOiJSU0...”}

Header:{ "alg": "RSA-OAEP", "enc": "A128CBC-HS256”}

Body:{ ... "kty": "oct", "alg": "HS256", "k": "ZoRSOrFzN_FzUA5XKMYoVHyzf...” ... }

signed encrypted

But with IoT we can use:

CWTCBOR Web Token (CWT)

Pre-provisoned with AS Trust

Disconnected flow

access_token (JWT)

Disconnected flow

1. Validate JWT2. Extract JWE3. Decrypt JWE

Disconnected flow

Summary

• OAuth is all about Trust• OAuth depends on TLS

• With Proof of Posession it can solve IoT

• Constrained environments can be

• Online or offline• Pre-provisioned with Trust• Does not depend on TLS

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Technology

Transcript of OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Trusted D2D-based IoT Resource Access using Smart Contracts · 2019-06-25 · “OAuth 2.0 meets Blockchain for Authorization in Constrained IoT Environments”, IEEE World Forum

The OAuth 2.0 Authorization Frameworkself-issued.info/docs/draft-ietf-oauth-v2-30.pdf · 2012. 7. 15. · The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30 Abstract The

OAuth for TeraGrid Gateways - …security.ncsa.illinois.edu/teragrid-oauth/OAuthforTGGateways...OAuth for TeraGrid Gateways Jim Basney Jeff Gaynor

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

OAuth Passport

Implementing OAuth

The Essential OAuth Primer: Understanding OAuth for Securing Cloud

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Twitter oauth

Twitter4R OAuth

Security Analysis on Consumer and Industrial IoT Devicesjinyier/papers/ASPDAC16_IOT.pdf · Security Analysis on Consumer and Industrial IoT Devices Jacob Wurm 1, Khoa Hoang , Orlando

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Demystifying OAuth

OAuth you said

H. Tschofenig OAuth 2.0 Security: OAuth Open Redirector · OAuth 2.0 Security: OAuth Open Redirector draft-bradley-oauth-open-redirector-02.txt Abstract This document gives additional

Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

Entendiendo oAuth

OAuth Tokens

Solving IoT Security Challenges with OAuth 2 · The OAuth 2.0 for Native Apps (draft-ietf-oauth-native-apps> is relevant for this scenario. 16 Independent Gateway Examples Philips

Painless OAuth