OAuth2 for IoT Security: Why OpenID Connect & UMA Are the Key

Post on 19-Jun-2015


You can't re-invent the last 20 years of security. It took OpenID Connect and UMA working groups five years *each* to develop these standards. Not only do they address most of today's IoT security needs, but many hundreds more which will be teased out over time.

Transcript of OAuth2 for IoT Security: Why OpenID Connect & UMA Are the Key

OAuth2 profiles: OpenID Connect / UMA

Why adopt for IoT?

OAuth2 Identity Standards poised for significant success...

WAM

* WAM = Web Access Management (SiteMinder, Oracle Access Manager, etc.)

OpenID Connect

http://openid.net/connect

Connect Discovery: GET request to https://<host>/.well-known/openid-configuration

See specification: http://openid.net/specs/openid-connect-discovery-1_0.html

See sample Response: http://seed.gluu.org/.well-known/openid-configuration

Connect Dynamic Client Registration: See specification: http://openid.net/specs/openid-connect-registration-1_0.html

See sample Dynamic Client Registration html form: http://seed.gluu.org/oxauth-rp
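The two steps above (fetch the provider document, then register a client against the endpoint it advertises) are where a relying party decides whom to trust, so the checks matter more than the GET itself. The following is an added example, not code from the talk or from Gluu's oxAuth: it validates a constructed provider document (modelled on the shape of the seed.gluu.org response, not fetched from it) the way an RP should before using it, and then builds a dynamic registration request from it. The issuer URLs, endpoint paths and redirect URIs are invented fixtures; requiring https on redirect_uris for a code-flow web client is a deliberately stricter-than-spec hardening choice.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the shape of a real provider document;
# it is not fetched from seed.gluu.org or any live server.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oxauth/authorize",
    "token_endpoint": "https://idp.example.com/oxauth/token",
    "userinfo_endpoint": "https://idp.example.com/oxauth/userinfo",
    "jwks_uri": "https://idp.example.com/oxauth/jwks",
    "registration_endpoint": "https://idp.example.com/oxauth/register",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Metadata the Discovery spec marks REQUIRED in the provider document.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "registration_endpoint",
)


def discovery_url(issuer: str) -> str:
    """Where the RP fetches the provider document for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, body: str) -> dict:
    """Parse a provider document and apply the checks an RP must make
    before trusting it. Raises ValueError on any failure."""
    doc = json.loads(body)
    missing = [k for k in REQUIRED_FIELDS if k not in doc]
    if missing:
        raise ValueError(f"missing required metadata: {missing}")
    # The issuer in the document MUST equal the issuer the RP fetched it
    # from; otherwise a document served by one host could point the RP at
    # another provider's endpoints (an issuer mix-up).
    if doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc['issuer']!r} vs {issuer!r}")
    # Every endpoint the RP will call must be https: these URLs carry
    # authorization codes, tokens and the provider's signing keys.
    for key in ENDPOINT_FIELDS:
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
    # Discovery 1.0 requires RS256 to be among the ID Token signing algs.
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        raise ValueError("provider does not offer RS256 ID Token signing")
    return doc


def registration_request(doc: dict, client_name: str, redirect_uris: list) -> tuple:
    """Build the dynamic registration request as (registration_endpoint,
    JSON body). redirect_uris are validated here because the AS will later
    match them exactly against the redirect_uri on every authorization
    request; a fragment is forbidden by OAuth2, and https is required here
    as a hardening choice (stricter than the spec for code-flow clients)."""
    endpoint = doc.get("registration_endpoint")
    if endpoint is None:
        raise ValueError("provider does not support dynamic registration")
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.fragment:
            raise ValueError(f"redirect_uri must be https without fragment: {uri}")
    body = {
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "application_type": "web",
        "response_types": ["code"],
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "client_secret_basic",
        "id_token_signed_response_alg": "RS256",
    }
    return endpoint, json.dumps(body)


if __name__ == "__main__":
    provider = validate_discovery("https://idp.example.com", SAMPLE_DISCOVERY_JSON)
    print(discovery_url("https://idp.example.com"))
    print(registration_request(provider, "demo-rp", ["https://rp.example.org/cb"]))
```

In a real deployment the body returned by `registration_request` is POSTed to the endpoint, and the response's `client_id`, `client_secret` and `registration_access_token` are stored; the registration access token is what lets the RP later read or update its own registration, so it needs the same protection as the client secret.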

Connect Authentication, User Claims and Client Claims: See specification: http://openid.net/specs/openid-connect-core-1_0.html

Overview of four flows: http://www.gluu.co/connect-flows

Authentication + Claims != Access Control

Policy Decision Point = UMA Authorization Server

Policy Enforcement Point = UMA Resource Server

UMA Working Group Home Page: http://www.gluu.co/uma-wg

When the client presents an RPT (Requesting Party Token), the Resource Server can verify, by checking its status with the Authorization Server, that access to the requested resource and scopes has been granted.

The PAT (Protection API Token, held by the Resource Server) and the AAT (Authorization API Token, held by the client) are ordinary OAuth2 access tokens that secure each party's calls to the Authorization Server's APIs; they do not themselves grant access to a protected resource.
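The division of labour above (the Authorization Server decides, the Resource Server enforces by introspecting the RPT with its PAT) is easiest to see as code. The block below is an added example, not code from the talk or from any UMA implementation: an in-process stand-in for the Authorization Server's RPT status endpoint, and a Resource Server enforcement function that denies on a missing, unknown, expired or insufficiently scoped RPT. Token strings, resource set IDs, the fixed clock and the `RPT_STORE` table are all invented fixtures; the introspection response shape follows UMA 1.0 (`active`, `exp`, and a `permissions` list of `resource_set_id`/`scopes`/`exp`).

```python
from typing import Optional, Tuple

# Constructed fixtures: a fixed clock keeps the example deterministic.
NOW = 1_700_000_000
VALID_PAT = "pat-for-photo-rs"   # the Resource Server's Protection API Token

# What the AS's RPT status (introspection) endpoint would say for each RPT.
RPT_STORE = {
    "rpt-alice-view": {
        "active": True,
        "exp": NOW + 3600,
        "permissions": [
            {"resource_set_id": "rs-album-42", "scopes": ["view"], "exp": NOW + 3600},
        ],
    },
    "rpt-expired": {
        "active": True,
        "exp": NOW - 10,
        "permissions": [
            {"resource_set_id": "rs-album-42", "scopes": ["view", "edit"], "exp": NOW - 10},
        ],
    },
}


def introspect_rpt(pat: str, rpt: str) -> dict:
    """Stand-in for the Authorization Server's RPT status endpoint.
    The Resource Server authenticates to it with its PAT; an RPT the AS
    has never issued is reported as inactive rather than raising."""
    if pat != VALID_PAT:
        raise PermissionError("invalid PAT: caller may not use the protection API")
    return RPT_STORE.get(rpt, {"active": False})


def enforce(rpt: Optional[str], resource_set_id: str, scope: str,
            pat: str = VALID_PAT, now: int = NOW) -> Tuple[str, str]:
    """Policy Enforcement Point: decide whether a request carrying `rpt`
    may perform `scope` on `resource_set_id`. Returns (decision, reason).
    The RS never evaluates policy itself; it only checks what the AS
    granted and whether that grant is still valid."""
    if not rpt:
        # UMA 1.0: the RS would answer 403 with the AS location and a
        # permission ticket so the client can go and obtain an RPT.
        return ("deny", "no RPT presented; client must obtain one from the AS")
    status = introspect_rpt(pat, rpt)
    if not status.get("active"):
        return ("deny", "RPT inactive or unknown to the AS")
    if status.get("exp", 0) <= now:
        return ("deny", "RPT expired")
    for perm in status.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        if perm.get("exp", 0) <= now:
            continue  # this particular grant has lapsed
        if scope in perm.get("scopes", []):
            return ("allow", f"AS granted {scope} on {resource_set_id}")
    return ("deny", f"no granted permission for {scope} on {resource_set_id}")


if __name__ == "__main__":
    for case in [("rpt-alice-view", "rs-album-42", "view"),
                 ("rpt-alice-view", "rs-album-42", "edit"),
                 ("rpt-expired", "rs-album-42", "view"),
                 (None, "rs-album-42", "view")]:
        print(case, "->", enforce(*case))
```

The point the slides make ("Authentication + Claims != Access Control") is visible here: nothing in `enforce` looks at who the user is or what claims an ID Token carried; the only input that grants access is a live permission the Authorization Server recorded against the RPT, scoped to one resource set and one set of scopes.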

UMA does not...

● Define any policy expression language

● Say who makes the decision (although it defines capabilities to enable people to centrally manage policies)

Why adopt these two OAuth2 profiles?

1. 10 years of development based on 10 years of experience. Both standards started around 2010. From 2001-2010 we gained critical feedback from developers on what kinds of APIs are needed for security.

2. Perfect fit for IoT. In fact, they were designed to solve almost the same exact use cases.

3. Does not assume cloud; just standardizes interfaces. Local authorization servers should use the same protocol as cloud servers.

4. Proven usability by developers. OAuth2 is now an industry standard and many libraries exist. You can start simple.

5. Small on the wire: JSON messaging uses less bandwidth and computing power.

6. Scales for high-end security requirements. NIST LOA 3 and LOA 4 deployments are possible.

7. Industry consensus exists for OpenID Connect: Google and Microsoft are already supporting it.

8. UMA 1.0 standard to be announced at RSA Security in April, 2015.