Federated Identity for IoT with OAuth2
Page 1
Federated Identity for IoT with OAuth
Paul Fremantle
CTO, WSO2 ([email protected])
PhD researcher, Portsmouth University ([email protected])
@pzfreo
Page 2
How this will work
• Quick intro to Federated Identity and Access Management
• Even quicker introduction to OAuth2
• MQTT overview
• Demo
• Issues
• Next steps
Page 3 (slide image only)
Page 4
What is Federated Identity and Access Management (FIAM)?
Federated IAM aims to give you control over your credentials and access:
• You don't give your userid/pw to anyone
• You control the grant of permissions
• LinkedIn example
• OAuth2 emerging as widely used approach
Page 5
Why FIAM for IoT?
• Your device = Your data
• Tokens are better than u/p for devices
• Manage tokens and scopes independently of the device
Page 6
Tokens
Page 7
Why OAuth2?
• Widely implemented
• Pretty good
  – Of course there is never 100% agreement
  – Or certainty with security protocols
• Not just HTTP:
  – http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-12
  – OAuth2 used with SSL
Page 8
Three-legged OAuth
Page 9
MQTT
Page 10
MQTT
• Very lightweight messaging protocol
  – Designed for 8-bit controllers, SCADA, etc
  – Low power, low bandwidth
  – Binary header of 2 bytes
  – Lots of implementations
    • Mosquitto from Eclipse
    • Apache ActiveMQ and Apollo
  – Clients: Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc
• Plus an even lighter-weight version for Zigbee
  – MQTT-SN (Sensor Network)
Page 11 (slide image only)
Page 12
Demo components (architecture diagram with numbered flows 1 to 6; only the component labels are recoverable)
• Mosquitto (Open Source MQTT Broker), acting as "Resource Server"
• Mosquitto_py_auth
• mqtt-oauth2.py
• IdP: WSO2 Identity Server
• ESB Introspection API
• Refresher.py
• Arduino
• CreateToken.py
Page 13
Demo steps
1. Get an access-token / refresh-token
2. Encode it into the Arduino code, compile, burn
3. Reboot Arduino
4. Arduino tries access token
5. Arduino connects as "refresh user" and requests refresh token
6. Arduino receives updated access token and reconnects
7. Arduino starts to publish data (assuming it is allowed!)
8. Python client receives data using a previously authorized token
Page 14
Step 1. Get a token
• Simple python script and web browser
• Encodes the requested permission "scopes" as b64 encoded JSON (ugly but works!)
• scope = '[{"rw":"w","topic":"/pzf/#"}]'
• IdP = WSO2 Identity Server – open source OAuth server
• Redirects to a localhost server which prints the code
Page 15
Step 2. Burn into Arduino
• Little program burns into EEPROM
Page 16
Steps 3, 4, 5, 6. Recode Arduino with App
• App tries access token to CONNECT
• If it fails, retries as user "r" (refresh)
  – Ideally this would be a separate server / IdP-based broker
• Sends {clientid, refresh_token} to topic /r
• Subscribes to /c/{clientid}
• When new access_token arrives, saves it in EEPROM and reconnects
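The /r and /c/{clientid} exchange from steps 3 to 6, as an added Python example that is not the demo's Refresher.py or the Arduino sketch: the in-memory broker, the IdP token endpoint (which rotates the refresh token on every use, as the talk notes some implementations do) and all class names are constructed stand-ins so the exchange runs offline.

```python
import json

# Added example (not the demo's Refresher.py or Arduino sketch) of the
# refresh exchange over MQTT topics /r and /c/<clientid>. The in-memory
# broker, the token endpoint and all class names are constructed stand-ins.

class MiniBroker:
    """Just enough pub/sub to run both sides of the exchange offline."""
    def __init__(self): self.subs = {}
    def subscribe(self, topic, callback):
        self.subs.setdefault(topic, []).append(callback)
    def publish(self, topic, payload):
        for callback in self.subs.get(topic, []):
            callback(topic, payload)

class FakeIdP:
    """Constructed token endpoint that rotates the refresh token on each use."""
    def __init__(self, refresh_token):
        self.valid, self.issued = {refresh_token}, 0
    def refresh(self, refresh_token):
        if refresh_token not in self.valid:
            return {"error": "invalid_grant"}   # old or unknown refresh token
        self.valid.discard(refresh_token)
        self.issued += 1
        new_rt = "rt-%d" % self.issued
        self.valid.add(new_rt)
        return {"access_token": "at-%d" % self.issued, "refresh_token": new_rt}

class Refresher:
    """Refresher.py role: read {clientid, refresh_token} from /r, answer on /c/<clientid>."""
    def __init__(self, broker, idp):
        self.broker, self.idp = broker, idp
        broker.subscribe("/r", self.on_request)
    def on_request(self, topic, payload):
        req = json.loads(payload)
        self.broker.publish("/c/" + req["clientid"], json.dumps(self.idp.refresh(req["refresh_token"])))

class Device:
    """Arduino role: tokens live in 'EEPROM' (a dict); a refresh replaces both tokens."""
    def __init__(self, broker, clientid, eeprom):
        self.broker, self.clientid, self.eeprom = broker, clientid, eeprom
        broker.subscribe("/c/" + clientid, self.on_token)
    def request_refresh(self):
        self.broker.publish("/r", json.dumps({"clientid": self.clientid, "refresh_token": self.eeprom["refresh_token"]}))
    def on_token(self, topic, payload):
        resp = json.loads(payload)
        if "access_token" in resp:
            self.eeprom["access_token"] = resp["access_token"]
            # store the rotated refresh token too, or the next refresh is rejected
            self.eeprom["refresh_token"] = resp.get("refresh_token", self.eeprom["refresh_token"])
```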
Page 17
Step 7. Arduino publishes data
• MPU 9150
• Yaw, Pitch, Roll
• Every publish is validated against the IdP
  – Should be cached by the resource server
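An added Python example, not the demo's mqtt-oauth2.py, of the resource-server check this step describes: it decodes the base64 JSON scope format from step 1, matches the published topic against the scope's MQTT topic pattern, and caches the introspection answer until the token expires so that not every publish hits the IdP. The introspection response shape, the function names and the fake token table are assumptions.

```python
import base64
import json
import time

# Added example, not the demo's own mqtt-oauth2.py. The introspection
# response shape ({"active", "exp", "scope"}) and all names are assumptions.
def encode_scope(entries):
    """Step 1 format: a JSON list of {"rw","topic"} entries, base64 encoded."""
    return base64.b64encode(json.dumps(entries).encode()).decode()

def decode_scope(scope_b64):
    return json.loads(base64.b64decode(scope_b64))

def topic_matches(pattern, topic):
    """MQTT matching: '+' matches one level, '#' matches all remaining levels."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)

def scope_allows(entries, topic, access):
    """access is "r" (subscribe) or "w" (publish)."""
    return any(access in e["rw"] and topic_matches(e["topic"], topic) for e in entries)

class TokenCache:
    """Caches introspection answers so every publish does not hit the IdP."""
    def __init__(self, introspect, now=time.time):
        self.introspect, self.now, self.cache = introspect, now, {}
    def check(self, token, topic, access):
        entry = self.cache.get(token)
        if entry is None or entry["exp"] <= self.now():   # unknown or expired: ask the IdP
            info = self.introspect(token)
            if not info.get("active"):
                self.cache.pop(token, None)
                return False
            entry = {"exp": info["exp"], "scope": decode_scope(info["scope"])}
            self.cache[token] = entry
        return scope_allows(entry["scope"], topic, access)

# Constructed stand-in for the IdP introspection endpoint (the demo fronted
# WSO2 Identity Server with an ESB introspection API); CALLS counts lookups.
FAKE_TOKENS = {"tok-arduino": {"exp": 1000, "scope": encode_scope([{"rw": "w", "topic": "/pzf/#"}])}}
CALLS = []
def fake_introspect(token):
    CALLS.append(token)
    info = FAKE_TOKENS.get(token)
    return {"active": True, **info} if info else {"active": False}
```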
Page 18
Step 8. Python client subscribes
• Subscriber.py
Page 19
Lessons learnt
• MQTT and MPU / I2C code is 97% of Duemilanove
  – Adding the final logic to do the OAuth2 flow pushed it to 99%
  – No TLS in this demo is a big issue
• Different OAuth implementations behave differently (e.g. changing the refresh token every time you refresh)
• Need to be able to update the scope of a token if this will work for long-term embedded devices
• The refresh flow should not really go via the Resource Server
  – Easy fix
• MQTT should have a well-defined model for sending a message to just one client (securely)
Page 20
Next steps
• Do the same for CoAP / other IoT protocols
• Implement solidly :)
• Gain agreement on the specific MQTT
• Other FIAM approaches for IoT?
• Please feel free to contact me:
  – @pzfreo
  – [email protected]
Page 21
Questions?