OAuth2 for IoT Security: Why OpenID Connect & UMA Are the Key

OAuth2 profiles: OpenID Connect / UMA. Why adopt for IoT?


You can't re-invent the last 20 years of security. It took OpenID Connect and UMA working groups five years *each* to develop these standards. Not only do they address most of today's IoT security needs, but many hundreds more which will be teased out over time.

Transcript of OAuth2 for IoT Security: Why OpenID Connect & UMA Are the Key

Page 1:

OAuth2 profiles: OpenID Connect / UMA

Why adopt for IoT?

Page 2:

OAuth2 Identity Standards poised for significant success...

WAM

* WAM = Web Access Management (SiteMinder, Oracle Access Manager, etc.)

Page 3:

OpenID Connect

http://openid.net/connect

Page 4:

Connect Discovery

GET request to https://<host>/.well-known/openid-configuration

See specification: http://openid.net/specs/openid-connect-registration-1_0.html

See sample Response: http://seed.gluu.org/.well-known/openid-configuration
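As an added illustration (not code from the deck), the following Python checks a relying party should make on the JSON document that the discovery GET returns before trusting it: the `issuer` value must equal the issuer the URL was built from, the endpoints needed for the Connect flows and dynamic registration must be present, and each must be served over HTTPS. The sample document and its hostname are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Endpoints a client needs before it can run the Connect flows and
# dynamic client registration covered on the following slides.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "jwks_uri", "registration_endpoint")


def discovery_url(issuer: str) -> str:
    """Build the well-known discovery URL for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, body: str) -> list:
    """Validate a fetched discovery document. Returns a list of problems
    (empty list means the metadata passed every check).

    The issuer comparison matters: if the document's issuer differs from the
    one the URL was built from, the metadata may steer the client to
    endpoints operated by someone other than the expected provider.
    """
    problems = []
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response is not valid JSON"]
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    for key in REQUIRED_KEYS:
        if key == "issuer" or key not in doc:
            continue
        if urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


# Constructed sample response (placeholder hostname), shaped like a real
# openid-configuration document but not copied from any server.
SAMPLE_BODY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "registration_endpoint": "https://idp.example.test/register",
})

if __name__ == "__main__":
    print(discovery_url("https://idp.example.test"))
    print(check_discovery("https://idp.example.test", SAMPLE_BODY))  # prints []
```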

Page 5:

Connect Dynamic Client Registration

See specification: http://openid.net/specs/openid-connect-registration-1_0.html

See sample Dynamic Client Registration html form: http://seed.gluu.org/oxauth-rp

Page 6:

Connect Authentication, User Claims and Client Claims

See specification: http://openid.net/specs/openid-connect-core-1_0.html

Overview of four flows: http://www.gluu.co/connect-flows

Page 7:

Authentication + Claims != Access Control

Page 8:

Policy Decision Point = UMA Authorization Server

Policy Enforcement Point = UMA Resource Server

Page 9:

UMA Working Group Home Page: http://www.gluu.co/uma-wg

When the client presents an authorized RPT (Requesting Party Token), the Resource Server can verify that access has been granted.

The PAT (Protection API Token) and AAT (Authorization API Token) are just for secure communication.

Page 10:

UMA does not...

● Define any policy expression language

● Say who makes the decision (although it defines capabilities to enable people to centrally manage policies)

Page 11:

Page 12:

Why adopt these two OAuth2 profiles?

1. 10 years of development based on 10 years of experience. Both standards started around 2010. From 2001-2010 we gained critical feedback from developers on what kinds of APIs are needed for security.

2. Perfect fit for IoT--in fact designed to solve almost the same exact use cases.

3. Does not assume cloud--just standardizes interfaces. Local authorization servers should use the same protocol as cloud servers.

4. Proven usability by developers--OAuth2 is now industry standard and many libraries exist. You can start simple.

5. Small on the wire: JSON messaging uses less bandwidth and computing power.

6. Scales for high-end security requirements. NIST LOA 3 and LOA 4 deployments are possible.

7. Industry consensus exists for OpenID Connect: Google and Microsoft are already supporting it.

8. UMA 1.0 standard to be announced at RSA Security in April, 2015.