OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Transcript of OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Page 1: OAuth 2.0 and The Internet of Things
A brief overview of security architecture in the world of IoT
Jacob Ideskog, Identity Specialist at Twobo Technologies
Copyright © 2016 Twobo Technologies AB. All rights reserved
Page 2: OAuth 2.0
Page 4: OAuth
Page 5: Actors
Resource Owner (RO), Client, Authorization Server (AS), Resource Server (RS)
Page 6: Actors
This user
Page 7: Actors
Wants this app
Page 8: Actors
To access data HERE
Page 9: Actors
Resource Owner (RO), Client, Authorization Server (AS), Resource Server (RS), Authentication Server
Page 10: The client requests access to a Resource
Page 11: The AS requires the RO to authenticate
Page 12: The AS issues the tokens
Page 13: The Client presents the token to the RS
Page 14: The RS validates the Token
Page 15: Access!
Page 16: A note about the access token
$
Page 17: Why did that work?
Page 18: TLS
Page 19: Zoom in
Page 20: Zoom in
Page 21
Page 22
- Everybody must use TLS
- We know who we talk to
- We use Bearer tokens
- We encrypt the communication
- Massive trust infrastructure
Page 23: Constrained environments
Page 26: Problems
- Battery powered
- Mostly or always offline
- Limited calculation capabilities
- Attractive target for attack
Page 27: Protocols
XMPP, HTTP, HTTP/2, CoAP, Custom
Page 28: Protocols
Page 29: Security
Page 30: Example 1
Page 31: We’re lacking the central point of trust (PKI)
Page 32: Back to OAuth
Page 33: Prove who you are
Page 34: Prove who you are
User Authentication, Device Authentication
Pages 35-38: Start as usual
Page 39: Start as usual
authorization_code = XYZ
Page 40: Start as usual
authorization_code = XYZ
The user is authenticated
Page 41: OAuth with Proof of Possession
Request access token; provide ephemeral key:
client_id = device123
client_secret = supersecret
scope = read_ekg
audience = ekg_device_ABC
authorization_code = XYZ
...
key = a_shortlived_key
Page 42: OAuth with Proof of Possession
Response with access token:
access_token = 0ddfbmd-dnndjv…
Token is "bound" to the key_id
Page 43: OAuth with Proof of Possession
The client is authenticated
Page 44: OAuth with Proof of Possession
access_token "start_session"
Page 45: OAuth with Proof of Possession
access_token
Page 46: OAuth with Proof of Possession
key
Page 47: OAuth with Proof of Possession
OK
Page 48: OAuth with Proof of Possession
Page 49: Disconnected devices
Page 50: Example 2
Page 51: Disconnected flow
Client, Authorization Server (AS), Resource Server (RS)
client_id = ekg_device_ABC
client_secret = supersecret
scope = read_result
audience = connected_tube_123
token = original_token
...
key = a_shortlived_key
Page 52: Disconnected flow
access_token (JWT)
Page 53: The JWT with a JWE
Signed (JWT):
Header: { "alg": "RS256", ... }
Body: { "iss": "issuer.company.com", "sub": "24400320", "aud": "connected_tube_123", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf": { "jwe": "eyJhbGciOiJSU0..." } }
Encrypted (JWE):
Header: { "alg": "RSA-OAEP", "enc": "A128CBC-HS256" }
Body: { ... "kty": "oct", "alg": "HS256", "k": "ZoRSOrFzN_FzUA5XKMYoVHyzf..." ... }
Page 54: But with IoT we can use:
CBOR Web Token (CWT)
Page 55: Pre-provisioned with AS Trust
Client, Authorization Server (AS), Resource Server (RS)
Page 56: Disconnected flow
access_token (JWT)
Page 57: Disconnected flow
1. Validate JWT
2. Extract JWE
3. Decrypt JWE
Page 58: Disconnected flow
OK
Page 59: Disconnected flow
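The disconnected flow of pages 51 to 59, together with the proof-of-possession check that pages 41 to 48 introduce, as an added worked example in Go. This is not code from the talk or from Twobo Technologies. It plays all three parties offline: the AS signs a JWT with RS256 whose cnf claim carries a JWE of the client's ephemeral key, wrapped with RSA-OAEP for the resource server's key; the RS, which was pre-provisioned with the AS public key (page 55), runs the three steps of page 57 (validate JWT, extract JWE, decrypt JWE) and then requires the client to prove possession of the key. Everything beyond the slides is an assumption: the generated key pairs, the 300-second lifetime, the RS-chosen nonce and the HMAC-SHA256 proof over it, the function names signJWT, verifyJWT, encryptJWE, decryptJWE, rsAuthorize and Demo, and the content encryption A128GCM in place of the slide's A128CBC-HS256 (chosen to keep the JWE code short; key wrapping is RSA-OAEP as on the slide).

```go
package main

import (
	"crypto"; "crypto/aes"; "crypto/cipher"; "crypto/hmac"; "crypto/rand"; "crypto/rsa"; "crypto/sha1"
	"crypto/sha256"; "encoding/base64"; "encoding/json"; "errors"; "fmt"; "strings"; "time"
)

var b64 = base64.RawURLEncoding

func dec(s string) []byte { b, _ := b64.DecodeString(s); return b } // lenient: garbage -> nil, rejected later

// AS side: RS256-sign the claims under the header {"alg":"RS256"} shown on page 53.
func signJWT(claims map[string]any, asKey *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, asKey, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// RS step 1: verify the signature with the pre-provisioned AS public key (page 55). The alg is pinned,
// so a sender-chosen header ("none", or HS256 keyed with the public key) is rejected before any crypto runs.
func verifyJWT(token string, asPub *rsa.PublicKey) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, errors.New("malformed JWT") }
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "RS256" { return nil, errors.New("unexpected alg") }
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(asPub, crypto.SHA256, h[:], dec(p[2])) != nil { return nil, errors.New("bad signature") }
	var claims map[string]any
	if err := json.Unmarshal(dec(p[1]), &claims); err != nil { return nil, err }
	return claims, nil
}

// AS side: wrap the PoP key for the RS as a compact JWE. Key wrapping is RSA-OAEP as on page 53; content
// encryption is A128GCM here (assumption: the slide shows A128CBC-HS256, GCM keeps this example short).
func encryptJWE(plaintext []byte, rsPub *rsa.PublicKey) (string, error) {
	hdr := b64.EncodeToString([]byte(`{"alg":"RSA-OAEP","enc":"A128GCM"}`))
	cek, iv := make([]byte, 16), make([]byte, 12); rand.Read(cek); rand.Read(iv)
	encCek, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, rsPub, cek, nil) // "RSA-OAEP" is OAEP with SHA-1
	if err != nil { return "", err }
	block, _ := aes.NewCipher(cek); gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, plaintext, []byte(hdr)) // ciphertext || 16-byte tag; the header is the AAD
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	return strings.Join([]string{hdr, b64.EncodeToString(encCek), b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// RS step 3: unwrap the CEK with the RS private key, then AEAD-decrypt; a wrong tag or a tampered header fails here.
func decryptJWE(jwe string, rsKey *rsa.PrivateKey) ([]byte, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 { return nil, errors.New("malformed JWE") }
	cek, err := rsa.DecryptOAEP(sha1.New(), nil, rsKey, dec(p[1]), nil)
	if err != nil || len(cek) != 16 { return nil, errors.New("key unwrap failed") }
	iv := dec(p[2])
	if len(iv) != 12 { return nil, errors.New("bad IV length") }
	block, _ := aes.NewCipher(cek); gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, iv, append(dec(p[3]), dec(p[4])...), []byte(p[0]))
}

// RS entry point: page 57's "1. Validate JWT, 2. Extract JWE, 3. Decrypt JWE", then the proof-of-possession
// check itself: the client must present HMAC-SHA256(popKey, nonce) over a nonce the RS chose (assumption).
func rsAuthorize(token string, nonce, proof []byte, asPub *rsa.PublicKey, rsKey *rsa.PrivateKey) error {
	claims, err := verifyJWT(token, asPub) // 1. validate JWT
	if err != nil { return err }
	if claims["aud"] != "connected_tube_123" { return errors.New("token not for this RS") }
	if exp, _ := claims["exp"].(float64); int64(exp) < time.Now().Unix() { return errors.New("token expired") }
	cnf, _ := claims["cnf"].(map[string]any); jwe, _ := cnf["jwe"].(string) // 2. extract JWE from cnf
	if jwe == "" { return errors.New("no cnf.jwe: not a PoP token") }
	jwk, err := decryptJWE(jwe, rsKey) // 3. decrypt JWE -> symmetric JWK carrying the PoP key
	if err != nil { return err }
	var k struct{ K string `json:"k"` }
	if err := json.Unmarshal(jwk, &k); err != nil { return err }
	m := hmac.New(sha256.New, dec(k.K)); m.Write(nonce)
	if !hmac.Equal(m.Sum(nil), proof) { return errors.New("proof of possession failed") }
	return nil
}

// Demo plays all three parties offline with freshly generated keys (constructed values, not the talk's).
func Demo() error {
	asKey, _ := rsa.GenerateKey(rand.Reader, 2048) // AS signing key; the RS is pre-provisioned with its public half
	rsKey, _ := rsa.GenerateKey(rand.Reader, 2048) // RS decryption key; the AS holds its public half
	popKey := make([]byte, 32); rand.Read(popKey)    // the ephemeral key the client sent with its token request
	jwk, _ := json.Marshal(map[string]string{"kty": "oct", "alg": "HS256", "k": b64.EncodeToString(popKey)})
	jwe, err := encryptJWE(jwk, &rsKey.PublicKey)
	if err != nil { return err }
	now, nonce := time.Now().Unix(), []byte("rs-challenge-42") // constructed challenge the RS sends the client
	token, err := signJWT(map[string]any{"iss": "issuer.company.com", "sub": "24400320", "aud": "connected_tube_123",
		"iat": now, "exp": now + 300, "cnf": map[string]any{"jwe": jwe}}, asKey)
	if err != nil { return err }
	m := hmac.New(sha256.New, popKey); m.Write(nonce)
	if err := rsAuthorize(token, nonce, m.Sum(nil), &asKey.PublicKey, rsKey); err != nil { return err }
	// Replaying the token without the key (what a bearer token would allow) must fail at the PoP check.
	if rsAuthorize(token, nonce, []byte("no key"), &asKey.PublicKey, rsKey) == nil { return errors.New("replay accepted") }
	return nil
}

func main() {
	if err := Demo(); err != nil { fmt.Println("FAIL:", err) } else { fmt.Println("OK: token valid, key recovered, replay rejected") }
}
```

Run it with `go run`. The order of checks in rsAuthorize is the order page 57 gives, and it is also the cheap-to-expensive order a constrained RS wants: signature and claims first, so a token that was never issued by the AS is dropped before any RSA decryption, and the private-key operation only runs for tokens that already passed the public-key check. The negative case at the end of Demo is the point of the whole design: the token alone, the thing a bearer scheme would accept, is useless without the key that the AS bound it to.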
Page 60: Summary
• OAuth is all about Trust
• OAuth depends on TLS
• With Proof of Possession it can solve IoT
• Constrained environments can be
  • Online or offline
  • Pre-provisioned with Trust
  • Does not depend on TLS