OAuth2 for IoT Security: Why OpenID Connect & UMA Are the Key
DESCRIPTION
You can't re-invent the last 20 years of security. It took the OpenID Connect and UMA working groups five years *each* to develop these standards. Not only do they address most of today's IoT security needs, but many hundreds more which will be teased out over time.
TRANSCRIPT
![Page 1: OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key](https://reader035.vdocuments.us/reader035/viewer/2022081401/55838a5dd8b42a8e0c8b4c91/html5/thumbnails/1.jpg)
OAuth2 profiles: OpenID Connect / UMA
Why adopt for IoT?
Page 2
OAuth2 identity standards poised for significant success...
WAM
* WAM = Web Access Management (SiteMinder, Oracle Access Manager, etc.)
Page 4
Connect Discovery: GET request to https://<host>/.well-known/openid-configuration
See specification: http://openid.net/specs/openid-connect-discovery-1_0.html
See sample response: http://seed.gluu.org/.well-known/openid-configuration
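A discovery fetch is only as trustworthy as the checks the Relying Party applies to the answer. The following is an added example, not code from the slides or from Gluu's oxAuth: it validates a discovery document the way an RP should before using any endpoint in it. The host op.example and the JSON body are constructed for the example (shaped like the Gluu sample linked above, abridged).

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document for a hypothetical OP at https://op.example
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/oxauth/authorize",
    "token_endpoint": "https://op.example/oxauth/token",
    "userinfo_endpoint": "https://op.example/oxauth/userinfo",
    "jwks_uri": "https://op.example/oxauth/jwks",
    "registration_endpoint": "https://op.example/oxauth/register",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "none"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})

# Metadata every OP must publish (OpenID Connect Discovery 1.0, section 3).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def discovery_url(issuer):
    """The URL an RP fetches: the issuer with the well-known path appended."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(expected_issuer, body):
    """Parse a discovery response; raise ValueError on anything an RP must not trust."""
    meta = json.loads(body)
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError("missing metadata: " + ", ".join(missing))
    # The issuer value must equal the location we fetched from. Accepting any
    # issuer would let a look-alike or proxied host point the RP at endpoints
    # it controls; ID tokens are later checked against this same value.
    if meta["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError("issuer mismatch: %r vs %r" % (meta["issuer"], expected_issuer))
    iss = urlsplit(meta["issuer"])
    if iss.scheme != "https" or iss.query or iss.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    # Tokens and signing keys travel to these URLs: plain http here is a downgrade.
    for key in [k for k in meta if k.endswith("_endpoint") or k == "jwks_uri"]:
        if urlsplit(meta[key]).scheme != "https":
            raise ValueError("%s is not https: %s" % (key, meta[key]))
    # The spec requires RS256 to be offered; "none" may be listed but an RP never accepts it.
    if "RS256" not in meta["id_token_signing_alg_values_supported"]:
        raise ValueError("OP does not offer RS256 ID token signing")
    if "code" not in meta["response_types_supported"]:
        raise ValueError("OP does not support the authorization code flow")
    return meta
```

In a real RP the `body` argument is the response of an HTTPS GET on `discovery_url(issuer)`; the `registration_endpoint` returned by `validate_discovery` is where the dynamic client registration on the next slide is sent.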
Page 5
Connect Dynamic Client Registration
See specification: http://openid.net/specs/openid-connect-registration-1_0.html
See sample Dynamic Client Registration html form: http://seed.gluu.org/oxauth-rp
Page 6
Connect Authentication, User Claims and Client Claims
See specification: http://openid.net/specs/openid-connect-core-1_0.html
Overview of four flows: http://www.gluu.co/connect-flows
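Every one of the four flows ends with an ID token that the RP must validate before believing any claim in it. The following is an added example, not code from the slides or from Gluu: it mints an HS256 ID token in the role of the OP (HS256 keyed with the client_secret is one of the signing options Connect Core defines; production OPs usually sign with RS256 using keys published at jwks_uri) and then performs the RP-side checks from Connect Core section 3.1.3.7. The issuer, client, secret, nonce and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, client_secret):
    """Stand-in for the OP: an HS256 JWT keyed with the client_secret
    (OpenID Connect Core 10.1 keys HS256 ID tokens that way)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """RP-side ID token validation; returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(unb64url(header_b64))
    # The RP decides the algorithm, never the token: this rejects alg=none and
    # any algorithm the client was not registered for.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(), (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without a matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if "iat" not in claims:
        raise ValueError("iat missing")
    # The nonce ties this ID token to the authentication request the RP sent.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


# Constructed sample: hypothetical OP, client, secret and user.
ISSUER = "https://op.example"
CLIENT_ID = "client-abc"
CLIENT_SECRET = "s3cr3t-client-secret"
NONCE = "n-0S6_WzA2Mj"
NOW = 1700000000


def sample_claims(now=NOW):
    return {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
            "exp": now + 300, "iat": now, "nonce": NONCE, "email": "jane@example.org"}
```

The order matters: the algorithm and signature are checked before any claim is read, so a forged payload never influences which key or issuer the RP compares against.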
Page 7
Authentication + Claims != Access Control
Page 8
Policy Decision Point = UMA Authorization Server
Policy Enforcement Point = UMA Resource Server
Page 9
UMA Working Group Home Page: http://www.gluu.co/uma-wg
When the client presents an authorized RPT (Requesting Party Token), the Resource Server can verify, by introspecting it at the Authorization Server, that access has been granted.
The PAT (Protection API Token, held by the Resource Server) and the AAT (Authorization API Token, held by the client) are ordinary OAuth2 access tokens used only to authenticate calls to the Authorization Server's protection and authorization APIs; neither grants access to the protected resource itself.
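The PDP/PEP split and the three token roles are easiest to see as one exchange. The following is an added example, not code from the slides or from Gluu: an in-memory simulation of the UMA 1.0 round trip between a client, a Resource Server (PEP) and an Authorization Server (PDP). The owner and party names, token formats, as_uri and the policy callable are constructed; the callable stands in for the policy language that UMA deliberately does not define.

```python
import secrets
import time


class NotAuthorized(Exception):
    pass


class AuthorizationServer:
    """UMA 1.0 Authorization Server in the PDP role. UMA defines no policy
    language, so the decision is a caller-supplied callable."""

    def __init__(self, policy):
        self.policy = policy        # policy(requesting_party, resource_set, scopes) -> bool
        self.pats = {}              # PAT -> resource owner who authorized the RS
        self.aats = {}              # AAT -> requesting party using the client
        self.resource_sets = {}     # resource_set_id -> description
        self.tickets = {}           # permission ticket -> (rsid, scopes, expiry)
        self.rpts = {}              # RPT -> {"exp": ..., "permissions": [...]}

    def issue_pat(self, owner):
        """PAT: OAuth2 token the RS obtains from the owner; unlocks only the protection API."""
        pat = secrets.token_urlsafe(16)
        self.pats[pat] = owner
        return pat

    def issue_aat(self, party):
        """AAT: OAuth2 token the client obtains; unlocks only the authorization API."""
        aat = secrets.token_urlsafe(16)
        self.aats[aat] = party
        return aat

    def _owner(self, pat):
        if pat not in self.pats:
            raise NotAuthorized("invalid PAT")
        return self.pats[pat]

    # Protection API (RS -> AS, bearer PAT)
    def register_resource_set(self, pat, name, scopes):
        rsid = secrets.token_urlsafe(8)
        self.resource_sets[rsid] = {"owner": self._owner(pat), "name": name, "scopes": set(scopes)}
        return rsid

    def register_permission(self, pat, rsid, scopes):
        rset = self.resource_sets[rsid]
        if rset["owner"] != self._owner(pat) or not set(scopes) <= rset["scopes"]:
            raise NotAuthorized("PAT does not own this resource set, or unknown scope")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rsid, set(scopes), time.time() + 60)
        return ticket

    def introspect(self, pat, rpt):
        self._owner(pat)
        entry = self.rpts.get(rpt)
        if entry is None or entry["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "permissions": entry["permissions"]}

    # Authorization API (client -> AS, bearer AAT)
    def request_rpt(self, aat, ticket):
        party = self.aats.get(aat)
        if party is None:
            raise NotAuthorized("invalid AAT")
        rsid, scopes, expiry = self.tickets.pop(ticket, (None, set(), 0))  # tickets are single use
        if rsid is None or expiry <= time.time():
            raise NotAuthorized("unknown or expired ticket")
        if not self.policy(party, self.resource_sets[rsid], scopes):       # the PDP decision
            raise NotAuthorized("policy denied %s on %s" % (sorted(scopes), rsid))
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"exp": time.time() + 300,
                          "permissions": [{"resource_set_id": rsid, "scopes": sorted(scopes)}]}
        return rpt


class ResourceServer:
    """PEP: registers what it protects and asks the AS what an RPT carries."""

    def __init__(self, authz, pat, as_uri="https://as.example"):
        self.authz, self.pat, self.as_uri, self.resources = authz, pat, as_uri, {}

    def protect(self, name, scopes):
        self.resources[name] = self.authz.register_resource_set(self.pat, name, scopes)

    def handle(self, name, scope, rpt=None):
        """Return (http_status, body) for a client request on one resource and scope."""
        rsid = self.resources[name]
        if rpt is not None:
            info = self.authz.introspect(self.pat, rpt)
            if info["active"] and any(p["resource_set_id"] == rsid and scope in p["scopes"]
                                      for p in info["permissions"]):
                return 200, {"resource": name, "scope": scope}
        # No usable RPT: register the needed permission and return a ticket (UMA 1.0: HTTP 403).
        ticket = self.authz.register_permission(self.pat, rsid, [scope])
        return 403, {"as_uri": self.as_uri, "ticket": ticket}


def client_access(rserver, authz, aat, name, scope):
    """Client side: try once, and on a ticket response obtain an RPT and retry."""
    status, body = rserver.handle(name, scope)
    if status == 403:
        rpt = authz.request_rpt(aat, body["ticket"])   # raises NotAuthorized when policy says no
        status, body = rserver.handle(name, scope, rpt)
    return status, body


def demo():
    """Constructed scenario: alice's RS shares read-only calendar access with bob."""
    def policy(party, resource_set, scopes):
        return resource_set["owner"] == "alice" and party == "bob" and scopes <= {"read"}
    authz = AuthorizationServer(policy)
    rserver = ResourceServer(authz, authz.issue_pat("alice"))
    rserver.protect("calendar", ["read", "write"])
    return authz, rserver, authz.issue_aat("bob"), authz.issue_aat("carol")
```

Note what each token can and cannot do: the PAT never appears in a client request, the AAT never reaches the Resource Server, and the RPT is meaningless to the Resource Server until the Authorization Server introspects it and reports the permissions it carries.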
Page 10
UMA does not...
● Define any policy expression language
● Say who makes the decision (although it defines capabilities to enable people to centrally manage policies)
Page 11
Page 12
Why adopt these two OAuth2 profiles?
1. 10 years of development based on 10 years of experience. Both standards started around 2010. From 2001-2010 we gained critical feedback from developers on what kinds of APIs are needed for security.
2. Perfect fit for IoT; in fact, designed to solve almost the same exact use cases.
3. Does not assume cloud; just standardizes interfaces. Local authorization servers should use the same protocol as cloud servers.
4. Proven usability by developers. OAuth2 is now the industry standard and many libraries exist. You can start simple.
5. Small on the wire: JSON messaging uses less bandwidth and computing power.
6. Scales for high-end security requirements. NIST LOA 3 and LOA 4 deployments are possible.
7. Industry consensus exists for OpenID Connect: Google and Microsoft already support it.
8. UMA 1.0 standard to be announced at RSA Security in April, 2015.