OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
You can't re-invent the last 20 years of security. It took OpenID Connect and UMA working groups five years *each* to develop these standards. Not only do they address most of today's IoT security needs, but many hundreds more which will be teased out over time.

Published in: Internet

  1. OAuth2 profiles: OpenID Connect / UMA. Why adopt for IOT?
  2. OAuth2 Identity Standards poised for significant success... WAM (* WAM = Web Access Management: SiteMinder, Oracle Access Manager, etc.)
  3. OpenID Connect: http://openid.net/connect
  4. Connect Discovery: GET request to https://<host>/.well-known/openid-configuration
     See specification: http://openid.net/specs/openid-connect-registration-1_0.html
     See sample response: http://seed.gluu.org/.well-known/openid-configuration
  5. Connect Dynamic Client Registration
     See specification: http://openid.net/specs/openid-connect-registration-1_0.html
     See sample Dynamic Client Registration HTML form: http://seed.gluu.org/oxauth-rp
  6. Connect Authentication, User Claims and Client Claims
     See specification: http://openid.net/specs/openid-connect-core-1_0.html
     Overview of four flows: http://www.gluu.co/connect-flows
  7. Authentication + Claims != Access Control
  8. Policy Decision Point = UMA Authorization Server; Policy Enforcement Point = UMA Resource Server
  9. UMA Working Group Home Page: http://www.gluu.co/uma-wg
     By presenting an authorized RPT token, the Resource Server can verify that access has been granted. The PAT and AAT are just for secure communication.
  10. UMA does not...
      ● Define any policy expression language
      ● Say who makes the decision (although it defines capabilities to enable people to centrally manage policies)
  11. Why adopt these two OAuth2 profiles???
      1. 10 years of development based on 10 years of experience. Both standards started around 2010. From 2001-2010 we gained critical feedback from developers on what kinds of APIs are needed for security.
      2. Perfect fit for IOT--in fact designed to solve almost the same exact use cases.
      3. Does not assume cloud--just standardizes interfaces. Local authorization servers should use the same protocol as cloud servers.
      4. Proven usability by developers--OAuth2 is now the industry standard and many libraries exist. You can start simple.
      5. Small on the wire: JSON messaging uses less bandwidth and computing power.
      6. Scales for high-end security requirements. NIST LOA 3 and LOA 4 deployments are possible.
      7. Industry consensus exists for OpenID Connect: Google and Microsoft already support it.
      8. UMA 1.0 standard to be announced at RSA Security in April, 2015.
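Slide 4 shows the Discovery GET to `/.well-known/openid-configuration` but not what a client (an IoT device included) should check before acting on the document it receives. The example below is added here and is not from the slides or from Gluu's code: it builds the discovery URL from an issuer the way OpenID Connect Discovery 1.0 section 4 describes, and validates a discovery document against the REQUIRED members of section 3, the rule that `issuer` must be identical to the issuer the document was fetched for, and an https requirement on every endpoint. The sample document (`https://op.example` and its endpoints) is constructed for this example; nothing is fetched from the network.

```python
"""Validate an OpenID Connect Discovery document before trusting it.

Added example, not from the slides. The sample document below is constructed;
field names and rules follow OpenID Connect Discovery 1.0 (sections 3 and 4).
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Members that Discovery 1.0 section 3 marks REQUIRED for every OP.
# token_endpoint is required too unless only the Implicit Flow is offered,
# so it is handled separately in validate_metadata().
REQUIRED = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample document for an issuer "https://op.example".
SAMPLE_DOC_JSON = json.dumps({
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
    "jwks_uri": "https://op.example/jwks",
    "registration_endpoint": "https://op.example/register",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(issuer: str) -> str:
    """Issuer URL -> discovery URL. Section 4: a terminating '/' on the issuer
    path is removed before the well-known suffix is appended."""
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(expected_issuer: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document is usable.

    Checks: every REQUIRED member is present; `issuer` is byte-for-byte the
    issuer we asked about (section 4.3), which stops a substituted document from
    redirecting the client to a different OP; every *_endpoint and jwks_uri use
    https; token_endpoint exists unless only implicit response types are offered.
    """
    problems = []
    for name in REQUIRED:
        if name not in doc:
            problems.append(f"missing required member: {name}")
    if "issuer" in doc and doc["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")
    for name, value in doc.items():
        if (name.endswith("_endpoint") or name == "jwks_uri") and \
                urlsplit(str(value)).scheme != "https":
            problems.append(f"{name} is not https: {value}")
    implicit_only = {"id_token", "id_token token"}
    offered = set(doc.get("response_types_supported", []))
    if "token_endpoint" not in doc and not offered <= implicit_only:
        problems.append("token_endpoint missing but non-implicit response types are offered")
    return problems


def load_sample_doc() -> dict:
    """The constructed, valid sample document."""
    return json.loads(SAMPLE_DOC_JSON)


def tampered_doc() -> dict:
    """A constructed bad copy: wrong issuer, plain-http token endpoint, no jwks_uri."""
    doc = load_sample_doc()
    doc["issuer"] = "https://evil.example"
    doc["token_endpoint"] = "http://op.example/token"
    del doc["jwks_uri"]
    return doc


if __name__ == "__main__":
    print(discovery_url("https://op.example/"))
    print("valid sample:", validate_metadata("https://op.example", load_sample_doc()))
    print("tampered:", validate_metadata("https://op.example", tampered_doc()))
```

The issuer comparison is deliberately exact rather than normalised: the specification requires identity, and loosening it (case folding, trailing slashes) is where substitution bugs creep in. A device that caches the document should re-run these checks on every refresh, not only on first boot.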
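Slides 8 and 9 put the Policy Enforcement Point at the UMA Resource Server and say the RS "can verify that access has been granted" by an RPT. The RS never decides from the RPT's own bytes; it introspects the RPT at the Authorization Server (using its PAT) and acts on the returned permissions. The example below is added here and is not from the slides or from Gluu's code: it implements the RS-side decision over a constructed introspection result. The payload shape (`active`, a `permissions` list whose entries carry `resource_set_id`, `scopes` and `exp`) follows the UMA 1.0 RPT profile as I understand it and is treated as an assumption; the resource identifiers, scopes, timestamps and `as_uri` are constructed.

```python
"""UMA Resource Server (PEP) decision from an RPT introspection result.

Added example, not from the slides. The introspection payload is constructed;
its field names (active, permissions[].resource_set_id/scopes/exp) are taken
from the UMA 1.0 RPT profile and are an assumption of this example.
"""
import time

AS_URI = "https://as.example"  # constructed authorization server location


def sample_introspection() -> dict:
    """Constructed result of POSTing an RPT to the AS introspection endpoint."""
    return {
        "active": True,
        "exp": 1_500_000,
        "permissions": [
            {"resource_set_id": "rs-photos-1", "scopes": ["view"], "exp": 1_500_000},
            {"resource_set_id": "rs-photos-2", "scopes": ["view", "edit"], "exp": 1_500_000},
        ],
    }


def permitted(introspection: dict, resource_set_id: str, needed: set, now=None) -> bool:
    """True only if an active, unexpired permission on exactly this resource set
    covers every requested scope. Anything missing or ambiguous denies."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    for perm in introspection.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        exp = perm.get("exp")
        if exp is not None and exp <= now:
            continue  # this grant has lapsed; do not fall back to a stale one
        if needed <= set(perm.get("scopes", [])):
            return True
    return False


def decide(introspection: dict, resource_set_id: str, needed: set, now=None):
    """Map the decision to an HTTP outcome: (status, headers).

    On denial UMA 1.0 has the RS answer 403 with a WWW-Authenticate header that
    names the AS, so the client knows where to obtain an RPT; the permission
    ticket that accompanies it is registered at the AS with the PAT and is
    omitted here as outside this example.
    """
    if permitted(introspection, resource_set_id, needed, now):
        return 200, {}
    return 403, {"WWW-Authenticate": f'UMA realm="iot-rs", as_uri="{AS_URI}"'}


if __name__ == "__main__":
    print(decide(sample_introspection(), "rs-photos-1", {"view"}, now=1_000))
    print(decide(sample_introspection(), "rs-photos-1", {"edit"}, now=1_000))
```

Two points a practitioner should keep from this: the check is per resource set and per scope, never "is the RPT valid", and expiry is evaluated by the RS at request time, so a device with a drifting clock should take `now` from a trusted source rather than its own RTC.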
