AN AUTHENTICATION FRAMEWORK FOR THE IOT
John Bradley
Copyright © 2014 Ping Identity Corp. All rights reserved.
Premise
• The full promise of the Internet of Things (IoT) can only be realized if the many and varied interactions between users, things, cloud services and applications can be authenticated.
• User-delegated consent will be necessary for any scenario where potentially privacy-sensitive data is collected and transferred (wearables, home automation, health, etc.).
• OAuth 2.0 and OpenID Connect 1.0 are two authentication and authorization standards that promise to serve as important tools for the IoT’s authentication and authorization requirements.
Who are the actors
• Things/devices
• Users
• Applications
• Clouds
• Gateways
All of which need to be authenticated.
Authentication & Authorization Model
• IoT actors authenticate by presenting security tokens on their calls/messages to each other.
• Tokens represent the relationship between the relevant user and the calling actor (and any consents/permissions associated with that relationship).
• Upon receiving a message, an actor validates the token to verify that the request is consistent with the relationship/permissions.
• If consent is removed, the token is revoked and access is disabled.
• OAuth 2.0 & OpenID Connect 1.0 are two authentication & authorization frameworks that enable this model.
OAuth 2.0
• OAuth 2.0 is an IETF standard authentication & authorization framework for securing application access to RESTful APIs.
• OAuth allows a Client (an application that desires information) to send an API query to a Resource Server (RS), the application hosting the desired information, such that the RS can authenticate that the message was indeed sent by the Client.
• The Client authenticates to the RS through the inclusion of an access token on its API call—a token previously provided to the Client by an Authorization Server (AS).
• In those scenarios where the API in question protects access to a User’s identity attributes, it may be the case that the access token will only be issued by the AS after the User has explicitly given consent to the Client accessing those attributes.
OpenID Connect 1.0
• OpenID Connect 1.0 is an OIDF standard that profiles and extends OAuth 2.0 to add an identity layer—creating a single framework that promises to secure APIs, mobile native applications and browser applications in a single, cohesive architecture.
• OpenID Connect adds two notable identity constructs to OAuth’s token issuance model.
  – An identity token—the delivery of which, from one party to another, can enable a federated SSO user experience for a user.
  – A standardized identity attribute API—at which a client can retrieve the desired identity attributes for a given user.
• If your use case requires something more than authentication and authorization of API calls, Connect’s features that go beyond OAuth become relevant.
Representative IoT architecture
• Fitbit makes the Aria smart scale.
• The scale syncs through home Wi-Fi to the Fitbit cloud for display & analysis through web & native applications.
• 3rd party services can access weight data to provide additional insight.
Architecture requirements
• User weight data is personal and must be protected against compromise.
• Additionally, weight data must only be shared by Fitbit when consistent with user policy.
Architecture
[Architecture diagram; labels: FitBit, Proprietary, 3rd party services, REST API, REST API]
Let’s examine how OAuth & Connect can apply here.
Cloud to cloud
• TrendWeight offers additional insight & analysis of weight data.
• It pulls scale data from Fitbit cloud REST endpoints.
• TrendWeight should use OAuth to authenticate its API calls as being on behalf of a particular user.
• Because the user is involved in token issuance, this is a privacy-enabling model.
Cloud to Cloud
[Flow diagram; labels: Login & consent, Weight data]
Revocation of authorization
The user can remove permissions assigned to 3rd parties.
Native Application
• Users can view their weight data & trends from iOS & Android native applications.
• Native applications pull data from Fitbit cloud REST endpoints.
• Native applications should use OAuth to authenticate their API calls as being on behalf of a particular user.
Device to gateway
• Devices communicate with each other and the gateway via the local network—sharing data, sending control messages, etc.
• These local interactions may not use HTTP, but instead an application protocol more optimized to the constraints (CPU size, battery, etc.) of devices.
• Such application protocols include XMPP, MQTT and CoAP.
• Work has begun in exploring how to bind OAuth & Connect to such IoT-optimized protocols, e.g. the ACE effort in the IETF.
Conclusion
• Authentication & authorization of actors is fundamental to IoT security.
• Mechanisms must be secure, scalable and privacy-respecting.
• OAuth & Connect promise to provide important pieces of an authn & authz framework for IoT.

 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Identity for IoT: An Authentication Framework for the IoT

1. AN AUTHENTICATION FRAMEWORK FOR THE IOT
John Bradley
Copyright © 2014 Ping Identity Corp. All rights reserved.

2. Premise
•  The full promise of the Internet of Things (IoT) can only be realized if the many and varied interactions between users, things, cloud services and applications can be authenticated.
•  User-delegated consent will be necessary for any scenario where potentially privacy-sensitive data is collected and transferred (wearables, home automation, health, etc.).
•  OAuth 2.0 and OpenID Connect 1.0 are two authentication and authorization standards that promise to serve as important tools for the IoT's authentication and authorization requirements.

3. Who are the actors
•  Things/devices
•  Users
•  Applications
•  Clouds
•  Gateways

4. Who are the actors
•  Things/devices
•  Users
•  Applications
•  Clouds
•  Gateways
All of which need to be authenticated.

5. Authentication & Authorization Model
•  IoT actors authenticate by presenting security tokens on their calls/messages to each other.
•  Tokens represent the relationship between the relevant user and the calling actor (and any consents/permissions associated with that relationship).
•  Upon receiving a message, an actor validates the token to verify that the request is consistent with the relationship/permissions.
•  If consent is removed, the token is revoked and access is disabled.
•  OAuth 2.0 & OpenID Connect 1.0 are two authentication & authorization frameworks that enable this model.

6. OAuth 2.0
•  OAuth 2.0 is an IETF standard authentication & authorization framework for securing application access to RESTful APIs.
•  OAuth allows a Client (an application that desires information) to send an API query to a Resource Server (RS), the application hosting the desired information, such that the RS can authenticate that the message was indeed sent by the Client.
•  The Client authenticates to the RS through the inclusion of an access token on its API call: a token previously provided to the Client by an Authorization Server (AS).
•  In those scenarios where the API in question protects access to a User's identity attributes, it may be the case that the access token will only be issued by the AS after the User has explicitly given consent to the Client accessing those attributes.

7. OpenID Connect 1.0
•  OpenID Connect 1.0 is an OIDF standard that profiles and extends OAuth 2.0 to add an identity layer, creating a single framework that promises to secure APIs, mobile native applications and browser applications in a single, cohesive architecture.
•  OpenID Connect adds two notable identity constructs to OAuth's token issuance model:
   –  An identity token, the delivery of which, from one party to another, can enable a federated SSO user experience for a user.
   –  A standardized identity attribute API, at which a client can retrieve the desired identity attributes for a given user.
•  If your use case requires something more than authentication and authorization of API calls, Connect's features that go beyond OAuth become relevant.

8. Representative IoT architecture
•  Fitbit makes the Aria smart scale.
•  The scale syncs through home Wi-Fi to the Fitbit cloud for display & analysis through web & native applications.
•  3rd party services can access weight data to provide additional insight.

9. Architecture requirements
•  User weight data is personal and must be protected against compromise.
•  Additionally, weight data must only be shared by Fitbit when consistent with user policy.

10. Architecture
(Architecture diagram; labels: "FitBit Proprietary", "3rd party services", "REST API", "REST API")

11. Architecture
(Same architecture diagram; labels: "FitBit Proprietary", "3rd party services", "REST API", "REST API")
Let's examine how OAuth & Connect can apply here.

12. Cloud to cloud
•  TrendWeight offers additional insight & analysis of weight data.
•  It pulls scale data from Fitbit cloud REST endpoints.
•  TrendWeight should use OAuth to authenticate its API calls as being on behalf of a particular user.
•  Because the user is involved in token issuance, this is a privacy-enabling model.

13. Cloud to Cloud
(Flow diagram; labels: "Login & consent", "Weight data")

14. Revocation of authorization
User can remove permissions assigned to 3rd parties.
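The token model of slides 5, 6, 12 and 14 (AS issues a token binding user, client and consented scopes; the RS validates it on every call; withdrawing consent revokes it), worked through as an added example that is not part of the original deck or of any Fitbit or TrendWeight code. It assumes a simplified HMAC-signed token with a shared key; real deployments verify an asymmetrically signed JWT or use token introspection against the AS. The "weight:read" scope, "weight-api" audience and sample data are constructed.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared by AS and RS (a real AS signs with a private key).
SECRET = b"constructed-demo-key"
API_AUDIENCE = "weight-api"          # constructed identifier for the Fitbit REST API
REVOKED = set()                      # relationships whose consent the user withdrew

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

# Authorization Server: after login & consent, issue a token encoding the
# user<->client relationship and the scopes (permissions) the user consented to.
def issue_token(user: str, client_id: str, scopes: list, now: int, ttl: int = 3600) -> str:
    claims = {"sub": user, "client_id": client_id, "scope": scopes,
              "aud": API_AUDIENCE, "exp": now + ttl, "rel": f"{user}:{client_id}"}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

# User removes a 3rd party's permission: every token for that relationship
# stops working on the next API call.
def revoke_consent(user: str, client_id: str) -> None:
    REVOKED.add(f"{user}:{client_id}")

# Resource Server: validate the bearer token on every API call.
def validate(token: str, required_scope: str, now: int):
    """Return (True, claims) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):   # authenticity, constant-time
        return False, "bad_signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != API_AUDIENCE:
        return False, "wrong_audience"              # token meant for another RS
    if claims["exp"] <= now:
        return False, "expired"
    if claims["rel"] in REVOKED:
        return False, "consent_revoked"
    if required_scope not in claims["scope"]:
        return False, "insufficient_scope"         # consent did not cover this
    return True, claims

# The weight-data REST endpoint (constructed): 200 with data, 401/403 otherwise.
def weight_api(token: str, now: int) -> tuple:
    ok, result = validate(token, "weight:read", now)
    if not ok:
        return (403 if result in ("consent_revoked", "insufficient_scope") else 401), result
    return 200, {"user": result["sub"], "weight_kg": 72.4}   # constructed sample data
```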
15. Native Application
•  Users can view their weight data & trends from iOS & Android native applications.
•  Native applications pull data from Fitbit cloud REST endpoints.
•  Native applications should use OAuth to authenticate their API calls as being on behalf of a particular user.

16. Device to gateway
•  Devices communicate with each other and the gateway via the local network, sharing data, sending control messages, etc.
•  These local interactions may not use HTTP, but instead an application protocol more optimized to the constraints (CPU size, battery, etc.) of devices.
•  Such application protocols include XMPP, MQTT and CoAP.
•  Work has begun in exploring how to bind OAuth & Connect to such IoT-optimized protocols, e.g. the ACE effort in the IETF.

17. Conclusion
•  Authentication & authorization of actors is fundamental to IoT security.
•  Mechanisms must be secure, scalable and privacy respecting.
•  OAuth & Connect promise to provide important pieces of an authn & authz framework for the IoT.