Securing the Gateway to the IoT
Using OAuth, OpenID Connect & other modern security standards to protect devices
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2016 Twobo Technologies AB. All rights reserved
Organizers and founders
§ All API Conferences – next is October 25-26
§ API Community
§ Active blogosphere
Agenda
§ Architectural overview of app access to IOT devices
§ OAuth 2 Fundamentals
§ Building OpenID Connect on OAuth
§ Additional resources
What We All Want, Basically
Diagram: Computer Programs <-> Data
Connecting Apps to the IOT
§ Mobiles must use IOT protocols (ZigBee, Z-Wave, etc.)
§ Mass adoption requires abstractions
§ Abstractions already exist – HTTP & Web sockets
Diagram: Apps <-> IOT Devices
IOT Gateway Mediates Protocols
Diagram: Apps -> HTTP & Web Socket APIs -> IOT Gateway API -> ZigBee, Z-Wave, etc. -> IOT Devices
APIs Provide Security Enforcement Point
§ Secure access to IOT is the same as APIs on the WWW
§ Token-based approach
§ APIs are secured using:
  § OAuth 2
  § OpenID Connect
Diagram: Apps -> APIs -> IOT Gateway
Authentication & Token Issuance are the Same as Non-IOT Use Cases
Diagram: Apps -> APIs -> IOT Gateway, plus an Authentication Service and a Token Service in front of the APIs
The Neo-security Stack
Diagram: the standards in the stack and what each one provides
§ U2F – Authentication
§ OAuth 2 – Delegated Access
§ OpenID Connect – Federation
§ SCIM – Provisioning
§ ALFA – Authorization
§ JSON Identity Suite – Identities
§ OAuth 2 is the new protocol of protocols
  § Used as the base of other specifications
    § OpenID Connect, UMA, etc.
§ Addresses some important requirements
  § Delegated access
  § No password sharing
  § Revocation of access
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
Diagram: the RO delegates to the Client; the Client gets a token from the AS; the Client uses the token at the RS (IOT APIs)
Request, Authenticate & Consent
1. The Client Requests Access
2. The AS Requires the RO to Authenticate
3. The AS Issues the One-time Use Code
4. The Client Redeems the One-time Use Code
5. The AS Issues the Token
6. The Client Presents the Token to the RS
7. The RS Validates the Token
8. Access!
Diagram (one slide per step): Resource Owner (RO), Client, Authorization Server (AS), Resource Server (RS)
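The eight steps above, as a worked example added to these notes (not code from the talk or from Twobo): an in-process simulation of the AS, the Client and the RS. The tokens are opaque references that the RS validates by asking the AS, and the class names, the client_id "iot-mobile-app", the redirect URI and the scope "thermostat:read" are all assumptions made for the demo. Beyond the slides, it also shows the checks an AS must make on step 4 (the code is single-use and bound to the client and redirect URI it was issued for) and what the RS does on step 7 with a token it has never seen.

```python
import secrets
import time


class AuthorizationServer:
    """Plays the AS: issues one-time codes, issues tokens, and answers the RS's
    validation query. Tokens here are opaque references, so validation is a lookup."""

    def __init__(self):
        # Assumed client registration: client_id -> registered redirect URI.
        self.clients = {"iot-mobile-app": "https://app.example/cb"}
        self.codes = {}    # one-time code -> (client_id, redirect_uri, subject, scope)
        self.tokens = {}   # access token -> {"sub", "scope", "exp"}

    def authorize(self, client_id, redirect_uri, scope, authenticated_user):
        # Steps 1-3: the client requests access, the RO has authenticated and
        # consented (passed in as authenticated_user), the AS issues a code.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, authenticated_user, scope)
        return code

    def token(self, code, client_id, redirect_uri):
        # Steps 4-5: the client redeems the code. pop() enforces one-time use;
        # the code must also be bound to the same client and redirect URI.
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": entry[2], "scope": entry[3], "exp": time.time() + 600}
        return access_token

    def validate(self, access_token):
        # Step 7: the RS asks the AS whether the reference token is live.
        info = self.tokens.get(access_token)
        if info is None or info["exp"] < time.time():
            return None
        return info


class ResourceServer:
    """Plays the RS, i.e. the IOT gateway API."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def read_thermostat(self, access_token):
        # Steps 6-8: validate the presented token, then check its scope.
        info = self.auth_server.validate(access_token)
        if info is None:
            return 401, "invalid token"
        if "thermostat:read" not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, {"owner": info["sub"], "temperature_c": 21.5}


def _rejected(action):
    """True if the action raises PermissionError (i.e. the AS refused it)."""
    try:
        action()
        return False
    except PermissionError:
        return True


def run_flow():
    """Run the exchange end to end and return the outcomes of each check."""
    as_ = AuthorizationServer()
    rs = ResourceServer(as_)
    client_id, redirect_uri = "iot-mobile-app", "https://app.example/cb"
    results = {}
    code = as_.authorize(client_id, redirect_uri, "thermostat:read", "alice")
    token = as_.token(code, client_id, redirect_uri)
    results["access"] = rs.read_thermostat(token)
    # The same code presented twice must be refused (one-time use).
    results["replay_rejected"] = _rejected(lambda: as_.token(code, client_id, redirect_uri))
    # A code redeemed with a different redirect URI must be refused.
    code2 = as_.authorize(client_id, redirect_uri, "thermostat:read", "alice")
    results["wrong_redirect_rejected"] = _rejected(
        lambda: as_.token(code2, client_id, "https://other.example/cb"))
    # The RS never trusts a presented token without validating it.
    results["bogus_token"] = rs.read_thermostat("not-a-real-token")
    # A valid token whose scope does not cover the call gets 403, not 401.
    code3 = as_.authorize(client_id, redirect_uri, "thermostat:write", "alice")
    results["wrong_scope"] = rs.read_thermostat(as_.token(code3, client_id, redirect_uri))
    return results


if __name__ == "__main__":
    for name, outcome in run_flow().items():
        print(f"{name}: {outcome}")
```

Every refusal here happens at the AS or RS, never in the client: the client only learns that the code or token was rejected, which is the point of putting the enforcement at the API.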
Scopes
§ Like permissions
§ Scopes specify extent of tokens’ usefulness
§ Listed on consent UI (if shown)
§ No standardized scopes
Kinds of Tokens
Access Tokens
§ Like a session
§ Used to secure API calls
Refresh Tokens
§ Like a password
§ Used to get new access tokens
Profiles of Tokens
Holder of Key
§ HoK tokens are like credit cards
Bearer
§ Bearer tokens are like cash
Types of Tokens
§ WS-Security
§ SAML
§ Custom
  § Home-grown
  § Oracle Access Manager
  § SiteMinder
§ JWT
JWT Tokens
§ Pronounced like the English word “jot”
§ Lightweight tokens passed in HTTP headers & query strings
§ Akin to SAML tokens
  § Less expressive
  § Fewer security options
  § More compact
  § Encoded w/ JSON not XML
Passing Tokens
Diagram: by value, the token itself carries the data (e.g., “John Doe”); by reference, the token is an opaque handle (e.g., “123XYZ”) that the recipient looks up
Improper Usage of OAuth
§ Not for authentication
§ Not really for authorization
§ Not for federation
Proper Usage of OAuth
§ For delegated access (user-to-app delegation in particular)
OpenID Connect
• Next generation federation protocol
  – Based on OAuth 2
  – Made for mobile
  – Not backward compatible
• Client & API receive tokens
• User info endpoint provided for client to get user data
OpenID Connect Example
Actors: Browser, RP / Client, OAuth AS / OpenID Provider
1. Request login, providing “openid” scope & user info scopes
2. Access code
3. Send code to get access token
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
7. User info
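A worked example added to these notes (not code from the talk, from Twobo, or from any OpenID Connect library) that covers three of the slides at once: the compact JWT (“jot”) format, a token passed by value, and steps 4 to 7 of the OpenID Connect example, where the RP checks the ID token's audience restriction before using the access token at the user info endpoint. The shared HMAC key, the issuer URL "https://op.example", the client_id "iot-mobile-app", the claims and the user directory are all constructed for the demo, and the user info endpoint is a plain function standing in for the OP's HTTP endpoint. HS256 is used only so the example runs on the standard library; the checks the RP makes (signature, alg, iss, aud, exp) are the same whichever algorithm the OP signs with.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = b"demo-shared-secret-not-for-production"   # constructed for the demo
ISSUER = "https://op.example"                     # assumed OpenID Provider
CLIENT_ID = "iot-mobile-app"                      # assumed RP client_id


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims, key=KEY):
    """Build header.payload.signature, each part base64url without padding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key=KEY, now=None):
    """Return the claims if the signature and expiry are good, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # the verifier decides the algorithm, never the token
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("expired")
    return claims


def verify_id_token(token, expected_aud=CLIENT_ID, key=KEY, now=None):
    """Step 5: the RP's audience restriction check. An ID token minted for a
    different client is rejected even though its signature is valid."""
    claims = verify_jwt(token, key, now)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("audience mismatch")
    return claims


def issue_tokens(subject, client_id, now):
    """Step 4, the OP's side: an access token and an ID token for one login."""
    access = encode_jwt({"iss": ISSUER, "sub": subject, "scope": "openid profile",
                         "iat": now, "exp": now + 600})
    id_token = encode_jwt({"iss": ISSUER, "sub": subject, "aud": client_id,
                           "iat": now, "exp": now + 600})
    return access, id_token


def userinfo(access_token, now=None):
    """Steps 6-7: stand-in for the OP's user info endpoint. It validates the
    access token and returns the subject's profile from a constructed directory."""
    claims = verify_jwt(access_token, now=now)
    directory = {"alice": {"sub": "alice", "name": "Alice Example"}}
    if "openid" not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return directory[claims["sub"]]


if __name__ == "__main__":
    t = time.time()
    access, id_token = issue_tokens("alice", CLIENT_ID, t)
    print("ID token claims:", verify_id_token(id_token, now=t))
    print("user info:", userinfo(access, now=t))
```

Because the token is passed by value, the RP can check everything it needs (issuer, audience, expiry, signature) without a round trip to the OP; the trade-off is that nothing in the token tells the RP whether it has since been revoked, which is why short expiry times matter for JWTs.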
Additional Resources
§ Blog posts
  § bit.ly/oauth-deep-dive
  § bit.ly/4-api-security-defenses
  § bit.ly/building-secure-api
  § bit.ly/right-api-armor (out Wednesday)
  § API keys post in a few weeks
§ Videos
  § bit.ly/oauth-in-depth
  § bit.ly/micro-services-security
  § bit.ly/building-secure-api-video
§ Whitepaper in the back
§ API security e-book coming soon
Summary
§ Abstracting devices behind an IOT gateway that exposes APIs
§ Securing APIs with OAuth and OpenID Connect
  § OAuth 2 fundamentals
  § Token types
  § Profiles
  § Passing tokens
§ Building OpenID Connect on OAuth
Thank you!