The Internet of Things (IoT) is increasingly handling personal data, yet what little authentication and authorization exists is mostly done with traditional centralized, role-based approaches. This talk shows how federated identity and access management approaches such as OAuth2 can be used with MQTT and CoAP to secure IoT systems.
The Internet of Things (IoT) and machine-to-machine (M2M) communication are growing areas, and security and privacy are prime concerns. In this session we will examine the security challenges of M2M devices, with particular attention to authorization and authentication. Much of the IoT is made up of personal systems, so there is a strong need for person-centred identity and access management. The OAuth2 protocol is gaining wide acceptance on the Web and has been designed to support federated identity, user-controlled delegation of access and dynamic permissions.
We look at how OAuth2 can be used with MQTT and CoAP. We will use a combination of open source hardware (based on Arduino) and open source software (including Mosquitto and WSO2 Identity Server) to demonstrate an Arduino-based IoT device interacting with MQTT-based systems using OAuth2 bearer tokens.
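To make the bearer-token exchange concrete, here is an added example (not code from the talk, nor from the Mosquitto or WSO2 projects) showing the two halves of the pattern: the device side, which builds an MQTT 3.1.1 CONNECT packet that carries the OAuth2 access token, and the broker side, which validates the token and maps its scopes onto topic permissions, the job a Mosquitto auth plugin would do. The conventions are hypothetical: the token rides in the CONNECT password field with the fixed username "oauth2", the authorization server's introspection response (RFC 7662 shape) is a constructed in-memory table rather than an HTTPS call, and scopes take the form `mqtt:pub:<topic-prefix>` and `mqtt:sub:<topic-prefix>`.

```python
# Added example (hypothetical conventions, not the talk's own code).
# A bearer token is usable by whoever holds it, so a real deployment must
# only ever send this CONNECT packet inside a TLS session.
import struct
from typing import Optional


def _mqtt_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix followed by the bytes."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("MQTT strings are limited to 65535 bytes")
    return struct.pack(">H", len(data)) + data


def _encode_remaining_length(n: int) -> bytes:
    """Variable-length integer used in the MQTT fixed header (7 bits per byte)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)   # continuation bit when more bytes follow
        if not n:
            return bytes(out)


def build_connect(client_id: str, token: str, keepalive: int = 60) -> bytes:
    """Device side: CONNECT with username, password and clean-session flags set;
    the OAuth2 access token is sent as the password (assumed convention)."""
    flags = 0x80 | 0x40 | 0x02
    variable_header = _mqtt_string("MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive)
    payload = _mqtt_string(client_id) + _mqtt_string("oauth2") + _mqtt_string(token)
    body = variable_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def _read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated MQTT string")
    return buf[pos + 2:end].decode("utf-8"), end


def _decode_remaining_length(buf: bytes, pos: int):
    value, multiplier = 0, 1
    for _ in range(4):                       # the spec allows at most four bytes
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_connect(packet: bytes) -> dict:
    """Broker side: strict CONNECT parser that rejects truncated or mislabelled
    packets before any authentication decision is made."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_string(packet, pos)
    if proto != "MQTT" or packet[pos] != 0x04:
        raise ValueError("unsupported protocol name or level")
    flags = packet[pos + 1]
    (keepalive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_string(packet, pos)
    if flags & 0x04:                         # will flag set: skip will topic and message
        _, pos = _read_string(packet, pos)
        _, pos = _read_string(packet, pos)
    username = password = None
    if flags & 0x80:
        username, pos = _read_string(packet, pos)
    if flags & 0x40:
        password, pos = _read_string(packet, pos)
    if pos != len(packet):
        raise ValueError("trailing bytes in CONNECT")
    return {"client_id": client_id, "keepalive": keepalive,
            "username": username, "password": password}


# Constructed stand-in for the authorization server's token introspection
# endpoint (RFC 7662 response shape). A real broker would call WSO2 IS over HTTPS.
INTROSPECTION_TABLE = {
    "tok-sensor-42": {"active": True, "sub": "alice", "exp": 2000,
                      "scope": "mqtt:pub:home/alice/sensor/ mqtt:sub:home/alice/cmd/"},
    "tok-expired": {"active": False},
}


def introspect(token: str) -> dict:
    return INTROSPECTION_TABLE.get(token, {"active": False})


def authenticate(packet: bytes, now: float) -> Optional[dict]:
    """Returns the principal bound to the token, or None (broker answers CONNACK 'not authorized')."""
    try:
        conn = parse_connect(packet)
    except (ValueError, struct.error):
        return None
    if conn["username"] != "oauth2" or not conn["password"]:
        return None
    info = introspect(conn["password"])
    if not info.get("active") or info.get("exp", float("inf")) <= now:
        return None
    return {"sub": info["sub"], "client_id": conn["client_id"],
            "scopes": info.get("scope", "").split()}


def authorize(principal: dict, action: str, topic: str) -> bool:
    """action is 'pub' or 'sub'; a scope grants exactly the topic prefix it names.
    Because the check is on the literal prefix, a subscription filter such as
    'home/alice/cmd/#' is allowed while 'home/#' is refused."""
    prefix = f"mqtt:{action}:"
    allowed = [s[len(prefix):] for s in principal["scopes"] if s.startswith(prefix)]
    return any(topic.startswith(p) for p in allowed)


if __name__ == "__main__":
    pkt = build_connect("sensor-42", "tok-sensor-42")
    who = authenticate(pkt, now=1000)
    print(who, authorize(who, "pub", "home/alice/sensor/temp"), authorize(who, "pub", "home/bob/sensor/temp"))
```

Two points worth noting. Authentication happens once, at CONNECT, but the token's `exp` is checked against the broker's clock at that moment only; a long-lived MQTT session outlives a short-lived access token unless the broker re-checks or disconnects the client at expiry. And the scope-to-topic mapping lives entirely on the broker, so the device never needs to know the user's identity, which is exactly the delegation property that makes OAuth2 attractive for personal IoT.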
The session will cover:
- Challenges with IoT security
- Using OAuth2 to support federation and user-directed authorization
- Issues and areas for further work
- Future directions
The session will include a live demonstration of an Arduino device and Eclipse Paho interoperating, with the exchange secured by OAuth 2.0.