One of the early and important questions you need to ask any IoT provider is: do you support OAuth2 as a native service? This post explores that aspect of IoT to highlight its importance.
The Internet of Things is often looked upon as a piece of hardware that does a task. It is more useful, however, to look at each device as a service delivery point in a SaaS model. In that context, there is merit in looking at OAuth2 as the identity and access management infrastructure for a heterogeneous, multi-vendor environment (strictly, OAuth2 is the authorization framework; OpenID Connect, layered on top of it, supplies the identity part). It is a complementary technology to SSO, and it is already the mechanism micro-service providers in the cloud use.
Having a clear and secure architecture for identity management of the connected devices helps with their vertical integration and scalability. For instance, a Building Energy Management application should be able to access all the light switches in a building even when they come from three different vendors. The process needs to be secure and widely adopted so that there is a uniform way to access the resources. There are several home-grown methods of identity management, but none of them gives you consistent access-token management across vendors.
JSON Web Token (JWT, RFC 7519) has emerged as one of the most efficient ways of carrying a trust relationship to the micro services: the token is signed by the authorization server and verified locally by each service that receives it. This, in the opinion of Tantiv4, is also the best way to partition the micro-service classes when managing a large vertical such as a Building Energy Management application: each class of device gets its own scope (and, where needed, its own audience), so a token that controls lighting cannot be reused against the locks. Even in a Smart Home context, this approach, coupled with network partitioning using IPv6, is the best way to bring about security at both the network layer and the application layer. After all, you want different and stricter access management for your home monitoring system and smart locks than for, say, a smart switch. There is always a trade-off between security and convenience for every class of device. Two practical caveats for whoever implements the verifying side: pin the expected signing algorithm instead of trusting the alg header in the token, and check expiry, issuer and audience, not just the signature.
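To make the per-device-class partitioning concrete, here is an added example (not Tantiv4's code, and not any vendor's API) of a minimal authorization server that mints a JWT with OAuth2 scopes and a resource server that verifies it before letting a caller touch a device class. Everything in it is an assumption chosen for illustration: the shared secret, the issuer URL, the audience "building-7", and the scope names switches:control, monitor:read and locks:control. It uses HS256 with only the Python standard library so it runs anywhere; in a real multi-vendor deployment you would sign with an asymmetric algorithm (RS256 or ES256) so that each vendor's service holds only the issuer's public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example. A real multi-vendor deployment would
# sign with an asymmetric key (RS256/ES256) so that each vendor's service
# holds only the issuer's public key; HS256 is used here to stay stdlib-only.
SHARED_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://auth.building-example.test"   # hypothetical issuer URL

# Hypothetical scope names: one per device class. A token carrying the
# switches scope is useless against the locks service, which is the
# per-class partitioning the post argues for.
SCOPE_BY_DEVICE_CLASS = {
    "switch": "switches:control",
    "monitor": "monitor:read",
    "lock": "locks:control",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(subject, audience, scopes, ttl=300, now=None, key=SHARED_SECRET):
    """Authorization-server side: mint an HS256 JWT carrying OAuth2 scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": audience,        # which building / service the token is for
        "iat": now,
        "exp": now + ttl,       # short-lived: minutes, not days
        "scope": " ".join(scopes),
    }
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def unsigned_token(claims):
    """What an attacker might send: an 'alg: none' token with an empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_token(token, audience, now=None, key=SHARED_SECRET):
    """Resource-server side: return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token's own 'alg' header is attacker-controlled.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def authorize_device_action(token, device_class, audience, now=None):
    """Gate one device class behind its scope. Returns (allowed, reason)."""
    try:
        claims = verify_token(token, audience, now=now)
    except ValueError as exc:
        return False, str(exc)
    needed = SCOPE_BY_DEVICE_CLASS[device_class]
    if needed not in claims.get("scope", "").split():
        return False, f"missing scope {needed}"
    return True, claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    bems = issue_token("bems-app", "building-7", ["switches:control", "monitor:read"], now=t0)
    print(authorize_device_action(bems, "switch", "building-7", now=t0 + 10))   # (True, 'bems-app')
    print(authorize_device_action(bems, "lock", "building-7", now=t0 + 10))     # (False, 'missing scope locks:control')
    print(authorize_device_action(bems, "switch", "building-7", now=t0 + 400))  # (False, 'expired')
```

The Building Energy Management client holds a token scoped to switches and monitoring, so the lock service turns it away even though the signature, issuer and audience are all valid. The same verifier also rejects a token signed with a different key, an expired token, a token minted for another building, and an alg: none token, which is why the algorithm is pinned in code rather than read from the header.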
To sum up the case for OAuth2 in IoT:
* Easier scaling with an independent identity management service.
* Enables a micro-service architecture for IoT in the enterprise and consumer space.
* Allows SSO integration.
* Allows easier integration of the REST APIs of SaaS vendors.
* Allows differentiated services for multiple use cases on mobile devices.