This is the ninth in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.
The Open Authorization (OAuth) user authentication and authorization framework has become a popular and convenient way to secure access to IoT devices. The Arrayent platform employs OAuth 2.0, the most recent version of OAuth, to allow users to sign in and access their IoT devices using popular third-party accounts such as Amazon Alexa, Google Home, Nest, or Facebook. Essentially, OAuth allows users to securely delegate access to their data without sharing a username and password with yet another third party.
HOW OAUTH 2 WORKS
OAuth 2 uses token-based authentication and authorization. When a user logs into an application, they are redirected to the authorization server, where they log in and grant the app permission to access their data. The authorization server then returns a token that represents that permission. The app presents the token when it requests the user’s data from the resource server, which returns the data. The OAuth 2.0 specification defines several ways for a client to obtain ‘refresh’ and ‘access’ tokens, and a revocation mechanism that lets a client invalidate its tokens when the end user logs out, changes identity, or uninstalls the application. Because the access token grants access to the authorized resources, it must be kept secure. OAuth 2 mandates Transport Layer Security (TLS) to keep the communications channel secure. A token must also be managed throughout its lifecycle: creation, storage, use, refresh, and de-provisioning.
OAuth began as an Internet Engineering Task Force (IETF) standard for authorization that was first widely used for web services and has evolved with OAuth 2 in the IoT world. It provides what is called a “federated identity,” which is a means of linking a person’s electronic identity across multiple partner organizations providing authorized services for the specific user. Thus, it is a key to interoperability of devices through tokens. OAuth 2 is, in essence, a framework used for delegating access control and authorizations between services including web applications, desktop applications, mobile devices and other ecosystems.
ARRAYENT ECOADAPTOR API
The Arrayent EcoAdaptor v3 API supports cloud-to-cloud integration between Arrayent and other cloud services—e.g. Works With Nest, Amazon Alexa Voice Services, Google Assistant for Google Home, IFTTT, and more to come—by handling authentication, authorization, and functional entry points. The API covers an OAuth server along with access to users and devices.
EXAMPLE: WORKS WITH NEST
For example, Arrayent’s EcoAdaptor for the Nest Learning Thermostat provides connected product manufacturers the ability to link their product’s functionality with the end user’s Nest account. This allows the connected product manufacturer to access the thermostat’s ability to sense whether people are at home or if the house is empty. Arrayent represents a Nest user account as an Arrayent device associated to an Arrayent user account. The device representing the Nest user account is referred to as the Nest Virtual Device in the Arrayent ConnectCloud and uses the Nest Virtual Device data model.
Using Nest Access as the example, here’s how OAuth works: A token is used to represent the end user when accessing his or her data in the Nest cloud. The authorization is specific to a particular application so each OAuth token is not only Nest User-specific but also application-specific and should be used to identify and authorize access to the end user information in the Nest cloud. To create a Nest authorization token, the client application requires a Client ID and Client Secret.
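The token lifecycle described in the “How OAuth 2 Works” section and the application-specific token binding described for Nest above are easiest to see with both sides of the exchange in one place. The following is an added, self-contained Python simulation written for this post; it is not Arrayent, Nest, or any library’s code. All client identifiers, secrets, redirect URIs, scopes, and the user record are constructed sample values. It models an authorization server that issues a single-use authorization code, exchanges it (with client authentication) for access and refresh tokens bound to one user and one client, a resource server that checks the token before returning data, and the refresh and revocation steps that de-provision tokens.

```python
import hashlib
import hmac
import secrets
import time

# Constructed client registration: a hypothetical app with a pre-shared secret
# (stored hashed, as a real authorization server would) and a fixed redirect URI.
CLIENTS = {
    "thermostat-app": {
        "secret_hash": hashlib.sha256(b"app-secret-example").hexdigest(),
        "redirect_uri": "https://app.example/callback",
    }
}


class AuthorizationServer:
    """In-memory model of the OAuth 2 authorization-code grant, refresh and revocation."""

    def __init__(self, code_ttl=60, access_ttl=3600):
        self._codes = {}      # authorization code -> grant record (single use)
        self._access = {}     # access token -> {user, client_id, scope, exp}
        self._refresh = {}    # refresh token -> {user, client_id, scope, access}
        self.code_ttl = code_ttl
        self.access_ttl = access_ttl

    def authorize(self, user, client_id, redirect_uri, scope):
        # The user has logged in here and consents; the server issues a short-lived code
        # bound to the client that asked for it, only to the registered redirect URI.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"user": user, "client_id": client_id,
                             "scope": scope, "exp": time.time() + self.code_ttl}
        return code

    def _authenticate_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None:
            return False
        given = hashlib.sha256(client_secret.encode()).hexdigest()
        return hmac.compare_digest(given, client["secret_hash"])   # constant-time compare

    def _issue(self, user, client_id, scope):
        # Tokens are random, unguessable, and bound to both the user and the application.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"user": user, "client_id": client_id, "scope": scope,
                                "exp": time.time() + self.access_ttl}
        self._refresh[refresh] = {"user": user, "client_id": client_id, "scope": scope,
                                  "access": access}
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.access_ttl}

    def token(self, client_id, client_secret, code):
        # Token endpoint: the client proves its identity, then redeems the code exactly once.
        if not self._authenticate_client(client_id, client_secret):
            raise PermissionError("client authentication failed")
        grant = self._codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or grant["exp"] < time.time():
            raise PermissionError("invalid, expired, or replayed authorization code")
        return self._issue(grant["user"], client_id, grant["scope"])

    def refresh(self, client_id, client_secret, refresh_token):
        # Rotating refresh: the old refresh token and its access token are retired together.
        if not self._authenticate_client(client_id, client_secret):
            raise PermissionError("client authentication failed")
        rec = self._refresh.pop(refresh_token, None)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("invalid refresh token for this client")
        self._access.pop(rec["access"], None)
        return self._issue(rec["user"], client_id, rec["scope"])

    def revoke(self, client_id, client_secret, token):
        # De-provisioning (the mechanism RFC 7009 standardises): either token kind may be
        # presented, and revoking a refresh token also invalidates its access token.
        if not self._authenticate_client(client_id, client_secret):
            raise PermissionError("client authentication failed")
        rec = self._refresh.pop(token, None)
        if rec is not None:
            self._access.pop(rec["access"], None)
            return True
        if self._access.pop(token, None) is not None:
            self._refresh = {r: v for r, v in self._refresh.items() if v["access"] != token}
            return True
        return False

    def introspect(self, access_token):
        """Return the token record if it is live, else None (used by the resource server)."""
        rec = self._access.get(access_token)
        if rec is None or rec["exp"] < time.time():
            return None
        return rec


class ResourceServer:
    """Holds per-user data (here a constructed home/away flag) and checks the bearer token."""

    def __init__(self, auth_server, user_data):
        self.auth, self.data = auth_server, user_data

    def read_home_status(self, bearer_token):
        rec = self.auth.introspect(bearer_token)
        if rec is None or "home_status" not in rec["scope"].split():
            raise PermissionError("missing, expired, or under-scoped token")
        return self.data[rec["user"]]


def run_flow():
    """Walk one user through authorize -> token -> use -> refresh -> revoke and report each check."""
    auth = AuthorizationServer()
    res = ResourceServer(auth, {"alice": {"away": True}})          # constructed user data
    cid, secret, uri = "thermostat-app", "app-secret-example", "https://app.example/callback"
    code = auth.authorize("alice", cid, uri, "home_status")
    try:
        auth.token(cid, "wrong-secret", code)
        wrong_secret_rejected = False
    except PermissionError:
        wrong_secret_rejected = True
    tokens = auth.token(cid, secret, code)
    first_read = res.read_home_status(tokens["access_token"])
    try:
        auth.token(cid, secret, code)                                # replaying the code
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    renewed = auth.refresh(cid, secret, tokens["refresh_token"])
    old_access_dead = auth.introspect(tokens["access_token"]) is None
    revoked = auth.revoke(cid, secret, renewed["refresh_token"])
    revoked_access_dead = auth.introspect(renewed["access_token"]) is None
    return {"first_read": first_read, "wrong_secret_rejected": wrong_secret_rejected,
            "replay_rejected": replay_rejected, "old_access_dead": old_access_dead,
            "revoked": revoked, "revoked_access_dead": revoked_access_dead}


if __name__ == "__main__":
    print(run_flow())
```

Two design points are worth noting against the post. The code, the refresh token and the revocation call are all checked against the client that originally obtained them, which is what makes a token application-specific rather than merely user-specific. And the simulation leaves out the one thing the post says is mandatory: every one of these exchanges must travel over TLS, since any of the random strings above is a bearer credential for the user’s data until it is refreshed or revoked.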
FEDERATING AND DEFEDERATING A USER ACCOUNT
With Nest, federating or defederating a user account is a five-step process:
A more detailed description can be found here.
WHAT DOES IT ALL MEAN?
By embracing the OAuth framework, Arrayent makes it simple for connected product manufacturers to create end user experiences that incorporate secure interoperability with third-party products. And we maintain that high level of security without requiring clunky security procedures for users that creates friction between them and the products they want to use. And isn’t making connected products better and easier to use what IoT should be all about?
For more info about Arrayent IoT Cloud Services or to download a brochure, click here.
Other Reading on OAuth 2:
“Everything You Wanted To Know About OAuth 2 But Were Too Afraid To Ask” — Kassandra Perch, Auth0
“Why OAuth 2.0 Is Vital To IoT Security” — Kristopher Sandoval, Nordic APIs
“OAuth Authentication Authorization For Mobile Applications” — Paul Madsen, Cloud Security Alliance