Abstract
The OAuth framework emerged from research into the problem of authorization: enabling a third-party service to access a resource server in a secure manner, using token-based authorization that does not expose the user ID and password. The OAuth framework grants a third-party entity restricted access through a token-based access control mechanism. This framework is widely used as a de facto standard. Companies such as Google, Facebook, LinkedIn, and Microsoft use the OAuth mechanism to enable third-party services to access their resources in a secure manner. However, the OAuth mechanism operates over HTTP (HyperText Transfer Protocol), which assumes that a cloud server adopting the OAuth mechanism will primarily operate using HTTP. The de facto standard protocol used by IoT (Internet of Things) devices is CoAP (Constrained Application Protocol), which is designed to be used by simple, in other words limited, devices. An IoT cloud that interconnects IoT devices and related applications mainly uses CoAP over TCP (Transmission Control Protocol). This paper describes the development of a pragmatic approach to authorizing an application that accesses IoT devices using CoAP while interworking with already deployed HTTP-based authorization servers that use the OAuth mechanism. The architecture developed using the proposed approach has been evaluated using a real-world device, a Samsung air conditioner, with Samsung, Facebook, and GitHub accounts. This work has become the open source IoT cloud reference implementation of OCF (Open Connectivity Foundation).