WebThingsIO / api

Web Thing API Specification
http://iot.mozilla.org/wot/

Add a "Security Considerations" section #14

Open benfrancis opened 7 years ago

benfrancis commented 7 years ago

Note: Try to keep security metadata in HTTP headers rather than the Thing Description itself.

benfrancis commented 7 years ago

Consider recommending OAuth 2.0 for authorizing API requests

skyred commented 6 years ago

OAuth2 has a concept of "consumer"; I am interested in learning how "Thing" is related to "Consumer".

benfrancis commented 6 years ago

@hobinjk Are you interested in starting a Security Considerations section by providing examples of how OAuth can be used to authorise different levels of access to Things?

I think the security section can largely be advisory and explain that because the Web of Things is built on the web, we can re-use lots of existing security implementations. Then make recommendations about things like SSL and OAuth.

There are also some people at the W3C arguing for an explicit "security" member of the Thing Description which provides security metadata like where an OAuth token can be fetched from. I'm not sure whether or not this should live in the Thing Description but we could also discuss adding that in this issue or a separate issue.