Open benfrancis opened 7 years ago
Consider recommending OAuth 2.0 for authorizing API requests
OAuth2 has a concept of "consumer", I am interested in learning how "Thing" is related to "Consumer".
@hobinjk Are you interested in starting a Security Considerations section by providing examples of how OAuth can be used to authorise different levels of access to Things?
I think the security section can largely be advisory and explain that because the Web of Things is built on the web, we can re-use lots of existing security implementations. Then make recommendations about things like SSL and OAuth.
There are also some people at the W3C arguing for an explicit "security" member of the Thing Description which provides security metadata like where an OAuth token can be fetched from. I'm not sure whether or not this should live in the Thing Description but we could also discuss adding that in this issue or a separate issue.
Note: Try to keep security metadata in HTTP headers rather than the Thing Description itself.
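As an added illustration of the two points raised above (scopes granting different levels of access to a Thing, and security metadata carried in HTTP headers rather than the Thing Description), here is a small gateway-side check; it is example code written for this thread, not code from the project. The scope names, the token store, the token endpoint URL and the `authorization_uri` parameter are assumptions; only `realm`, `scope` and `error` are RFC 6750 parameters.

```python
from typing import Optional, Tuple, Dict

# Assumed mapping from (HTTP method, WoT interaction type) to the OAuth 2.0
# scope a consumer must hold. These scope names are an assumption.
REQUIRED_SCOPE = {
    ("GET", "properties"): "thing:read",
    ("PUT", "properties"): "thing:write",
    ("POST", "actions"): "thing:actions",
}

# Constructed stand-in for token introspection (RFC 7662 would normally answer this).
TOKENS = {
    "tok-viewer": {"scope": "thing:read", "active": True},
    "tok-operator": {"scope": "thing:read thing:write thing:actions", "active": True},
    "tok-expired": {"scope": "thing:read", "active": False},
}

TOKEN_ENDPOINT = "https://auth.example/oauth/token"  # placeholder, not a real endpoint


def challenge(scope: str, error: Optional[str] = None) -> str:
    """Build an RFC 6750 Bearer challenge for the WWW-Authenticate header."""
    params = ['realm="thing"', f'scope="{scope}"']
    if error:
        params.append(f'error="{error}"')
    # authorization_uri is NOT an RFC 6750 parameter: it is an assumed way to
    # advertise where a token can be obtained in the header rather than in the TD.
    params.append(f'authorization_uri="{TOKEN_ENDPOINT}"')
    return "Bearer " + ", ".join(params)


def authorize(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request to /things/<id>/<interaction>/...
    200 means the request may be forwarded to the Thing; 401/403 carry a challenge."""
    parts = path.strip("/").split("/")
    interaction = parts[2] if len(parts) > 2 else None
    needed = REQUIRED_SCOPE.get((method.upper(), interaction))
    if needed is None:
        return 404, {}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": challenge(needed)}           # no credentials
    info = TOKENS.get(token)
    if info is None or not info["active"]:
        return 401, {"WWW-Authenticate": challenge(needed, "invalid_token")}
    if needed not in info["scope"].split():
        return 403, {"WWW-Authenticate": challenge(needed, "insufficient_scope")}
    return 200, {}
```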