WebThingsIO / gateway

WebThings Gateway
http://webthings.io/gateway
Mozilla Public License 2.0

Implement Security Bootstrapping #3081

Open benfrancis opened 1 year ago

benfrancis commented 1 year ago

In the WoT Discovery specification, "security bootstrapping" requires that an unauthenticated request for a Thing Description is responded to in a certain way such that a Consumer knows how to authenticate in order to access the resource.

WebThings Gateway already responds with a 401 response if a valid JWT is not provided, which would be valid for the Bearer security scheme if a WWW-Authenticate header was also provided. Alternatively, if the OAuth2 scheme is used it should respond with a 302 or 303 response and implement the full OAuth2 flow.

Note that authenticating access to the Thing Description is technically different to authenticating access to the Thing's interaction affordances, which is what the security metadata inside the Thing Description is for. Currently WebThings Gateway uses the same security mechanism (JWT tokens) for both. It claims to use OAuth2 for interaction affordances, but that doesn't appear to be fully implemented.

benfrancis commented 1 month ago

See also: https://github.com/w3c/wot-discovery/issues/549