Review EdgeX Security Architecture and align with it

[mmccool]

As I would like to see WoT integrated with EdgeX, we should review the EdgeX security architecture to see if we are overlooking any requirements, e.g. OAuth2 parameters.

Documentation is here (for the "Fuji" release): https://fuji-docs.edgexfoundry.org/Ch-Security.html Some points I have gleaned so far:

• Uses Vault to manage secrets (including, I think, the certs to support https)
• Supports a secure reverse proxy (API Gateway, based on Kong) to protect access to microservice APIs, which uses https/TLS and JWT (in URLs, provided as a query parameter). Baking the JWT into the URL might require URI templates, etc. When the API gateway is active a firewall is turned on the on the gateway to block direct access to microservice API (including device APIs)
• The API gateway currently only supports the "client" flow; talking to EdgeX people about future support for the "device" flow
• The API gateway also supports an ACL
• I don't (yet) understand how scopes work, e.g. how they map onto the roles given in the ACL. I am talking to the EdgeX people about this.

[mmccool]

To do:

• look at the latest version of the spec
• do a write-up summary, similar to what I did for ITU-T