w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Implementation of security support in node-wot #73

Open mkovatsc opened 6 years ago

mkovatsc commented 6 years ago

To get some progress, I want to quickly document how node-wot currently supports security mechanisms based on TD metadata.

When starting a runtime, commission it with its credentials:

this.addCredentials(this.config.credentials);

When initializing the client-implementation for a new ConsumedThing, configure it with the TD security metadata:

client.setSecurity(this.td.security);

Inside the client implementation, create a request that applies the available credentials to the security mechanism required by the metadata (actually node-wot only does this once, not for every request):

  if (security.authorization === "Basic") {
    // configure for Basic Auth
  } else if (security.authorization === "Bearer") {
    // configure with Bearer token, maybe contact auth server to get one if not available
  } else if (security.authorization === "Proxy") {
    // configure request to go through a proxy
  }

TD security examples. Note that an identifier is needed for the Thing described. I used @id with a URN. I loosely based that on https://tools.ietf.org/html/draft-arkko-core-dev-urn-05:

    "@id": "urn:dev:wot:fujitsu-beacon",
    "security": {
        "authorization": "Bearer",
        "alg": "ES256",
        "as": "https://plugfest.thingweb.io:8443/"
    },

    "@id": "urn:dev:wot:festo",
    "security": {
        "authorization": "Proxy",
        "proxyAuthorization": "Basic",
        "href": "http://plugfest.thingweb.io:8087"
    },

Runtime configuration example. Note that the key in the credentials object ties it to the Thing's @id:

    "credentials": {
        "urn:dev:wot:fujitsu-beacon": {
            "token": "eyJhjGciUzI1NiJ7OiJF.eyJhdWQiOiJOaWNlUGx1Z2Zlc3RSUyIsInN1YiI6IjA2OTgyMWE4LTlmMwUxM2EwDYtNDJhYS1hYjkyLWQ0ZYTlkZSIIk5pY2VQbHsImlzcyI6VnZmVzdEFTIiwidHlwIjoib3JnOncz0ndvdDpqd3Q6YXM6bWluIiwianRpIjoiNjtZWY3Yy00NmRjYTU0OGMM2LWI3N2MtYWM2OTg4MzBjODIxIn0.TOMCAG-MUVuOJ4LVknfWbmXEQWgLOC2jyRDC-Z1kg6tKngpvflWxJLFMVRS7D9M2sFVOmR3gt00nwN7LZZMn5w"
        },
        "urn:dev:wot:smartspace-couch": {
            "asToken": "yI1NiTsInR5fCI3IkpXeyJhbGciOiJIUVCJ9.I6IjVhexJpZCMmU5ZWMxZMDAxMTNlZDWM3OWMwY0YSIsImlhdCI6MTUxMzE3MTEzMSwiZXhwIjoxNTEzMjU3NTMxfQ.sLjtWu-KSnAZOZN0PvGbF911Sfq5NeiNWYRqlKgx4v4"
        },
        "urn:dev:wot:festo": {
            "username": "user",
            "password": "secret123not"
        }
    }

P.S.: While checking the actual code now, I noticed a gap that might have been caused by merging with the Prague branch. Will work on that...
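The credential lookup and scheme dispatch described in the comment above, written out as an added example (this is not node-wot's own code). It assumes the TD field names and scheme values from the examples (`authorization`, `proxyAuthorization`, `href`, `as`) and a credentials object keyed by the Thing's `@id`, and it fails closed when no matching credential is commissioned.

```javascript
// Added example, not node-wot's code: select the credentials commissioned into
// the runtime by the Thing's @id and turn the TD security block into request
// options. Field and scheme names follow the TD examples in the comment above.
function buildRequestSecurity(td, credentials) {
  const id = td["@id"];
  if (!id) throw new Error("TD has no @id, cannot select credentials");
  const creds = credentials[id];
  if (!creds) throw new Error(`no credentials commissioned for ${id}`);
  const sec = td.security || {};
  const headers = {};
  const opts = { headers };

  // Basic needs both parts; never send a half-formed credential.
  const basic = () => {
    if (!creds.username || creds.password === undefined) {
      throw new Error(`Basic requires username and password for ${id}`);
    }
    return "Basic " + Buffer.from(`${creds.username}:${creds.password}`).toString("base64");
  };

  switch (sec.authorization) {
    case "Basic":
      headers.Authorization = basic();
      break;
    case "Bearer":
      // Fetching a token from sec.as when none is configured is out of scope here.
      if (!creds.token) throw new Error(`Bearer requires a token for ${id} (as: ${sec.as})`);
      headers.Authorization = `Bearer ${creds.token}`;
      break;
    case "Proxy":
      if (!sec.href) throw new Error(`Proxy scheme needs an href for ${id}`);
      opts.proxy = sec.href;
      if (sec.proxyAuthorization === "Basic") {
        headers["Proxy-Authorization"] = basic();
      } else if (sec.proxyAuthorization !== undefined) {
        throw new Error(`unsupported proxyAuthorization: ${sec.proxyAuthorization}`);
      }
      break;
    default:
      // Fail closed instead of sending an unauthenticated request.
      throw new Error(`unsupported authorization scheme: ${sec.authorization}`);
  }
  return opts;
}

// Constructed sample input mirroring the festo TD and credentials above.
const sampleTd = { "@id": "urn:dev:wot:festo", security: { authorization: "Proxy", proxyAuthorization: "Basic", href: "http://plugfest.thingweb.io:8087" } };
const sampleCredentials = { "urn:dev:wot:festo": { username: "user", password: "secret123not" } };
console.log(buildRequestSecurity(sampleTd, sampleCredentials));
```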

mmccool commented 6 years ago

We were wondering if we should "close" this issue... it's not really an issue, but documentation. Maybe it should be moved somewhere more permanent?