User-Managed Access (UMA) … Authorization for Internet of Things (IoT) / IoT & Identity

From IIW

Session Topic: Internet of Things and Identity and UMA

Tuesday 5J

Convener: Joe Andrieu, Eve Maler, Marcelo Da Cruz

Notes-taker(s): Joe Andrieu

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Internet of things & Identity

Examples raised:
Nest - in-home device, data going to the cloud
PlayaLightz - wearable social-network blinkie
Fuse - car data wirelessly sent to a personal cloud

Opportunities? Concerns? Solutions?

Do you need an identity? Not technically: for isolated control you can do it with an authorization code. But for all practical purposes you'll need to share control and/or refer to a device in a conversation, and identity will get attached.

Low power RF

Devices -> API -> Apps
        |      |

The API sits in the cloud, at the service provider. The two bars mark two boundaries: between on-premise and off (the home and the cloud), and between the API provider and the cloud apps.

For example, the Nest thermostat connects to the cloud, and the server then exposes a RESTful API to apps.

Today there is no way to control Nest locally; it requires access through the cloud. The capability to control devices locally is uncommon in consumer apps, but it is common in the enterprise.

What we need is something like a registry that lets apps reach back into the local resources.

What you want to do is to negotiate the ability to access the resource.

People / Devices / Cloud Services !!!?!?!?!?!?!

Eve gave a UMA presentation. Constrained environments...

Connected dishwashers leak data, which is a privacy concern. So we would like to authorize access...

What about smart medical thingies?

And OMG, Solar Freaking' Roadways!!

The reefer use case: refrigerated shipping containers; the ship needs to discover the container.

What about GPS leakage? Walking the dog leaks GPS data about us.

ACE (Authorization in Constrained Environments)

Eve: Cannot solve IoT unless you simultaneously solve for both IoT and the Web.

The question is who owns that data, who is responsible for it, and who uses that information. That's what makes it an identity problem.

Who has title? Who has what kinds of access?

How far can existing technologies meet our needs?

XACML (eXtensible Access Control Markup Language) vs. OAuth 2.0:

Criterion      XACML   OAuth 2.0
Scale          no      partial
Discovery      no      partial
Privacy        1/2     partial (consent good)
Flexibility    no      yes
Partitioning   1/2     partial

See presentation for more stuff

UMA is about interoperable RESTful authorization-as-a-service

UMA also allows asynchronous permissioning based on pre-arranged rules, in contrast with OAuth, which is really built for synchronous permissioning when Alice shares with Alice (sharing data between apps as the same individual). But when Alice shares with Bob, synchrony can't be assumed, and Alice isn't the active user on both services...

UMA covers the granting of entitlements (through scopes) asynchronously, because it does not require the grantor to be online at the time of the access request.

What's the experience like? Just like "sharing" a doc in Google apps.

Fuse needs to use OAuth to connect a user's MVNO account to their Fuse account. But when that access token expires, how do you reacquire access when the user isn't there to click through a popup?

So if the car is towed after that token expires, the expired token prevents the tracking data from being collected.
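The asynchronous, rule-based grant described above, and the Fuse problem of re-acquiring access while the user is away, as an added toy simulation (not code from the session or from any UMA implementation): the authorization server, resource server and client below are constructed, the party names, policy format and telemetry data are assumptions, and the messages are simplified from UMA's permission-ticket and RPT exchange.

```python
import secrets
class AuthorizationServer:
    """UMA-style AS (constructed illustration; names and policy format are assumptions)."""
    def __init__(self):
        self.policies = {}  # (resource, requesting party) -> scopes Alice pre-arranged
        self.tickets = {}   # permission ticket -> (resource, scopes)
        self.rpts = {}      # requesting party token (RPT) -> (resource, scopes)
    def set_policy(self, resource, requesting_party, scopes):
        # Alice sets this once, while online; it is evaluated later without her.
        self.policies[(resource, requesting_party)] = frozenset(scopes)
    def register_permission(self, resource, scopes):
        # The RS reports an attempted access and receives a permission ticket.
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource, frozenset(scopes))
        return ticket
    def request_rpt(self, ticket, requesting_party):
        # Policy decision taken with the resource owner offline: no popup needed.
        resource, scopes = self.tickets.pop(ticket)
        if not scopes <= self.policies.get((resource, requesting_party), frozenset()):
            return None
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = (resource, scopes)
        return rpt

class ResourceServer:
    def __init__(self, authz, data):
        self.authz, self.data = authz, data
    def get(self, resource, scope, rpt=None):
        # Missing or insufficient RPT: answer 401 carrying a fresh permission ticket.
        perm = self.authz.rpts.get(rpt)
        if perm is None or perm[0] != resource or scope not in perm[1]:
            return "401", self.authz.register_permission(resource, [scope])
        return "200", self.data[resource]

def client_fetch(rs, authz, resource, scope, requesting_party):
    status, body = rs.get(resource, scope)                 # first try, no token
    if status == "401":
        rpt = authz.request_rpt(body, requesting_party)    # trade ticket for RPT
        if rpt is None:
            return "403", None
        status, body = rs.get(resource, scope, rpt)        # retry with the RPT
    return status, body

def demo():
    authz = AuthorizationServer()
    rs = ResourceServer(authz, {"car/telemetry": {"odometer_km": 42195}})  # constructed data
    authz.set_policy("car/telemetry", "fuse-app", ["read"])  # Alice, online, pre-arranges
    granted = client_fetch(rs, authz, "car/telemetry", "read", "fuse-app")   # Alice now offline
    denied = client_fetch(rs, authz, "car/telemetry", "read", "other-app")  # no rule for it
    return granted, denied
```

An expired or unknown RPT simply yields a new ticket, so the client can re-run the same exchange without the user present, which is the gap the Fuse/MVNO OAuth token leaves open.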

Challenge: Imagine these services without the cloud. IoT can be 100% local without service-based identifiers and communications.