Explaining the IoT scenario a bit more in detail.

We support OAuth 2.0 as one way to authorise devices connecting to IoT
Server. (There can be many more mechanisms: Mutual Auth, etc. OAuth2 is
something we support OOB.)

When doing so, the extender of IoT Server has two options to obtain tokens:
- #1 Have an OAuth2 client application per device instance
- #2 Or have it per device type

While #1 offers more control, it's resource intensive on the server side. #1 can
also be a challenge on constrained devices. #2 is more suitable when
devices are not so remotely distributed. #2 can also pose bigger
security risks if the agent code running inside the device is freely accessible to
untrusted parties.

So as a vendor of an IoT platform, the more tweaking control we provide for
implementors to choose their expiry time and application scope the better.

@Sanjeewa
From an implementation PoV,
1. We store the token expiry time when DCR request comes in (so that all
tokens created for that application will carry a <= expiry value)

2. In token issuer, we get the application id, fetch expiry time and issue
the token (if token creation request has expiry time we also honour that)

3. Validator logic would not have any change AFAIC.




On Fri, Apr 21, 2017 at 1:00 PM, Asela Pathberiya <[email protected]> wrote:

> Hi IS/APIM team,
>
> Is $subject in our roadmap? This seems to be a required feature.
> Different applications may need different user token expiry times based
> on their security level.
>
> Just heard that the IoT Server may already have a requirement for that. It is
> needed to define a token expiry level based on device type. Say,
> some devices' tokens may be embedded and these tokens may have a longer expiry
> time (never expire). Also, some device types need a shorter expiry time
> based on their security policies. It is not clear how we handle this
> with the APIM feature without $subject. But this can be easily handled if
> we can have such a feature inbuilt.
>
> Thanks,
> Asela



-- 
/sumedha
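
The three implementation steps in the message above, sketched as an added example (not part of the original message and not WSO2 code). All class, method and parameter names are hypothetical, and it assumes that honouring a per-request expiry means accepting it only up to the value stored for the application at registration.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Token:
    value: str
    client_id: str
    issued_at: float
    expires_in: int  # lifetime in seconds

class AuthServer:
    """In-memory model; every name here is hypothetical, not a WSO2 API."""

    def __init__(self, default_expiry=3600):
        self.default_expiry = default_expiry
        self.app_max_expiry = {}  # client_id -> ceiling on token lifetime (s)
        self.tokens = {}          # token value -> Token

    def register_client(self, name, token_expiry=None):
        # Step 1: persist the expiry ceiling with the DCR registration.
        if token_expiry is not None and token_expiry <= 0:
            raise ValueError("token_expiry must be positive")
        client_id = f"{name}-{secrets.token_hex(4)}"
        self.app_max_expiry[client_id] = token_expiry or self.default_expiry
        return client_id

    def issue_token(self, client_id, requested_expiry=None, now=None):
        # Step 2: fetch the application's ceiling; a per-request value is
        # honoured only when it does not exceed that ceiling (assumption).
        if client_id not in self.app_max_expiry:
            raise KeyError("unknown client")
        ceiling = self.app_max_expiry[client_id]
        if requested_expiry is None:
            expires_in = ceiling
        elif requested_expiry <= 0:
            raise ValueError("requested_expiry must be positive")
        else:
            expires_in = min(requested_expiry, ceiling)
        now = time.time() if now is None else now
        tok = Token(secrets.token_urlsafe(16), client_id, now, expires_in)
        self.tokens[tok.value] = tok
        return tok

    def validate(self, token_value, now=None):
        # Step 3: validator is unchanged; it only checks the token's own expiry.
        tok = self.tokens.get(token_value)
        now = time.time() if now is None else now
        return tok is not None and now < tok.issued_at + tok.expires_in
```

Registering one client per device type with a short ceiling limits how long a token lifted from freely accessible agent code stays usable, without touching the validator.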