Hello.
The current auth idea - IoTivity Cloud Interface and IoTivity Server (any device,
for example a raspi without display) - is based on the OAuth authorization code grant.
My question is: how does it make sense?
We have four roles, which in the current implementation look like:
Resource Owner -> device
Resource Server -> github
Client -> IoTivity Cloud Interface (java app running in cloud)
Authorization Server -> github
[Description: Authorization Code Grant Flow]
To understand the authorization code grant flow, the client (iotivity cloud) should be
the one interested in the authorization code + access token. It can get it when the
resource owner (device) provides its credentials, and the client (iotivity cloud)
can use it for communication with the resource server (?).
Actual state: the resource owner (device) needs the authorization code and
access token to communicate with the client (iotivity cloud).
How does this make sense, please?
In my opinion, the resource server should be IoTivity; it hosts the data of all
resource owners -> devices. Which authorization server is used is not important,
but this condition, device == identity (user), must be met.
Each device should be the registered client + resource owner. For this, the
client credentials grant flow is suited. The client can request a token with a client
secret or an x509 cert.
What am I missing?
Thanks for the explanation of the actual approach.
Thanks
Ondrej
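The client credentials variant proposed in the message above, sketched as an added example that is not IoTivity's code or part of this thread: the device is a registered OAuth client that authenticates to the token endpoint with its client secret, and the cloud resource server validates the issued bearer token. The client registry, secrets, claim layout and the signing key shared by the two servers are constructed assumptions for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: the authorization server's token signing key and the
# registry of device clients (client_id -> sha256 of the client secret).
AS_SIGNING_KEY = b"constructed-authorization-server-key"
REGISTERED_CLIENTS = {"raspi-0001": hashlib.sha256(b"constructed-secret-1").hexdigest()}
TOKEN_LIFETIME = 3600

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_endpoint(grant_type, client_id, client_secret, now=None):
    """Authorization server side of the client credentials grant (RFC 6749 section 4.4):
    the device authenticates as a registered client; there is no separate resource-owner
    login step, so the device is both the client and the identity the token names."""
    if grant_type != "client_credentials":
        return {"error": "unsupported_grant_type"}
    expected = REGISTERED_CLIENTS.get(client_id)
    given = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time comparison, and an unknown client_id fails the same way as a bad secret.
    if expected is None or not hmac.compare_digest(expected, given):
        return {"error": "invalid_client"}
    now = int(time.time()) if now is None else now
    claims = {"sub": client_id, "iat": now, "exp": now + TOKEN_LIFETIME, "scope": "device"}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(AS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return {"access_token": f"{payload}.{sig}", "token_type": "Bearer",
            "expires_in": TOKEN_LIFETIME}

def resource_server_check(token, now=None):
    """Resource server side (the cloud interface): verify the bearer token's signature and
    expiry and return the device identity it names, or None if the token is rejected.
    Assumption: the resource server holds the same HMAC key as the authorization server."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = b64url(hmac.new(AS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims["sub"]
```

With a real deployment the shared HMAC key would be replaced by an asymmetric signing key or token introspection so the resource server cannot mint tokens itself.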