23 October 2015

Device Authorization using OAuth2 and OpenAM

IoT and smart device style use cases, often require the need to authorize a device to act on behalf of a user.  A common example is things like smart TV's, home appliances or wearables, that are powerful enough to communicate over HTTPS, and will often access services and APIs on the end user's behalf.

How can that be done securely, without sharing credentials?  Well, OAuth2 can come to the rescue. Whilst not part of the ratified standard, many of the OAuth2 IETF drafts, describe how this could be acheived using what's known as the "Device Flow"  This flow leverages the same components of the other OAuth2 flows, with a few subtle differences.

Firstly, the device is generally not known to have a great UI, that can handle decent human interaction - such as logging in or authorizing a consent request.  So, the consenting aspect, needs to be handled on a different device, that does have standard UI capabilities.  The concept, is to have the device trigger a request, before passing the authorization process off to the end user on a different device - basically accessing a URL to "authorize and pair" the device.


From an OpenAM perspective, we create a standard OAuth2 (or OIDC) agent profile with the necessary client identifier and secret (or JWT config) with the necessary scope.  The device starts the process by send a POST request to /oauth2/device/code end point, with arguments such as the scope, client ID and nonce in the URL.  If the request is successful, the response is a JSON payload, with a verification URL, device_code and user_code payload.


The end user views the URL and code (or perhaps notified via email or app) and in a separate device, goes to the necessary URL to enter the code.


This triggers the standard OAuth2 consent screen - showing which scopes the device is trying to access.


Once approved, the end user dashboard in the OpenAM UI shows the authorization - which importantly can be revoked at any time by the end user to "detach" the device.


Once authorized, the device can then call the ../oauth2/device/token? endpoint with the necessary client credentials and device_code, to receive the access and refresh token payload - or OpenID Connect JWT token as well.



The device can then start accessing resources on the users behalf - until the user revokes the bearer token.

NB - this OAuth2 flow is only available in the nightly OpenAM 13.0 build.

DeviceEmulator code that tests the flows is available here.