- From: Drasko DRASKOVIC <drasko.draskovic@gmail.com>
- Date: Mon, 8 Feb 2016 20:05:00 +0100
- To: Dave Raggett <dsr@w3.org>
- Cc: Tibor Pardi <tibor@zovolt.com>, Public Web of Things IG <public-wot-ig@w3.org>
On Mon, Feb 8, 2016 at 7:22 PM, Dave Raggett <dsr@w3.org> wrote:
> Any thoughts on access control, a) for discovery and b) for accessing the
> service?
>
> We would want to provide a simple approach that is easy to configure.

I do not know how Telehash solves this exactly, this is worth looking into.

The usual centralized approach is via api_key, i.e. a secret token. Meshblu (https://github.com/octoblu/meshblu) for example uses simple device provisioning via POST on the /devices route. For some reason I do not understand, they use both auth_uuid and auth_token (https://github.com/octoblu/meshblu/issues/116). Also it might be noted that I stumbled upon some weird SW patents that they filed: https://github.com/octoblu/meshblu/issues/117, which is kind of sad - because the SW is MIT licensed.

In Mainflux (https://github.com/Mainflux/mainflux) I use JWT, which is generated to hold the device auth_id inside it: https://github.com/Mainflux/mainflux/blob/master/app/controllers/devices.js#L25. The server (based on Restify) protects all routes except /status and POST on devices (for provisioning) with this JWT: https://github.com/Mainflux/mainflux/blob/master/server.js#L34.

I am looking now at Fiware (https://www.fiware.org/), but it uses pretty heavy OAuth2 authentication via proxies that protect accesses to various microservices...

Don't know - if there will be a notion of users on the server which can control only their subset of devices, maybe OAuth2 might be the best solution...

BR,
Drasko
Received on Monday, 8 February 2016 19:05:29 UTC
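
The JWT scheme described in the message above (token minted at provisioning, every route except /status and POST /devices requiring it), as an added example that is not Mainflux's code or part of the original post. The secret, the claim name, the handler shape and the per-device scoping rule are assumptions; it uses only Node's built-in crypto module.

```javascript
const { createHmac, timingSafeEqual, randomUUID } = require('crypto');

// Constructed demo secret (assumption); a real server loads it from protected config.
const SECRET = 'constructed-demo-secret';
const b64url = (s) => Buffer.from(s).toString('base64url');
const sign = (data) => createHmac('sha256', SECRET).update(data).digest('base64url');

// Issue an HS256 token whose payload carries the device id (claim name is hypothetical).
function issueToken(authId) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const data = `${head}.${b64url(JSON.stringify({ auth_id: authId }))}`;
  return `${data}.${sign(data)}`;
}

// Return the claims when the token is well-formed and correctly signed, else null.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm instead of trusting the header (rejects "alg": "none").
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const expected = Buffer.from(sign(`${head}.${body}`));
    const given = Buffer.from(sig);
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    return JSON.parse(Buffer.from(body, 'base64url'));
  } catch { return null; }
}

// The only routes reachable without a token, as in the message above.
const OPEN_ROUTES = new Map([
  ['GET /status', () => ({ status: 200, body: { status: 'running' } })],
  ['POST /devices', () => {
    const authId = randomUUID(); // provisioning mints the id and its token
    return { status: 201, body: { auth_id: authId, token: issueToken(authId) } };
  }],
]);

// Framework-neutral handler: everything not in OPEN_ROUTES needs a valid Bearer token.
function handle(method, path, headers = {}) {
  const open = OPEN_ROUTES.get(`${method} ${path}`);
  if (open) return open();
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  const claims = m ? verifyToken(m[1]) : null;
  if (!claims) return { status: 401, body: { error: 'invalid or missing token' } };
  // Assumption: a device token only grants access to that device's own resource.
  if (path !== `/devices/${claims.auth_id}`) return { status: 403, body: { error: 'forbidden' } };
  return { status: 200, body: { auth_id: claims.auth_id } };
}
```

The token here carries no expiry, so revoking a device means rotating the secret or keeping a server-side deny list.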