13 Securing IoT APIs

This chapter covers

  • Authenticating devices to APIs
  • Avoiding replay attacks in end-to-end device authentication
  • Authorizing things with the OAuth2 device grant
  • Performing local access control when a device is offline

In chapter 12, you learned how to secure communications between devices using Datagram TLS (DTLS) and end-to-end security. In this chapter, you’ll learn how to secure access to APIs in Internet of Things (IoT) environments, including APIs provided by the devices themselves and cloud APIs the devices connect to. In its rise to become the dominant API security technology, OAuth2 is also popular for IoT applications, so you’ll learn about recent adaptations of OAuth2 for constrained devices in section 13.3. Finally, we’ll look at how to manage access control decisions when a device may be disconnected from other services for prolonged periods of time in section 13.4.

13.1 Authenticating devices

13.1.1 Identifying devices

13.1.2 Device certificates

13.1.3 Authenticating at the transport layer

13.2 End-to-end authentication

13.2.1 OSCORE

13.2.2 Avoiding replay in REST APIs

13.3 OAuth2 for constrained environments

13.3.1 The device authorization grant

13.3.2 ACE-OAuth

13.4 Offline access control

13.4.1 Offline user authentication

13.4.2 Offline authorization

Answers to pop quiz questions

Summary