AFaaS: Authorization framework as a service for Internet of Things based on interoperable OAuth

Internet of Things has become a fundamental paradigm in our everyday lives. However, standards and technologies are often designed without considering interoperability, which is a critical issue for Internet of Things. Internet of Things environment requires interoperability to share resources (e.g. data and services) between heterogeneous Internet of Things domains. The open authorization (OAuth) 2.0 framework that is actively used in Internet of Things (as well as in conventional web environments) also did not focus on interoperability. In other words, the systems that implement the same OAuth 2.0 standard cannot interoperate without additional support. For this reason, we propose an authorization framework as a service. Authorization framework as a service provides an additional authorization layer to support standard authorization capabilities as an interoperable secure wrapper between different domains. Besides, authorization framework as a service supports the four extended authorization grant flow types to issue an interoperable access token, which has a global access scope across multiple heterogeneous domains. With the authorization framework as a service, interoperability can be supported for heterogeneous domains, and token management can also be simple because an interoperable access token can represent several existing access tokens that have local access scopes. Furthermore, this article presents a feasible interoperability scenario, implementation, and security considerations for authorization framework as a service, focusing on Internet of Things platforms.