Hi! We are currently considering implementing Oauth for devices.
OAuth, first defined by RFC 5849 (1.0), and revised with RFC 6749 (2.0) specifies an authorization framework to allow third party applications to obtain limited access to HTTP services. From RFC 6749:
“In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner`s credentials. In order to provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party.”
Under this traditional approach, third parties are given direct access to the resource owner`s credentials. This brings with it several concerns, including passwords being stored in plaintext, third parties gaining overly-broad access to the resource owner`s resources, and the inability for resource owners to revoke third party privileges without having to change their password.
OAuth presents a way to solve these issues by having the third party application request access to resources controlled by a resource owner (which are hosted on a resource server). The application is then issued a different set of credentials than those of the resource owner which it can then in turn use to access the desired resources.
Do you need an OAuth client on your device or for your embedded application? If so, let us know at firstname.lastname@example.org.