namestringAPIKeySecuritySchemeAPI key authentication security configuration identified by the Vocabulary Term apikey (i.e., "scheme": "apikey"). This is for the case where the access token is opaque and is not using a standard token format.
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
in | Specifies the location of security authentication information. | with default | string (one of header, query, body, or cookie) |
name | Name for query, header, or cookie parameters. | optional | string |
BearerSecuritySchemeBearer Token [[!RFC6750]] security configuration identified by the Vocabulary Term bearer (i.e., "scheme": "bearer") for situations where bearer tokens are used independently of OAuth2. If the oauth2 scheme is specified it is not generally necessary to specify this scheme as well as it is implied. For format, the value jwt indicates conformance with [[!RFC7519]], jws indicates conformance with [[!RFC7797]], cwt indicates conformance with [[!RFC8392]], and jwe indicates conformance with [[!RFC7516]], with values for alg interpreted consistently with those standards. Other formats and algorithms for bearer tokens MAY be specified in vocabulary extensions.
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server. | optional | anyURI |
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server. | optional | anyURI |
alg | Encoding, encryption, or digest algorithm. | with default | string (e.g., MD5, ES256, or ES512-256) |
format | Specifies format of security authentication information. | with default | string (e.g., jwt, cwt, jwe, or jws) |
in | Specifies the location of security authentication information. | with default | string (one of header, query, body, or cookie) |
name | Name for query, header, or cookie parameters. | optional | string |
PSKSecuritySchemePre-shared key authentication security configuration identified by the Vocabulary Term psk (i.e., "scheme": "psk").
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
identity | Identifier providing information which can be used for selection or confirmation. | optional | string |
OAuth2SecuritySchemeOAuth2 authentication security configuration for systems conformant with [[!RFC6749]] and [[!RFC8252]], identified by the Vocabulary Term oauth2 (i.e., "scheme": "oauth2"). For the code flow both authorization and token MUST be included. If no scopes are defined in the SecurityScheme then they are considered to be empty.
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server. | optional | anyURI |
| Element | code | client | device |
|---|---|---|---|
authorization | mandatory | omit | mandatory; refers to device authorization endpoint |
token | mandatory | mandatory | mandatory |
refresh | optional | optional | optional |
+Note that the table below lists these elements as "optional". In fact whether they are mandatory or not depends on the flow.
+The token element is listed as optional even though it is mandatory for all predefined flows since it might
+not be mandatory for some flows defined in an extension. We should investigate whether there is a better way to express these
+"variant record" constraints.
+
If multiple flows are available (for example, multiple OAuth 2.0 security schemes with different flows are given for a Form) then only
+one may be selected for use by a Consumer.
+If an OAuth 2.0 flow other than code, client or device needs to be specified an extension vocabulary MUST be used.
+This includes the password and implicit flows, which are no longer considered best practice [[WOT-SECURITY-GUIDELINES]].
+This also applies to flows that are similar at the protocol level but do
+not exactly follow the OAuth 2.0 specification,
+for example by automating grants rather than invoking a user agent to interact with a human resource owner.
+If no scopes are defined in the SecurityScheme then they are considered to be empty.
The device authorization endpoint technically uses a different protocol than the authorization endpoint used by other flows,
+and it might be possible for a developer to confuse the two.
+However, since the device flow does not use the regular authorization endpoint there should be no ambiguity.
+We are considering however an alternative design where there is a separate element,
+device_authorization,
+which MUST be included for the device flow (and then the regular authorization endpoint then MUST NOT be used).
+
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server.
+In the case of the device flow, the URI provided for the authorization value refers to the device authorization endpoint [[!RFC8628]].
+ | optional | anyURI |
token | URI of the token server. | optional | anyURI |
refresh | URI of the refresh server. | optional | anyURI |
scopes | Set of authorization scope identifiers provided as an array. These are provided in tokens returned by an authorization server and associated with forms in order to identify what resources a client may access and how. The values associated with a form should be chosen from those defined in an OAuth2SecurityScheme active on that form. | optional | string or Array of string |
flow | Authorization flow. | mandatory | string (e.g., code) |
flowstring (e.g., code, client, or device)securityDefinitions and security- As another more complex example, OAuth2 makes use of scopes. + As another more complex example, OAuth 2.0 makes use of scopes. These are identifiers that may appear in tokens and must match with corresponding identifiers in a resource to allow access to that resource (or Interaction Affordance in the case of W3C WoT). diff --git a/index.template.html b/index.template.html index 8687c1527..1767f3f78 100644 --- a/index.template.html +++ b/index.template.html @@ -1308,17 +1308,56 @@
namestringAPIKeySecuritySchemeAPI key authentication security configuration identified by the Vocabulary Term apikey (i.e., "scheme": "apikey"). This is for the case where the access token is opaque and is not using a standard token format.
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
in | Specifies the location of security authentication information. | with default | string (one of header, query, body, or cookie) |
name | Name for query, header, or cookie parameters. | optional | string |
BearerSecuritySchemeBearer Token [[!RFC6750]] security configuration identified by the Vocabulary Term bearer (i.e., "scheme": "bearer") for situations where bearer tokens are used independently of OAuth2. If the oauth2 scheme is specified it is not generally necessary to specify this scheme as well as it is implied. For format, the value jwt indicates conformance with [[!RFC7519]], jws indicates conformance with [[!RFC7797]], cwt indicates conformance with [[!RFC8392]], and jwe indicates conformance with [[!RFC7516]], with values for alg interpreted consistently with those standards. Other formats and algorithms for bearer tokens MAY be specified in vocabulary extensions.
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server. | optional | anyURI |
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server. | optional | anyURI |
alg | Encoding, encryption, or digest algorithm. | with default | string (e.g., MD5, ES256, or ES512-256) |
format | Specifies format of security authentication information. | with default | string (e.g., jwt, cwt, jwe, or jws) |
in | Specifies the location of security authentication information. | with default | string (one of header, query, body, or cookie) |
name | Name for query, header, or cookie parameters. | optional | string |
PSKSecuritySchemePre-shared key authentication security configuration identified by the Vocabulary Term psk (i.e., "scheme": "psk").
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
identity | Identifier providing information which can be used for selection or confirmation. | optional | string |
OAuth2SecuritySchemeOAuth2 authentication security configuration for systems conformant with [[!RFC6749]] and [[!RFC8252]], identified by the Vocabulary Term oauth2 (i.e., "scheme": "oauth2"). For the code flow both authorization and token MUST be included. If no scopes are defined in the SecurityScheme then they are considered to be empty.
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server. | optional | anyURI |
| Element | code | client | device |
|---|---|---|---|
authorization | mandatory | omit | mandatory; refers to device authorization endpoint |
token | mandatory | mandatory | mandatory |
refresh | optional | optional | optional |
+Note that the table below lists these elements as "optional". In fact whether they are mandatory or not depends on the flow.
+The token element is listed as optional even though it is mandatory for all predefined flows since it might
+not be mandatory for some flows defined in an extension. We should investigate whether there is a better way to express these
+"variant record" constraints.
+
If multiple flows are available (for example, multiple OAuth 2.0 security schemes with different flows are given for a Form) then only
+one may be selected for use by a Consumer.
+If an OAuth 2.0 flow other than code, client or device needs to be specified an extension vocabulary MUST be used.
+This includes the password and implicit flows, which are no longer considered best practice [[WOT-SECURITY-GUIDELINES]].
+This also applies to flows that are similar at the protocol level but do
+not exactly follow the OAuth 2.0 specification,
+for example by automating grants rather than invoking a user agent to interact with a human resource owner.
+If no scopes are defined in the SecurityScheme then they are considered to be empty.
The device authorization endpoint technically uses a different protocol than the authorization endpoint used by other flows,
+and it might be possible for a developer to confuse the two.
+However, since the device flow does not use the regular authorization endpoint there should be no ambiguity.
+We are considering however an alternative design where there is a separate element,
+device_authorization,
+which MUST be included for the device flow (and then the regular authorization endpoint then MUST NOT be used).
+
| Vocabulary term | Description | Assignment | Type |
|---|---|---|---|
authorization | URI of the authorization server.
+In the case of the device flow, the URI provided for the authorization value refers to the device authorization endpoint [[!RFC8628]].
+ | optional | anyURI |
token | URI of the token server. | optional | anyURI |
refresh | URI of the refresh server. | optional | anyURI |
scopes | Set of authorization scope identifiers provided as an array. These are provided in tokens returned by an authorization server and associated with forms in order to identify what resources a client may access and how. The values associated with a form should be chosen from those defined in an OAuth2SecurityScheme active on that form. | optional | string or Array of string |
flow | Authorization flow. | mandatory | string (e.g., code) |
flowstring (e.g., code, client, or device)securityDefinitions and security
- As another more complex example, OAuth2 makes use of scopes.
+ As another more complex example, OAuth 2.0 makes use of scopes.
These are identifiers that
may appear in tokens and must match with corresponding identifiers in a resource to allow
access to that resource (or Interaction Affordance in the case of W3C WoT).
diff --git a/ontology/wot-security.ttl b/ontology/wot-security.ttl
index 2bfd41277..4eb66bc86 100644
--- a/ontology/wot-security.ttl
+++ b/ontology/wot-security.ttl
@@ -114,7 +114,7 @@
:OAuth2SecurityScheme rdf:type rdfs:Class, owl:Class ;
rdfs:label "OAuth2SecurityScheme" ;
rdfs:subClassOf :SecurityScheme ;
- rdfs:comment "OAuth2 authentication security configuration for systems conformant with !RFC6749 and !RFC8252, identified by the term oauth2 (i.e., \"scheme\": \"oauth2\"). For the implicit flow authorization MUST be included. For the password and client flows token MUST be included. For the code flow both authorization and token MUST be included. If no scopes are defined in the SecurityScheme then they are considered to be empty."@en .
+ rdfs:comment "
OAuth 2.0 authentication security configuration for systems conformant with [[!RFC6749]], [[!RFC8252]] and (for the device flow) [[!RFC8628]], identified by the Vocabulary Term oauth2 (i.e., "scheme": "oauth2"). For the code flow both authorization and token MUST be included. For the client flow token MUST be included. For the client flow authorization MUST NOT be included. For the device flow both authorization and token MUST be included. In the case of the device flow the value provided for authorization refers to the device authorization endpoint defined in [[!RFC8628]]. The mandatory elements for each flow are summarized in the following table:
| Element | code | client | device |
|---|---|---|---|
authorization | mandatory | omit | mandatory; refers to device authorization endpoint |
token | mandatory | mandatory | mandatory |
refresh | optional | optional | optional |
Note that the table below lists these elements as "optional". In fact whether they are mandatory or not depends on the flow. The token element is listed as optional even though it is mandatory for all predefined flows since it might not be mandatory for some flows defined in an extension. We should investigate whether there is a better way to express these "variant record" constraints.
If multiple flows are available (for example, multiple OAuth 2.0 security schemes with different flows are given for a Form) then only one may be selected for use by a Consumer. If an OAuth 2.0 flow other than code, client or device needs to be specified an extension vocabulary MUST be used. This includes the password and implicit flows, which are no longer considered best practice [[WOT-SECURITY-GUIDELINES]]. This also applies to flows that are similar at the protocol level but do not exactly follow the OAuth 2.0 specification, for example by automating grants rather than invoking a user agent to interact with a human resource owner. If no scopes are defined in the SecurityScheme then they are considered to be empty.
The device authorization endpoint technically uses a different protocol than the authorization endpoint used by other flows, and it might be possible for a developer to confuse the two. However, since the device flow does not use the regular authorization endpoint there should be no ambiguity. We are considering however an alternative design where there is a separate element, device_authorization, which MUST be included for the device flow (and then the regular authorization endpoint then MUST NOT be used).
IRI: https://www.w3.org/2019/wot/security#CertSecurityScheme
cert (i.e., "scheme": "cert").| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:identity |
IRI: https://www.w3.org/2019/wot/security#DigestSecurityScheme
digest (i.e., "scheme": "digest"). This scheme is similar to basic authentication but with added features to avoid man-in-the-middle attacks.| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:inwotsec:namewotsec:qop |
IRI: https://www.w3.org/2019/wot/security#NoSecurityScheme
nosec (i.e., "scheme": "nosec"), indicating there is no authentication or other mechanism required to access the resource.| Sub-class of | wotsec:SecurityScheme |
IRI: https://www.w3.org/2019/wot/security#OAuth2SecurityScheme
oauth2 (i.e., "scheme": "oauth2"). For the implicit flow authorization MUST be included. For the password and client flows token MUST be included. For the code flow both authorization and token MUST be included. If no scopes are defined in the SecurityScheme then they are considered to be empty.| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:authorizationwotsec:flowwotsec:refreshwotsec:scopeswotsec:token |
IRI: https://www.w3.org/2019/wot/security#OAuth2SecurityScheme
device flow) [[!RFC8628]], identified by the Vocabulary Term oauth2 (i.e., "scheme": "oauth2"). For the code flow both authorization and token MUST be included. For the client flow both authorization and token MUST be included. For the device flow both authorization and token MUST be included. If an OAuth 2.0 flow other than code, client or device needs to be specified an extension vocabulary MUST be used. This includes the password and implicit flows, which are no longer considered best practice. This also applies to flows that are similar at the protocol level but do not exactly follow the OAuth 2.0 specification, for example by automating grants rather than invoking a user agent to interact with a human resource owner. If no scopes are defined in the SecurityScheme then they are considered to be empty.| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:authorizationwotsec:flowwotsec:refreshwotsec:scopeswotsec:token |
IRI: https://www.w3.org/2019/wot/security#PSKSecurityScheme
psk (i.e., "scheme": "psk").| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:identity |
IRI: https://www.w3.org/2019/wot/security#PoPSecurityScheme
pop (i.e., "scheme": "pop"). Here jwt indicates conformance with !RFC7519, jws indicates conformance with !RFC7797, cwt indicates conformance with !RFC8392, and jwe indicates conformance with RFC7516, with values for alg interpreted consistently with those standards. Other formats and algorithms for PoP tokens MAY be specified in vocabulary extensions.| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:algwotsec:authorizationwotsec:formatwotsec:inwotsec:name |
IRI: https://www.w3.org/2019/wot/security#PublicSecurityScheme
public (i.e., "scheme": "public").| Sub-class of | wotsec:SecurityScheme |
| In the domain of | wotsec:identity |