From a20e9793a02282f50a9cd9f1552e20018b19bf8c Mon Sep 17 00:00:00 2001
From: MahdaNoura
OAuth 2.0 authentication security configuration for systems conformant with [[!RFC6749]] and [[!RFC8252]], identified by the Vocabulary Term oauth2.
Terminology
InteractionAffordance
https://www.w3.org/2019/wot/td#InteractionAffordance
Super-class of td:ActionAffordance
td:EventAffordance
td:PropertyAffordance
In the domain of td:descriptionInLanguage
td:hasForm
td:hasUriTemplateSchema
td:name
td:titleInLanguage
tm:ref
In the range of td:hasInteractionAffordance
OperationType
https://www.w3.org/2019/wot/td#OperationType
PropertyAffordance
https://www.w3.org/2019/wot/td#PropertyAffordance
Sub-class of td:InteractionAffordance
In the domain of td:isObservable
In the range of td:hasPropertyAffordance
Thing
https://www.w3.org/2019/wot/td#Thing
In the domain of td:baseURI
td:definesSecurityScheme
td:descriptionInLanguage
td:followsProfile
td:hasForm
td:hasInteractionAffordance
td:hasSecurityConfiguration
td:instance
td:model
td:titleInLanguage
Object Properties
definesSecurityScheme
https://www.w3.org/2019/wot/td#definesSecurityScheme
Domain includes td:Thing
Thing
https://www.w3.org/2019/wot/td#Thing
In the domain of td:baseURI
td:definesSecurityScheme
td:descriptionInLanguage
td:followsProfile
td:hasForm
td:hasInteractionAffordance
td:hasSecurityConfiguration
td:titleInLanguage
Object Properties
definesSecurityScheme
https://www.w3.org/2019/wot/td#definesSecurityScheme
Domain includes td:Thing
hasActionAffordance
https://www.w3.org/2019/wot/td#hasActionAffordance
Range includes td:ActionAffordance
hasCancellationSchema
https://www.w3.org/2019/wot/td#hasCancellationSchema
Domain includes td:EventAffordance
hasConfigurationInstance
https://www.w3.org/2019/wot/td#hasConfigurationInstance
Domain includes wotsec:SecurityScheme
Terminology
description
https://www.w3.org/2019/wot/td#description
Domain includes tm:ThingModel
Range includes schema:Text
descriptionInLanguage
https://www.w3.org/2019/wot/td#descriptionInLanguage
Domain includes jsonschema:DataSchema
wotsec:SecurityScheme
td:InteractionAffordance
td:Thing
Range includes schema:Text
followsProfile
https://www.w3.org/2019/wot/td#followsProfile
Domain includes td:Thing
Range includes
instance
https://www.w3.org/2019/wot/td#instance
Domain includes td:Thing
instance
https://www.w3.org/2019/wot/td#instance
Domain includes td:versionInfo
isIdempotent
https://www.w3.org/2019/wot/td#isIdempotent
Domain includes td:ActionAffordance
Range includes schema:Boolean
isObservable
https://www.w3.org/2019/wot/td#isObservable
observeproperty and unobserveproperty operations for this Property.
Domain includes td:PropertyAffordance
Range includes schema:Boolean
isSafe
https://www.w3.org/2019/wot/td#isSafe
Domain includes td:ActionAffordance
Range includes schema:Boolean
isSynchronous
https://www.w3.org/2019/wot/td#isSynchronous
Domain includes td:ActionAffordance
Range includes schema:Boolean
model
https://www.w3.org/2019/wot/td#model
Domain includes td:Thing
model
https://www.w3.org/2019/wot/td#model
Domain includes td:versionInfo
name
https://www.w3.org/2019/wot/td#name
Domain includes td:InteractionAffordance
Range includes schema:Text
title
https://www.w3.org/2019/wot/td#title
Domain includes tm:ThingModel
Range includes schema:Text
titleInLanguage
https://www.w3.org/2019/wot/td#titleInLanguage
Domain includes jsonschema:DataSchema
td:InteractionAffordance
td:Thing
Range includes schema:Text
Annotation Properties
supportContact
https://www.w3.org/2019/wot/td#supportContact
Substantive Issues
Editorial Issues
+
+
domain
of classes model
and instance
has been changed to versionInfo
to match the TD specification. This change does not affect the WoT TD 1.1. HTML specification.
+ Terminology
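Review bot: the changelog sentence "domain of classes model and instance has been changed to versionInfo" mis-describes the change and should be reworded before merge: model and instance are object properties, not classes (they are listed under Object Properties, each with its own IRI), and the rendered listing still carries both the old entries (instance / model with "Domain includes td:Thing") and the new ones ("Domain includes td:versionInfo") side by side, so the old entries need to be dropped rather than left in place. Also "WoT TD 1.1. HTML specification" has a stray period after "1.1".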
hasEventAffordance
https://www.w3.org/2019/wot/td#hasEventAffordance
Range includes td:EventAffordance
hasForm
https://www.w3.org/2019/wot/td#hasForm
Domain includes td:InteractionAffordance
td:Thing
Range includes hctl:Form
hasInputSchema
https://www.w3.org/2019/wot/td#hasInputSchema
Domain includes td:ActionAffordance
hasInstanceConfiguration
https://www.w3.org/2019/wot/td#hasInstanceConfiguration
Domain includes wotsec:SecurityScheme
hasInteractionAffordance
https://www.w3.org/2019/wot/td#hasInteractionAffordance
Domain includes td:Thing
tm:ThingModel
Range includes td:InteractionAffordance
hasLink
https://www.w3.org/2019/wot/td#hasLink
Domain includes tm:ThingModel
Range includes hctl:Link
hasNotificationResponseSchema
https://www.w3.org/2019/wot/td#hasNotificationResponseSchema
Domain includes td:EventAffordance
Terminology
NoSecurityScheme
https://www.w3.org/2019/wot/security#NoSecurityScheme
nosec (i.e., "scheme": "nosec"), indicating there is no authentication or other mechanism required to access the resource.
Sub-class of | wotsec:SecurityScheme |
OAuth2SecurityScheme
https://www.w3.org/2019/wot/security#OAuth2SecurityScheme
oauth2 (i.e., "scheme": "oauth2"). For the code flow both authorization and token MUST be included. For the client flow token MUST be included. For the client flow authorization MUST NOT be included. The mandatory elements for each flow are summarized in the following table:
| Element | code | client |
| authorization | mandatory | omit |
| token | mandatory | mandatory |
| refresh | optional | optional |
Sub-class of | wotsec:SecurityScheme |
In the domain of | wotsec:authorization wotsec:flow wotsec:refresh wotsec:scopes wotsec:token |
IRI: https://www.w3.org/2019/wot/security#PSKSecurityScheme
psk (i.e., "scheme": "psk"). This is meant to identify that a standard is used for pre-shared keys such as TLS-PSK [[rfc4279]], and that the ciphersuite used for keys will be established during protocol negotiation.
Sub-class of | wotsec:SecurityScheme |
In the domain of | wotsec:identity |
IRI: https://www.w3.org/2019/wot/security#SecurityScheme
Metadata describing the configuration of a security mechanism. The value assigned to the name scheme MUST be defined within a Vocabulary included in the Thing Description, either in the standard Vocabulary defined in § 5. TD Information Model or in a TD Context Extension.
For all security schemes, any keys, passwords, or other sensitive information directly providing access MUST NOT be stored in the TD and should instead be shared and stored out-of-band via other mechanisms. The purpose of a TD is to describe how to access a Thing if and only if a Consumer already has authorization; it is not meant to be used to grant that authorization.
Each security scheme object used in a TD defines a set of requirements to be met before access can be granted. We say a security scheme is satisfied when all its requirements are met. In some cases requirements from multiple security schemes will have to be met before access can be granted.
Security schemes generally may require additional authentication parameters, such as a password or key. The location of this information is indicated by the value associated with the name in, often in combination with the value associated with name. The in name can take one of the following values:
header: name.
query: name.
body: name. When used in the context of a body security information location, the value of name MUST be in the form of a JSON pointer [[!RFC6901]] relative to the root of the input DataSchema for each interaction it is used with. Since this value is not a fragment identifier, and is relative not to the root of the TD but to whichever data schemas the security scheme is bound to, it should not start with "#"; it is a "pure" JSON pointer. Since it is not a fragment identifier, it also does not need to URL-encode special characters. The targeted element may or may not already exist at the specified location in the referenced data schema. If it does not, it will be inserted. This avoids having to duplicate definitions in the data schemas of every interaction. When the element of a data schema indicated by the JSON pointer in a body locator does not already exist in that schema, it MUST be possible to insert the indicated element at the location indicated by the pointer. For example, when pointing to a key of a Map where that key does not exist in the corresponding Data Schema, the key and its value, which is the credential, would be inserted into the Map at the specified location during the operation execution. On the other hand, when pointing to an Array's item with a number as the item index, that number should be outside the range of the Array's already specified items in order not to alter the strict sequence of items. The JSON pointer used in the body locator MAY use the "-" character to indicate a non-existent array element when it is necessary to insert an element after the last element of an existing array. The element referenced (or created) by a body security information location MUST be required and of type "string". If name is not given, it is assumed the entire body is to be used as the security parameter.
cookie: name.
uri: name. This is more general than the query mechanism but more complex. The value uri SHOULD be specified for in in a security scheme only if query is not applicable. The URIs provided in interactions where a security scheme using uri is applied MUST be a URI template including the defined variable.
auto: when auto is set for the in field of a SecurityScheme, then the name field SHOULD NOT be set. In this case, the application of the SecurityScheme is subject to the respective specification for the given protocol (e.g. [[!RFC8288]] when using the BasicSecurityScheme with HTTP).
combo security scheme and allOf.
In some cases parameters may not actually be secret but a user may wish to leave them out of the TD to help protect privacy. As an example of this, some security mechanisms require both a client identifier and a secret key. In theory, the client identifier is public; however, it may be hard to update and pose a tracking risk. In such a case it can be provided as an additional security parameter so it does not appear in the TD.
The names of URI variables declared in a SecurityScheme MUST be distinct from all other URI variables declared in the TD.
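The body locator rules above (a pure JSON pointer with no "#" prefix, a missing element inserted into the schema and the body, append-only array positions using "-", a required string slot, and the whole body used as the credential when name is absent), as an added example that is not code from the TD specification or the W3C WoT repositories. The schemas, request bodies and the SECRET value are constructed for illustration; bind_schema walking only object-typed DataSchemas is this example's simplification.

```python
"""Apply a `body` security-information locator: bind the credential slot into an
input DataSchema and inject the credential into an outgoing request body.

Added example, not code from the W3C TD specification or ontology. Schemas,
bodies and SECRET are constructed; a real credential is obtained out-of-band,
never from the TD.
"""
import copy
from typing import Any, List, Optional

SECRET = "s3cr3t-obtained-out-of-band"  # constructed; a TD never carries this


def parse_pointer(pointer: str) -> List[str]:
    """Split a 'pure' RFC 6901 pointer into reference tokens.

    A body locator is not a fragment identifier, so '#...' is rejected and no
    URL-decoding is applied; only the ~1 -> '/' and ~0 -> '~' escapes are undone.
    """
    if pointer == "":
        return []
    if pointer.startswith("#"):
        raise ValueError("body locator must be a pure JSON pointer, not a '#' fragment")
    if not pointer.startswith("/"):
        raise ValueError("a non-empty JSON pointer must start with '/'")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]


def bind_schema(schema: dict, pointer: str) -> dict:
    """Return a copy of an object DataSchema with the credential slot present.

    The element the pointer designates is created if missing and must end up as
    a required element of type "string". Only object schemas are walked here (an
    assumption of this example); intermediate containers are marked required too,
    since a required leaf inside an optional container would be meaningless.
    """
    schema = copy.deepcopy(schema)
    tokens = parse_pointer(pointer)
    if not tokens:
        raise ValueError("a whole-body credential needs no schema binding")
    node = schema
    for i, tok in enumerate(tokens):
        if node.get("type") != "object":
            raise ValueError(f"cannot bind into non-object schema at {tok!r}")
        props = node.setdefault("properties", {})
        required = node.setdefault("required", [])
        if tok not in required:
            required.append(tok)
        if i == len(tokens) - 1:
            slot = props.setdefault(tok, {"type": "string"})
            if slot.get("type") != "string":
                raise ValueError(f"credential element {tok!r} must be of type string")
        else:
            node = props.setdefault(tok, {"type": "object"})
    return schema


def inject_credential(body: Any, name: Optional[str], secret: str) -> Any:
    """Return a copy of `body` with `secret` inserted where the locator points.

    No name (or the empty pointer) means the whole body is the credential.
    A missing map key is inserted; an array index must be '-' or equal to the
    current length so existing items keep their order (this example appends
    only; it does not pad up to a larger index).
    """
    if name is None:
        return secret
    tokens = parse_pointer(name)
    if not tokens:
        return secret
    body = copy.deepcopy(body)
    node = body
    for i, tok in enumerate(tokens):
        last = i == len(tokens) - 1
        if isinstance(node, dict):
            if last:
                node[tok] = secret
            else:
                node = node.setdefault(tok, {})
        elif isinstance(node, list):
            if not last:
                raise ValueError("cannot descend through a new array element")
            if tok != "-" and not (tok.isdigit() and int(tok) == len(node)):
                raise ValueError(f"array index {tok!r} would overwrite or skip existing items")
            node.append(secret)
        else:
            raise ValueError(f"cannot descend into {type(node).__name__} at {tok!r}")
    return body


def rejects(fn) -> bool:
    """True if fn() raises ValueError; used to exercise the failure modes."""
    try:
        fn()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    schema = {"type": "object", "properties": {"value": {"type": "number"}}, "required": ["value"]}
    print(bind_schema(schema, "/auth/apikey"))
    print(inject_credential({"value": 21}, "/auth/apikey", SECRET))
```

The schema binding happens once, when the Consumer resolves the scheme against an interaction's input schema; the body injection happens per request, so the credential never needs to appear in the TD or in the schema itself.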
IRI: https://www.w3.org/2019/wot/security#allOf
Domain includes | wotsec:ComboSecurityScheme |
IRI: https://www.w3.org/2019/wot/security#oneOf
Domain includes | wotsec:ComboSecurityScheme |
IRI: https://www.w3.org/2019/wot/security#refresh
Domain includes | wotsec:OAuth2SecurityScheme |
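A validator for the rules collected in the OAuth2SecurityScheme flow table and in the SecurityScheme description above (mandatory and forbidden OAuth2 elements per flow, combo allOf/oneOf references, no name with in=auto, uri variables distinct from other uriVariables and present in the form's URI template, pure JSON pointer for body locators, and no credentials stored in the TD), as an added example that is not code from the TD specification or the W3C WoT repositories. SAMPLE_TD is constructed; SUSPECT_KEYS is a heuristic of this example rather than a list from the spec, and only the code and client flows shown in the table are modelled.

```python
"""Check a Thing Description's securityDefinitions against the rules on this
page: the OAuth2 flow table, combo allOf/oneOf references, `in`/`name`
locators (auto, uri, body), uniqueness of URI variables, and the rule that
credentials must not be stored in the TD.

Added example, not code from the TD specification or the W3C WoT repository.
SAMPLE_TD is constructed; SUSPECT_KEYS is a heuristic of this example, not a
list from the spec; only the 'code' and 'client' flows from the table are modelled.
"""
from typing import Any, Dict, Iterable, List

FLOWS = ("code", "client")
# Element -> requirement per flow, transcribed from the OAuth2 flow table above.
OAUTH2_ELEMENTS = {
    "authorization": {"code": "mandatory", "client": "omit"},
    "token": {"code": "mandatory", "client": "mandatory"},
    "refresh": {"code": "optional", "client": "optional"},
}
# Assumption (heuristic): field names that usually mean a credential was embedded.
SUSPECT_KEYS = {"password", "secret", "client_secret", "access_token", "refresh_token"}
AFFORDANCES = ("properties", "actions", "events")


def _as_list(x: Any) -> List[str]:
    return [x] if isinstance(x, str) else list(x or [])


def _uri_variables(td: Dict[str, Any]) -> set:
    names = set(td.get("uriVariables", {}))
    for kind in AFFORDANCES:
        for aff in td.get(kind, {}).values():
            names |= set(aff.get("uriVariables", {}))
    return names


def _forms(td: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    yield from td.get("forms", [])
    for kind in AFFORDANCES:
        for aff in td.get(kind, {}).values():
            yield from aff.get("forms", [])


def validate_security(td: Dict[str, Any]) -> List[str]:
    """Return human-readable violations; an empty list means the TD passed."""
    errors: List[str] = []
    defs = td.get("securityDefinitions", {})
    uri_vars = _uri_variables(td)
    for name, sd in defs.items():
        scheme = sd.get("scheme")
        if scheme is None:
            errors.append(f"{name}: missing 'scheme'")
            continue
        leaked = SUSPECT_KEYS & set(sd)
        if leaked:
            errors.append(f"{name}: credential-like field(s) {sorted(leaked)} must not be stored in the TD")
        if scheme == "oauth2":
            flow = sd.get("flow")
            if flow not in FLOWS:
                errors.append(f"{name}: unknown or missing oauth2 flow {flow!r}")
            else:
                for element, rule in OAUTH2_ELEMENTS.items():
                    if rule[flow] == "mandatory" and element not in sd:
                        errors.append(f"{name}: oauth2 {flow} flow requires '{element}'")
                    if rule[flow] == "omit" and element in sd:
                        errors.append(f"{name}: oauth2 {flow} flow must not include '{element}'")
        elif scheme == "combo":
            branches = [k for k in ("allOf", "oneOf") if k in sd]
            if len(branches) != 1:
                errors.append(f"{name}: combo needs exactly one of allOf/oneOf")
            for k in branches:
                for ref in sd[k]:
                    if ref == name or ref not in defs:
                        errors.append(f"{name}: combo {k} references unknown scheme {ref!r}")
        loc = sd.get("in")
        if loc == "auto" and "name" in sd:
            errors.append(f"{name}: 'name' should not be set when in='auto'")
        if loc == "uri":
            if not sd.get("name"):
                errors.append(f"{name}: in='uri' requires a 'name' URI variable")
            elif sd["name"] in uri_vars:
                errors.append(f"{name}: URI variable {sd['name']!r} clashes with a uriVariables entry")
        if loc == "body" and str(sd.get("name", "")).startswith("#"):
            errors.append(f"{name}: body locator must be a pure JSON pointer, not a '#' fragment")
    top = _as_list(td.get("security"))
    for ref in top:
        if ref not in defs:
            errors.append(f"security: unknown scheme {ref!r}")
    for form in _forms(td):  # a form without its own 'security' inherits the top-level list
        href = form.get("href", "")
        for ref in _as_list(form.get("security")) or top:
            sd = defs.get(ref)
            if sd is None:
                errors.append(f"form {href}: unknown security scheme {ref!r}")
            elif sd.get("in") == "uri" and sd.get("name") and "{%s}" % sd["name"] not in href:
                errors.append(f"form {href}: href must be a URI template containing {{{sd['name']}}}")
    return errors


SAMPLE_TD = {  # constructed; each deliberately wrong definition is named for what it breaks
    "securityDefinitions": {
        "oauth_code": {"scheme": "oauth2", "flow": "code", "scopes": ["read"],
                       "authorization": "https://auth.example/authorize",
                       "token": "https://auth.example/token"},
        "oauth_client_bad": {"scheme": "oauth2", "flow": "client",
                             "authorization": "https://auth.example/authorize",
                             "token": "https://auth.example/token"},
        "key_in_uri": {"scheme": "apikey", "in": "uri", "name": "apikey"},
        "basic_auto": {"scheme": "basic", "in": "auto", "name": "Authorization"},
        "both": {"scheme": "combo", "allOf": ["oauth_code", "key_in_uri"]},
        "leaky": {"scheme": "bearer", "in": "header", "password": "hunter2"},
    },
    "security": ["both"],
    "uriVariables": {"apikey": {"type": "string"}},
    "properties": {"temp": {"forms": [
        {"href": "https://thing.example/temp?k={apikey}"},
        {"href": "https://thing.example/temp", "security": "key_in_uri"},
    ]}},
}

if __name__ == "__main__":
    for line in validate_security(SAMPLE_TD):
        print(line)
```

Run against SAMPLE_TD the checker reports five violations: the client-flow definition carrying authorization, the uri scheme whose variable name collides with a uriVariables entry, the auto scheme that still sets name, the bearer definition with an embedded password, and the form that references the uri scheme without a {apikey} template in its href.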
hasConfigurationInstance
has been changed to hasInstanceConfiguration
to match the JSON-LD context file. This change does not affect the WoT TD 1.1. HTML specification.
domain
of classes model
and instance
has been changed to versionInfo
to match the TD specification. This change does not affect the WoT TD 1.1. HTML specification.
- hasConfigurationInstance
has been changed to hasInstanceConfiguration
to match the JSON-LD context file. This change does not affect the WoT TD 1.1. HTML specification.
domain
of classes model
and instance
has been changed to
+ versionInfo
to match the TD specification. This change does not affect the WoT TD 1.1. HTML specification.
+
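Review bot: this hunk drops the "hasConfigurationInstance has been changed to hasInstanceConfiguration" note from the changelog, but the rendered Object Properties listing above still contains both hasConfigurationInstance and hasInstanceConfiguration, each with "Domain includes wotsec:SecurityScheme"; if the rename stands, the hasConfigurationInstance entry should be removed from the listing, and if the rename is being withdrawn, the changelog should say so rather than silently losing the note. The "domain of classes model and instance has been changed to versionInfo" sentence now appears three times across the changelog hunks; keep one copy, and fix "WoT TD 1.1. HTML specification" (stray period) in it.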