By: Abhinay B. user 23 Oct 2018 at 7:44 a.m. CDT

4 Responses
How can we use Gluu server to secure IoTs and devices? I've come across [this](https://www.gluu.org/resources/documents/articles/5-reasons-you-need-openid-connect-and-uma/) article that says we can use OpenID Connect and UMA as they are in 'alignment with OAuth 2.0 standards which is critical for mobile, IOT and Web security.' Is there a demo of such security for IoTs and devices?

By Aliaksandr Samuseu staff 23 Oct 2018 at 5:33 p.m. CDT

Hi, Abhinay. One thing you need to keep in mind is that Gluu Server is mostly designed to interact with web applications. If your intention is to, for example, create a dedicated service handling authentication for your users and a central point of distributing your users' personal data, which then will be used by your devices (for example, their web UI will be sending users to your Gluu Server for authentication and will be using it as a source of their personal attributes) - you are on the right track. With UMA you could delegate the process of making authorization decisions to Gluu as well. But in the end, it's your device which must be capable of interacting with Gluu Server using one of the supported protocols, and then enforce some access policies based on the data received from it. This will be your part of the responsibility to implement or configure. We can't be aware of what kind of devices they are, or what kind of embedded software they use. There are a few packages which can be used to add OpenID Connect or UMA support for your app. Gluu offers one as well, called [oxd server](https://gluu.org/docs/oxd/3.1.3.1/) (it's a paid solution). It's hard to suggest something specific without knowing all the details.

By Abhinay B. user 25 Oct 2018 at 5:42 a.m. CDT

Thanks for the reply! The example that I have in mind doesn't involve a user (at least, actively!). Suppose a mobile app needs to send periodic messages to a remote server. For the sake of security, I need the app to be authenticated each time. As this doesn't involve a user, the authentication cannot be the username-password method. So, is there a way that the mobile device can interact with Gluu server for such an authentication?

By Abhinay B. user 29 Oct 2018 at 1:38 a.m. CDT

I have seen that you provide certificate-based authentication which can be used in this situation of authenticating devices. Here is my understanding:

1. The device connects itself to the Gluu server through the RESTful APIs and provides its certificate as a parameter to the API endpoint.
2. The Gluu server verifies the certificate to authenticate the device.
3. The Gluu server redirects the device to the URL specified (as a parameter) on successful authentication.

Is my understanding correct? How do I obtain such certificates in the first place? Is there a way provided in Gluu server to get them? Maybe at the time of registration?

By William Lowe user 31 Oct 2018 at 10:15 a.m. CDT

Outside the scope of community support. We are here to answer specific technical questions related to Gluu Server operations and integrations, not provide high-level architecture consulting.