Validation of the document by the Working Group is expected by the end of June 2019.

Introduction

Axiomatization

Classes

APIKeySecurityScheme

IRI: https://www.w3.org/2019/wot/security#APIKeySecurityScheme

API key authentication security configuration identified by the term apikey (i.e., "scheme": "apikey"). This is for the case where the access token is opaque and is not using a standard token format.
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:in, wotsec:name

BasicSecurityScheme

IRI: https://www.w3.org/2019/wot/security#BasicSecurityScheme

Basic authentication security configuration identified by the term basic (i.e., "scheme": "basic"), using an unencrypted username and password. This scheme should be used with some other security mechanism providing confidentiality, for example, TLS.
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:in, wotsec:name

BearerSecurityScheme

IRI: https://www.w3.org/2019/wot/security#BearerSecurityScheme

Bearer token authentication security configuration identified by the term bearer (i.e., "scheme": "bearer"). This scheme is intended for situations where bearer tokens are used independently of OAuth2. If the oauth2 scheme is specified it is not generally necessary to specify this scheme as well, as it is implied. For format, the value jwt indicates conformance with RFC7519, jws indicates conformance with RFC7797, cwt indicates conformance with RFC8392, and jwe indicates conformance with RFC7516, with values for alg interpreted consistently with those standards. Other formats and algorithms for bearer tokens MAY be specified in vocabulary extensions.
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:alg, wotsec:authorization, wotsec:format, wotsec:in, wotsec:name

CertSecurityScheme

IRI: https://www.w3.org/2019/wot/security#CertSecurityScheme

Certificate-based asymmetric key security configuration conformant with X509V3 identified by the term cert (i.e., "scheme": "cert").
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:identity

DigestSecurityScheme

IRI: https://www.w3.org/2019/wot/security#DigestSecurityScheme

Digest authentication security configuration identified by the term digest (i.e., "scheme": "digest"). This scheme is similar to basic authentication but with added features to avoid man-in-the-middle attacks.
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:in, wotsec:name, wotsec:qop

NoSecurityScheme

IRI: https://www.w3.org/2019/wot/security#NoSecurityScheme

A security configuration identified by the term nosec (i.e., "scheme": "nosec"), indicating that no authentication or other mechanism is required to access the resource.
Sub-class of: wotsec:SecurityScheme

OAuth2SecurityScheme

IRI: https://www.w3.org/2019/wot/security#OAuth2SecurityScheme

OAuth2 authentication security configuration for systems conformant with RFC6749 and RFC8252, identified by the term oauth2 (i.e., "scheme": "oauth2"). For the implicit flow, authorization MUST be included. For the password and client flows, token MUST be included. For the code flow, both authorization and token MUST be included. If no scopes are defined in the SecurityScheme then they are considered to be empty.
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:authorization, wotsec:flow, wotsec:refresh, wotsec:scopes, wotsec:token
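The flow rules above and the bearer/pop format values from the BearerSecurityScheme entry can be checked mechanically before a Thing Description is published. The following added example (not part of this vocabulary document or any WoT implementation) assumes that the TD carries its security schemes under a "securityDefinitions" object and that the JSON keys use the vocabulary's local names (scheme, flow, authorization, token, format); the sample TD is constructed for the demonstration.

```python
import json

# Endpoint URIs each OAuth2 flow must carry, as the vocabulary states:
# implicit -> authorization, password/client -> token, code -> both.
OAUTH2_REQUIRED = {
    "implicit": {"authorization"},
    "password": {"token"},
    "client": {"token"},
    "code": {"authorization", "token"},
}
# Token formats the vocabulary names for the bearer and pop schemes.
TOKEN_FORMATS = {"jwt", "jws", "cwt", "jwe"}

def check_scheme(name: str, scheme: dict) -> dict:
    """Check one security scheme object; returns {"errors": [...], "warnings": [...]}."""
    errors, warnings = [], []
    kind = scheme.get("scheme")
    if kind == "oauth2":
        flow = scheme.get("flow")
        if flow not in OAUTH2_REQUIRED:
            errors.append(f"{name}: unknown or missing oauth2 flow {flow!r}")
        else:
            for key in sorted(OAUTH2_REQUIRED[flow] - set(scheme)):
                errors.append(f"{name}: oauth2 {flow} flow requires {key!r}")
        # Absent scopes count as empty, so they are not reported.
    elif kind in ("bearer", "pop"):
        fmt = scheme.get("format")
        if fmt is not None and fmt not in TOKEN_FORMATS:
            errors.append(f"{name}: format {fmt!r} needs a vocabulary extension")
    elif kind == "basic":
        warnings.append(f"{name}: basic sends credentials unencrypted; use with TLS")
    return {"errors": errors, "warnings": warnings}

def check_td(td: dict) -> dict:
    """Run check_scheme over every entry under 'securityDefinitions' (assumed TD key)."""
    return {n: check_scheme(n, s) for n, s in td.get("securityDefinitions", {}).items()}

# Constructed sample: a valid bearer scheme and a code-flow oauth2 scheme missing "token".
SAMPLE_TD = json.loads("""{
  "securityDefinitions": {
    "bearer_sc": {"scheme": "bearer", "in": "header", "format": "jwt", "alg": "ES256"},
    "oauth_sc": {"scheme": "oauth2", "flow": "code",
                 "authorization": "https://example.com/authorize", "scopes": ["read"]}
  }
}""")

if __name__ == "__main__":
    print(json.dumps(check_td(SAMPLE_TD), indent=2))
```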

PSKSecurityScheme

IRI: https://www.w3.org/2019/wot/security#PSKSecurityScheme

Pre-shared key authentication security configuration identified by the term psk (i.e., "scheme": "psk").
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:identity

PoPSecurityScheme

IRI: https://www.w3.org/2019/wot/security#PoPSecurityScheme

Proof-of-possession (PoP) token authentication security configuration identified by the term pop (i.e., "scheme": "pop"). Here jwt indicates conformance with RFC7519, jws indicates conformance with RFC7797, cwt indicates conformance with RFC8392, and jwe indicates conformance with RFC7516, with values for alg interpreted consistently with those standards. Other formats and algorithms for PoP tokens MAY be specified in vocabulary extensions.
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:alg, wotsec:authorization, wotsec:format, wotsec:in, wotsec:name

PublicSecurityScheme

IRI: https://www.w3.org/2019/wot/security#PublicSecurityScheme

Raw public key asymmetric key security configuration identified by the term public (i.e., "scheme": "public").
Sub-class of: wotsec:SecurityScheme
In the domain of: wotsec:identity

SecurityScheme

IRI: https://www.w3.org/2019/wot/security#SecurityScheme

Metadata describing the configuration of a security mechanism. The value assigned to the name scheme MUST be defined within a vocabulary included in the Thing Description, either in the present vocabulary or in a TD context extension.
Super-class of: wotsec:APIKeySecurityScheme, wotsec:BasicSecurityScheme, wotsec:BearerSecurityScheme, wotsec:CertSecurityScheme, wotsec:DigestSecurityScheme, wotsec:NoSecurityScheme, wotsec:OAuth2SecurityScheme, wotsec:PSKSecurityScheme, wotsec:PoPSecurityScheme, wotsec:PublicSecurityScheme
In the domain of: wotsec:proxy

Object Properties

authorization

IRI: https://www.w3.org/2019/wot/security#authorization

URI of the authorization server.
Domain includes: wotsec:BearerSecurityScheme, wotsec:OAuth2SecurityScheme, wotsec:PoPSecurityScheme

proxy

IRI: https://www.w3.org/2019/wot/security#proxy

URI of the proxy server this security configuration provides access to. If not given, the corresponding security configuration is for the endpoint.
This feature is at risk.
Domain includes: wotsec:SecurityScheme

refresh

IRI: https://www.w3.org/2019/wot/security#refresh

URI of the refresh server.
Domain includes: wotsec:OAuth2SecurityScheme

token

IRI: https://www.w3.org/2019/wot/security#token

URI of the token server.
Domain includes: wotsec:OAuth2SecurityScheme

Datatype Properties

alg

IRI: https://www.w3.org/2019/wot/security#alg

Encoding, encryption, or digest algorithm.
Domain includes: wotsec:BearerSecurityScheme, wotsec:PoPSecurityScheme

flow

IRI: https://www.w3.org/2019/wot/security#flow

Authorization flow.
Domain includes: wotsec:OAuth2SecurityScheme

format

IRI: https://www.w3.org/2019/wot/security#format

Specifies the format of security authentication information.
Domain includes: wotsec:BearerSecurityScheme, wotsec:PoPSecurityScheme

identity

IRI: https://www.w3.org/2019/wot/security#identity

Identifier providing information which can be used for selection or confirmation.
Domain includes: wotsec:CertSecurityScheme, wotsec:PSKSecurityScheme, wotsec:PublicSecurityScheme

in

IRI: https://www.w3.org/2019/wot/security#in

Specifies the location of security authentication information.
Domain includes: wotsec:APIKeySecurityScheme, wotsec:BasicSecurityScheme, wotsec:BearerSecurityScheme, wotsec:DigestSecurityScheme, wotsec:PoPSecurityScheme

name

IRI: https://www.w3.org/2019/wot/security#name

Name for query, header, or cookie parameters.
Domain includes: wotsec:APIKeySecurityScheme, wotsec:BasicSecurityScheme, wotsec:BearerSecurityScheme, wotsec:DigestSecurityScheme, wotsec:PoPSecurityScheme

qop

IRI: https://www.w3.org/2019/wot/security#qop

Quality of protection.
This feature is at risk.
Domain includes: wotsec:DigestSecurityScheme

scopes

IRI: https://www.w3.org/2019/wot/security#scopes

Set of authorization scope identifiers provided as an array. These are provided in tokens returned by an authorization server and associated with forms in order to identify what resources a client may access and how. The values associated with a form should be chosen from those defined in an OAuth2SecurityScheme active on that form.
This feature is at risk.
Domain includes: wotsec:OAuth2SecurityScheme

Usage Examples

Extended Configuration