The Open Authorization (OAuth) 2.0 authorization framework enables a third-party application to obtain limited access to a service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the service, or by allowing the third-party application to obtain access on its own behalf. This authorization framework is being adopted for granting access to Internet of Things (IoT) devices, governing which client (a person or an application) may access such a device (the resource server) that is controlled by a resource owner.
More specifically, OAuth 2.0 defines an authorization layer that separates the role of the client from that of the resource owner. In OAuth 2.0, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.
Instead of using the resource owner's credentials to access protected resources, the client obtains an access token, i.e., a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.
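The role separation described above, as an added example that is not part of the original text and not code from any OAuth 2.0 specification or library: a toy authorization server authenticates the client with the client's own credentials, checks the resource owner's approval, and mints a token carrying scope, lifetime and audience; a toy resource server enforces those attributes before releasing a protected reading. The client name `thermostat-app`, the `temp:read`/`temp:write` scopes, the shared HMAC key and the token encoding are all constructed for illustration, as is the simplification that the two servers share a symmetric key (production deployments typically use asymmetric signatures or token introspection).

```python
"""Toy model of the OAuth 2.0 roles: authorization server, client, resource
server, resource owner. Constructed example; the token format below is
illustrative and is not the OAuth 2.0 wire format."""
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed key shared by the authorization server and the resource server so
# the latter can verify tokens locally (a simplification for the demo).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
AUDIENCE = "iot-resource-server"  # hypothetical resource server identifier


class AuthorizationServer:
    """Issues access tokens with the resource owner's approval."""

    def __init__(self, key: bytes):
        self._key = key
        # Constructed client registration: the client has its own credentials,
        # distinct from any resource owner's password.
        self._clients = {"thermostat-app": "c1i3nt-s3cr3t"}
        # Constructed record of what each owner approved for each client.
        self._owner_grants = {("alice", "thermostat-app"): {"temp:read"}}

    def issue_token(self, client_id, client_secret, owner, requested_scope,
                    now, lifetime=3600):
        # 1. Authenticate the client with the client's own credentials.
        registered = self._clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered, client_secret):
            raise PermissionError("unknown client or bad client secret")
        # 2. Only scopes the resource owner approved may be issued.
        approved = self._owner_grants.get((owner, client_id), set())
        if not set(requested_scope) <= approved:
            raise PermissionError("scope not approved by resource owner")
        # 3. Mint a token denoting scope, lifetime and intended audience.
        claims = {"sub": owner, "client_id": client_id, "aud": AUDIENCE,
                  "scope": sorted(requested_scope), "exp": now + lifetime}
        body = urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return (body + b"." + urlsafe_b64encode(tag)).decode()


class ResourceServer:
    """Hosts the protected resource (an IoT thermostat) and enforces tokens."""

    def __init__(self, key: bytes, audience: str):
        self._key = key
        self._audience = audience
        self._temperature = 21.5  # constructed sensor value

    def _verify(self, token, required_scope, now):
        try:
            body, tag = token.encode().split(b".")
        except ValueError:
            raise PermissionError("malformed token")
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, urlsafe_b64decode(tag)):
            raise PermissionError("bad signature")
        claims = json.loads(urlsafe_b64decode(body))
        if claims.get("aud") != self._audience:
            raise PermissionError("token not intended for this resource server")
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        if required_scope not in claims["scope"]:
            raise PermissionError(f"scope {required_scope!r} not granted")
        return claims

    def read_temperature(self, token, now):
        self._verify(token, "temp:read", now)
        return self._temperature

    def set_temperature(self, token, value, now):
        self._verify(token, "temp:write", now)
        self._temperature = value
        return self._temperature


def demo():
    """Run the client through the flow and collect what the resource server decides."""
    now = 1_700_000_000  # constructed clock value
    auth = AuthorizationServer(SHARED_KEY)
    rs = ResourceServer(SHARED_KEY, AUDIENCE)
    results = {}
    # A client presenting the wrong client secret gets no token at all.
    try:
        auth.issue_token("thermostat-app", "wrong", "alice", {"temp:read"}, now)
        results["bad_client"] = "issued"
    except PermissionError as e:
        results["bad_client"] = str(e)
    token = auth.issue_token("thermostat-app", "c1i3nt-s3cr3t", "alice",
                             {"temp:read"}, now)
    results["read"] = rs.read_temperature(token, now)
    try:  # writing is outside the granted scope
        rs.set_temperature(token, 25.0, now)
        results["write"] = "allowed"
    except PermissionError as e:
        results["write"] = str(e)
    try:  # the same token after its lifetime has elapsed
        rs.read_temperature(token, now + 3601)
        results["late_read"] = "allowed"
    except PermissionError as e:
        results["late_read"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that the client never sees the owner's credentials: it holds only a token whose scope, expiry and audience the resource server checks on every request, so a token good for reading the temperature cannot be used to change it, and it stops working once its lifetime has passed.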