The Internet of Things is an important part of the new generation of information technologies. In the Internet of Things, various types of information about any object or process that needs to be monitored, connected to, or interacted with are collected in real time by various information sensing devices. A huge network is formed by combining the Internet of Things with the Internet.
Usually, in the Internet of Things, a resource server (RS) includes one or more resource entities. The resource entity may be a sensor such as a humidity sensor, a temperature sensor, a gravity sensor, or various industrial sensors. Alternatively, the resource entity may be a controller such as a light switch, a temperature regulator, or various industrial controllers.
The resource server is a constrained node. Compared with an unconstrained node, the constrained node has a limited central processing unit, limited storage space, a limited battery capacity, a limited data transmission capability, a limited user interface, and the like. The constrained node usually refers to a sensor, a controller, an intelligent object, an intelligent device, and the like. A storage capacity of a RAM (random access memory) in the constrained node is less than or equal to 50 kilobytes, and a storage capacity of a ROM (read only memory) in the constrained node is less than or equal to 250 kilobytes. A network including constrained nodes is usually referred to as a constrained network. Such a network usually has an unstable transmission channel, limited and unpredictable bandwidth, and an unstable network topology.
In an actual application, a client needs to access a resource entity on the resource server to obtain a related resource. However, the resource server may hold private data; for example, in a health and medical scenario, a sensor may hold information about a user such as a blood pressure and a heart rate. To improve data security, the client needs to obtain permission to access the resource server before obtaining the private data from the resource server. Therefore, authorizing the client in the Internet of Things is particularly important.
In an actual application, an authorization server is generally located in a home domain of the resource server, and is an unconstrained node. The unconstrained node refers to a device having features such as a strong processing capability, large storage space, a large battery capacity, a strong transmission capability, and diversified user interfaces compared with a constrained node. A storage capacity of a RAM in an unconstrained node is greater than 50 kilobytes, and a storage capacity of a ROM in the unconstrained node is greater than 250 kilobytes. The authorization server assists the resource server in performing permission authentication and authorization control on the client on behalf of a resource owner. Main functions of the authorization server include one or more of the following: (1) obtaining authorization information of the resource server from the resource owner, that is, which client has which access permission for which resource server under what conditions; (2) assisting the resource server in establishing a secure data transmission channel between the client and the resource server, that is, negotiating a session key or providing authentication information; (3) returning authorization information for different clients and different resource information on different resource servers according to a request of the client or the resource server; and (4) storing an authorization rule that is set by the resource owner, and performing authorization verification on an authorization request from the client or the resource server according to the authorization rule.
In the prior art, a process in which a client accesses a resource is as follows.
Step S1: The client sends a resource access request to a resource server.
Step S2: The resource server returns address information of an authorization server to the client.
Step S3: The client sends an authorization request to the authorization server according to the address information of the authorization server.
Step S4: The authorization server returns an authorization response to the client.
The authorization response may be an authorization verification success response or an authorization verification failure response. The authorization verification success response carries an authorization verification credential used to indicate a verification result. If the authorization response is the authorization verification success response, step S5 further needs to be performed.
Step S5: The client sends a resource access request to the resource server.
The resource access request carries the authorization verification credential.
Step S6: The resource server returns a resource access response to the client according to the authorization verification credential.
The foregoing authorization on the client relies on direct interaction between the client and the authorization server, which is possible only when the client can communicate with the authorization server. However, in an actual application, when the client cannot directly communicate with the authorization server, for example, when the client is disconnected from the authorization server, the authorization on the client cannot be performed. As a result, the client cannot obtain a resource from the resource server.
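The six-step flow above, together with the failure case in which the client has no route to the authorization server, can be modelled end to end. The following Python simulation is an added example and is not code from the patent or from any particular product. It assumes (constructed for the example) that the authorization server and the resource server pre-share a symmetric key, that the authorization verification credential is an HMAC-protected record naming the client, resource server, resource, action and an expiry time, and that the resource owner's rules are a simple table mapping (client, resource server, resource) to permitted actions; the addresses, identifiers and sensor value are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: the AS and the RS pre-share it; the
# page does not say how the RS is able to check the credential.
SHARED_KEY = b"constructed-demo-key"


def _mac(key, credential):
    """MAC over a canonical serialization so AS and RS authenticate identical bytes."""
    data = json.dumps(credential, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Unconstrained node in the RS home domain; stores the owner's authorization rules."""

    def __init__(self, address, key, rules):
        self.address = address
        self.key = key
        self.rules = rules  # (client_id, rs_id, resource) -> set of permitted actions

    def handle_authorization_request(self, req, now):
        allowed = self.rules.get((req["client"], req["rs"], req["resource"]), set())
        if req["action"] not in allowed:
            return {"status": "failure"}                    # step S4: verification failure
        credential = {"client": req["client"], "rs": req["rs"],
                      "resource": req["resource"], "action": req["action"],
                      "exp": now + 300}                     # constructed 5-minute lifetime
        return {"status": "success", "credential": credential,
                "mac": _mac(self.key, credential)}          # step S4: verification success


class ResourceServer:
    """Constrained node; checks the credential locally, no round trip to the AS."""

    def __init__(self, rs_id, as_address, key, resources):
        self.rs_id = rs_id
        self.as_address = as_address
        self.key = key
        self.resources = resources

    def handle_resource_access_request(self, req, now):
        if "credential" not in req:
            return {"status": "unauthorized", "as_address": self.as_address}  # step S2
        cred = req["credential"]
        if not hmac.compare_digest(_mac(self.key, cred), req["mac"]):
            return {"status": "forbidden", "reason": "credential integrity check failed"}
        if (cred["rs"] != self.rs_id or cred["client"] != req["client"]
                or cred["resource"] != req["resource"]
                or cred["action"] != req["action"] or cred["exp"] < now):
            return {"status": "forbidden", "reason": "credential does not cover this request"}
        return {"status": "ok", "value": self.resources[req["resource"]]}  # step S6


class Client:
    def __init__(self, client_id, reachable):
        self.client_id = client_id
        self.reachable = reachable  # AS address -> server object the client can currently reach

    def access(self, rs, resource, action, now):
        req = {"client": self.client_id, "resource": resource, "action": action}
        first = rs.handle_resource_access_request(req, now)                 # step S1
        if first["status"] != "unauthorized":
            return first
        as_server = self.reachable.get(first["as_address"])
        if as_server is None:   # the disconnected case described in the text
            return {"status": "failed", "reason": "authorization server unreachable"}
        auth = as_server.handle_authorization_request(                     # step S3
            {"client": self.client_id, "rs": rs.rs_id,
             "resource": resource, "action": action}, now)
        if auth["status"] != "success":
            return {"status": "failed", "reason": "authorization denied"}
        req.update(credential=auth["credential"], mac=auth["mac"])
        return rs.handle_resource_access_request(req, now)                  # step S5


def run_scenarios():
    """Authorized online client, same client with no AS route, and an unlisted client."""
    as_server = AuthorizationServer("coaps://as.example", SHARED_KEY,
                                    {("client-1", "rs-1", "temperature"): {"read"}})
    rs = ResourceServer("rs-1", "coaps://as.example", SHARED_KEY, {"temperature": 21.5})
    online = Client("client-1", {"coaps://as.example": as_server})
    offline = Client("client-1", {})          # same identity, AS unreachable
    other = Client("client-2", {"coaps://as.example": as_server})
    return {
        "online": online.access(rs, "temperature", "read", now=1000),
        "offline": offline.access(rs, "temperature", "read", now=1000),
        "denied": other.access(rs, "temperature", "read", now=1000),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The resource server never contacts the authorization server itself; it only verifies the MAC and checks that the credential names this server, this client, this resource and this action and has not expired, which is what lets a constrained node accept the credential cheaply. The "offline" scenario shows the limitation the text describes: once step S2 hands back an address the client cannot reach, the flow stops before any credential is issued.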