{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,28]],"date-time":"2025-10-28T10:48:04Z","timestamp":1761648484890,"version":"build-2065373602"},"reference-count":27,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2017,10,17]],"date-time":"2017-10-17T00:00:00Z","timestamp":1508198400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Access control is a key element when guaranteeing the security of online services. However, devices that make the Internet of Things have some special requirements that foster new approaches to access control mechanisms. Their low computing capabilities impose limitations that make traditional paradigms not directly applicable to sensors and actuators. In this paper, we propose a dynamic, scalable, IoT-ready model that is based on the OAuth 2.0 protocol and that allows the complete delegation of authorization, so that an as a service access control mechanism is provided. Multiple tenants are also supported by means of application-scoped authorization policies, whose roles and permissions are fine-grained enough to provide the desired flexibility of configuration. Besides, OAuth 2.0 ensures interoperability with the rest of the Internet, yet preserving the computing constraints of IoT devices, because its tokens provide all the necessary information to perform authorization. The proposed model has been fully implemented in an open-source solution and also deeply validated in the scope of FIWARE, a European project with thousands of users, the goal of which is to provide a framework for developing smart applications and services for the future Internet. 
We provide the details of the deployed infrastructure and offer the analysis of a sample smart city setup that takes advantage of the model. We conclude that the proposed solution enables a new access control as a service paradigm that satisfies the special requirements of IoT devices in terms of performance, scalability and interoperability.<\/jats:p>","DOI":"10.3390\/fi9040064","type":"journal-article","created":{"date-parts":[[2017,10,17]],"date-time":"2017-10-17T11:14:35Z","timestamp":1508238875000},"page":"64","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":29,"title":["IAACaaS: IoT Application-Scoped Access Control as a Service"],"prefix":"10.3390","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8456-8351","authenticated-orcid":false,"given":"\u00c1lvaro","family":"Alonso","sequence":"first","affiliation":[{"name":"Departamento de Ingenier\u00eda de Sistemas Telem\u00e1ticos, Universidad Polit\u00e9cnica de Madrid, 28040 Madrid, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9325-9542","authenticated-orcid":false,"given":"Federico","family":"Fern\u00e1ndez","sequence":"additional","affiliation":[{"name":"Departamento de Ingenier\u00eda de Sistemas Telem\u00e1ticos, Universidad Polit\u00e9cnica de Madrid, 28040 Madrid, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8455-9519","authenticated-orcid":false,"given":"Lourdes","family":"Marco","sequence":"additional","affiliation":[{"name":"Departamento de Ingenier\u00eda de Sistemas Telem\u00e1ticos, Universidad Polit\u00e9cnica de Madrid, 28040 Madrid, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Joaqu\u00edn","family":"Salvach\u00faa","sequence":"additional","affiliation":[{"name":"Departamento de Ingenier\u00eda de Sistemas Telem\u00e1ticos, Universidad Polit\u00e9cnica de Madrid, 28040 Madrid, 
Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2017,10,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Lin, H., and Bergmann, N.W. (2016). IoT Privacy and Security Challenges for Smart Home Environments. Information, 7.","DOI":"10.3390\/info7030044"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"103","DOI":"10.1109\/MC.2003.1236475","article-title":"Security and privacy in sensor networks","volume":"36","author":"Chan","year":"2003","journal-title":"Computer"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Medaglia, C.M., and Serbanati, A. (2010). An Overview of Privacy and Security Issues in the Internet of Things. The Internet of Things: 20th Tyrrhenian Workshop on Digital Communications, Springer.","DOI":"10.1007\/978-1-4419-1674-7_38"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"1645","DOI":"10.1016\/j.future.2013.01.010","article-title":"Internet of Things (IoT): A vision, architectural elements, and future directions","volume":"29","author":"Gubbi","year":"2013","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Fern\u00e1ndez, F., Alonso, A., Marco, L., and Salvach\u00faa, J. (2017, January 7\u20139). A model to enable application-scoped access control as a service for IoT using OAuth 2.0. Proceedings of the 20th Conference on Innovations in Clouds, Internet and Networks (ICIN), Paris, France.","DOI":"10.1109\/ICIN.2017.7899433"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"2266","DOI":"10.1016\/j.comnet.2012.12.018","article-title":"On the features and challenges of security and privacy in distributed internet of things","volume":"57","author":"Roman","year":"2013","journal-title":"Comput. 
Netw."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1016\/j.comnet.2014.11.008","article-title":"Security, privacy and trust in Internet of Things: The road ahead","volume":"76","author":"Sicari","year":"2015","journal-title":"Comput. Netw."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1109\/2.485845","article-title":"Role-based access control models","volume":"29","author":"Sandhu","year":"1996","journal-title":"Computer"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Yuan, E., and Tong, J. (2005, January 11\u201315). Attributed based access control (ABAC) for web services. Proceedings of the 2005 IEEE International Conference on Web Service, Orlando, FL, USA.","DOI":"10.1109\/ICWS.2005.25"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"601","DOI":"10.1109\/TSC.2014.2363474","article-title":"From RBAC to ABAC: Constructing flexible data access control for cloud storage services","volume":"8","author":"Zhu","year":"2015","journal-title":"IEEE Trans. Serv. Comput."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1109\/MCOM.2017.1600611CM","article-title":"A Community-Driven access control Approach in Distributed IoT Environments","volume":"55","author":"Hussein","year":"2017","journal-title":"IEEE Commun. Mag."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Hemdi, M., and Deters, R. (2016, January 13\u201315). Using REST based protocol to enable ABAC within IoT systems. Proceedings of the 7th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, Canada.","DOI":"10.1109\/IEMCON.2016.7746297"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Kinikar, S., and Terdal, S. (2016, January 26\u201327). Implementation of open authentication protocol for IoT based application. 
Proceedings of the 2016 International Conference on Inventive Computation Technologies (ICICT), Tamilnadu, India.","DOI":"10.1109\/INVENTIVE.2016.7823267"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1224","DOI":"10.1109\/JSEN.2014.2361406","article-title":"Iot-oas: An oauth-based authorization service architecture for secure services in iot scenarios","volume":"15","author":"Cirani","year":"2015","journal-title":"IEEE Sens. J."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Emerson, S., Choi, Y.K., Hwang, D.Y., Kim, K.S., and Kim, K.H. (2015, January 28\u201330). An oauth based authentication mechanism for iot networks. Proceedings of the 6th International Conference on Information and Communication Technology Convergence, Jeju Island, Korea.","DOI":"10.1109\/ICTC.2015.7354740"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Hardt, D. (2012). The OAuth 2.0 Authorization Framework, RFC Editor, Dick Hardt, Microsoft. RFC 6749.","DOI":"10.17487\/rfc6749"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Korzun, D.G., Balandin, S.I., and Gurtov, A.V. (2013). Deployment of Smart Spaces in Internet of Things: Overview of the Design Challenges. Internet of Things, Smart Spaces, and Next Generation Networking, Proceedings of the 13th International Conference, NEW2AN 2013 and 6th Conference, ruSMART 2013, St. Petersburg, Russia, 28\u201330 August 2013, Springer.","DOI":"10.1007\/978-3-642-40316-3_5"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1109\/MITP.2016.42","article-title":"The Internet of Things in Healthcare: Potential Applications and Challenges","volume":"18","author":"Laplante","year":"2016","journal-title":"IT Prof."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Keertikumar, M., Shubham, M., and Banakar, R.M. (2015, January 8\u201310). Evolution of IoT in smart vehicles: An overview. 
Proceedings of the 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), Delhi, India.","DOI":"10.1109\/ICGCIoT.2015.7380573"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Singh, D., Tripathi, G., and Jara, A.J. (2014, January 6\u20138). A survey of Internet-of-Things: Future vision, architecture, challenges and services. Proceedings of the 2014 IEEE World Forum on Internet of Things (WF-IoT), Seoul, Korea.","DOI":"10.1109\/WF-IoT.2014.6803174"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"431","DOI":"10.1016\/j.bushor.2015.03.008","article-title":"The Internet of Things (IoT): Applications, investments, and challenges for enterprises","volume":"58","author":"Lee","year":"2015","journal-title":"Bus. Horiz."},{"key":"ref_22","unstructured":"(2013). Extensible access control Markup Language (XACML), OASIS. version 3.0."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Turkmen, F., and Crispo, B. (2008, January 27\u201331). Performance evaluation of XACML PDP implementations. Proceedings of the 2008 ACM Workshop on Secure Web Services, Alexandria, VA, USA.","DOI":"10.1145\/1456492.1456499"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Emig, C., Brandt, F., Kreuzer, S., and Abeck, S. (2007). Identity as a Service\u2014Towards a Service-Oriented Identity Management Architecture. Dependable and Adaptable Networks and Services, Proceedings of the 13th Open European Summer School and IFIP TC6.6 Workshop, EUNICE 2007, Enschede, The Netherlands, 18\u201320 July 2007, Springer.","DOI":"10.1007\/978-3-540-73530-4_1"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Ducatel, G. (2015, January 28\u201330). Identity as a service: A cloud based common capability. 
Proceedings of the 2015 IEEE Conference on Communications and Network Security (CNS), Florence, Italy.","DOI":"10.1109\/CNS.2015.7346886"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"1497","DOI":"10.1016\/j.adhoc.2012.02.016","article-title":"Internet of things: Vision, applications and research challenges","volume":"10","author":"Miorandi","year":"2012","journal-title":"Ad Hoc Netw."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Sciancalepore, S., Piro, G., Caldarola, D., Boggia, G., and Bianchi, G. (2017, January 3\u20136). OAuth-IoT: An access control framework for the Internet of Things based on open standards. Proceedings of the 2017 IEEE Symposium on Computers and Communications (ISCC), Crete, Greece.","DOI":"10.1109\/ISCC.2017.8024606"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/9\/4\/64\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T18:47:32Z","timestamp":1760208452000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/9\/4\/64"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,17]]},"references-count":27,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2017,12]]}},"alternative-id":["fi9040064"],"URL":"https:\/\/doi.org\/10.3390\/fi9040064","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2017,10,17]]}}}