Authorization is the process of deciding what an entity ought to be
allowed to do. Managing authorization information for a large number
of devices and users is often a complex task where dedicated servers
are used.

Managing authorization of users, services and their devices with the
help of dedicated authorization servers (AS) is a common task, found
in enterprise networks as well as on the Web. In its simplest form
the authorization task can be described as granting access to a
resource hosted on a device, the resource server (RS). This exchange
is mediated by one or multiple authorization servers.

We envision that end consumers and enterprises will want to manage
their Internet of Things (IoT) devices in the same style and this
desire will increase with the number of devices that need to be
managed and controlled. The IoT devices may be constrained in
various ways including processing, memory, code, energy, etc., as
defined in [RFC7228], and the different IoT deployments present a
continuous range of device and network capabilities. Taking energy
consumption as an example: at one end there are energy-harvesting or
battery-powered devices which have a tight power budget, at the other
end there are mains-connected devices which are not constrained in
terms of power, with all levels in between. Thus IoT devices are very
different in terms of available processing and message exchange
capabilities.

This memo describes how to re-use OAuth 2.0 [RFC6749] to extend
authorization to Internet of Things devices with different kinds of
constrainedness. At the time of writing, OAuth 2.0 is already used
with certain types of IoT devices, and this document will provide
implementers with additional guidance for using it in a secure and
privacy-friendly way. Where possible the basic OAuth 2.0 mechanisms
are used; in some circumstances profiles are defined, for example to
support a smaller over-the-wire message size and smaller code size.
