Question about token passing for device authentication #44

Open
ajlennon opened this issue Oct 12, 2024 · 0 comments

ajlennon commented Oct 12, 2024

Hi all,

(This is more of a discussion thing but I can't spot a discussion pane so have put in as an issue. Also wasn't really sure where best to put this in the available repos...)

I was chatting with @balloob about your awesome BLE/serial onboarding standard. We desperately need a standard to work around imho so thanks for doing this and thanks to Nabu Casa for supporting you.

I mentioned that a typical flow for what we need would be something like

  • Device runs BLE server
  • Mobile app scans for Device and sends WiFi/SSID to get device onto WiFi network
  • Mobile app sends random token e.g. UUID to device to link user account and device
  • Device authenticates with token to cloud API
  • Device / User account now linked in cloud

I completely understand that you don't want to extend the scope of the open standard unduly (e.g. for token based authentication support as above) and have been thinking about how we might do this within the existing standard.

So I wanted to bounce this idea off you to see what people think and whether there's a cleaner / more secure way to do this than I am suggesting?

  • Device runs BLE server
  • Mobile app scans for Device and sends WiFi/SSID to get device onto WiFi network
  • Device generates random UUID-like token
  • Device authenticates that token to cloud API over WiFi
  • Device returns token in the URL string that goes back within the Improv protocol (e.g. https://api.cloud.server?token=$UUID)
  • Mobile app finalises linkage with WiFi API call using returned token.

That feels like it could work and I can't see any obvious security issues as long as the device API call and BLE comms are encrypted?

Would value any thoughts

Cheers, Alex
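The second flow in the post, simulated end to end as an added example (this is not code from the Improv project or from the issue author). The cloud API, its `register_device_token` / `link_account` operations, the `device_id` field and the five-minute validity window are assumptions for illustration; the URL host `api.cloud.server` is the placeholder from the post. The cloud side treats the token as single-use and time-limited, which is the check a defender would want on a bearer token that travels in a URL query string.

```python
"""Simulation of the device -> cloud -> app token flow described in the issue.

Added example, not code from the Improv project or the issue author.
Assumed: the cloud exposes register_device_token() and link_account(),
identifies devices by a device_id, and accepts a link within 5 minutes.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 300  # assumed: the app must finalise within 5 minutes


@dataclass
class PendingToken:
    device_id: str
    expires_at: float


@dataclass
class CloudApi:
    """Stand-in for the cloud API (assumed, not the project's API)."""
    pending: Dict[str, PendingToken] = field(default_factory=dict)  # token -> entry
    links: Dict[str, str] = field(default_factory=dict)             # device_id -> user_id
    clock: Callable[[], float] = time.time                          # injectable for tests

    def register_device_token(self, device_id: str, token: str) -> None:
        """Step 'Device authenticates that token to cloud API over WiFi'.

        The device has already authenticated itself (e.g. with its own
        device credential); here it parks a one-shot token for later linking.
        """
        self.pending[token] = PendingToken(device_id, self.clock() + TOKEN_TTL_SECONDS)

    def link_account(self, user_id: str, token: str) -> Optional[str]:
        """Step 'Mobile app finalises linkage'. Returns the linked device_id.

        pop() makes the token single-use; the expiry bounds the window in
        which a leaked URL could be replayed.
        """
        entry = self.pending.pop(token, None)
        if entry is None or entry.expires_at < self.clock():
            return None
        self.links[entry.device_id] = user_id
        return entry.device_id


class Device:
    """The BLE-provisioned device side."""

    def __init__(self, device_id: str):
        self.device_id = device_id

    def provision(self, cloud: CloudApi) -> str:
        """Steps 'Device generates random UUID-like token' and 'returns token in URL'."""
        # 32 random bytes, base64url-encoded: unguessable and URL-safe as-is.
        token = secrets.token_urlsafe(32)
        cloud.register_device_token(self.device_id, token)
        # The redirect URL handed back to the app inside the Improv response;
        # host is the placeholder used in the issue text.
        return f"https://api.cloud.server?token={token}"


def finalise_link(cloud: CloudApi, user_id: str, improv_url: str) -> Optional[str]:
    """Mobile app side: extract the token from the Improv URL and redeem it."""
    params = parse_qs(urlparse(improv_url).query)
    token = params.get("token", [None])[0]
    if token is None:
        return None
    return cloud.link_account(user_id, token)


if __name__ == "__main__":
    cloud = CloudApi()
    url = Device("dev-1").provision(cloud)
    print("device linked to:", finalise_link(cloud, "user-a", url))
    print("replay of same URL:", finalise_link(cloud, "user-b", url))
```

Running the module links `dev-1` to `user-a` on the first redemption and returns `None` on the replay, because the token was consumed. The same `clock` injection lets the expiry path be exercised without sleeping.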
