
Is it possible to issue individual client_ids to tens of thousands of IoT devices?

Tags: client, pricing, token-replace-attack

#1

Is it possible to issue individual client_ids to tens of thousands of IoT devices? I want to allow users to access devices, and use different client_ids for the devices in order not to allow a Token Replace Attack. The device is a consumer product, and I want to consider the case of device hacking. I want to minimize the risk even if one of the devices is hacked.


#2

I too can’t find any suggestion on how to handle thousands of IoT devices in a secure manner. We need individual client secrets for each device. Do I need to create a non-interactive client for each device, or is there another, smoother way to handle this? At the moment the solution seems to be to have 1 non-interactive client for all devices, sharing the same secret. This is not ideal from a security perspective.



#4

Evaluating using Auth0 for a similar case (some clients are devices, others are users, all using the same API). Devices aren’t secure, so they can’t share a client_id/client_secret, as that would put all devices at risk if one is compromised. At the same time, using individual clients per device doesn’t seem right (again, tens of thousands of devices).


#5

I posted a similar question at:

https://community.auth0.com/questions/14426/which-grant-type-for-many-iot-devices

What I ended up doing: create a single non-interactive client, with one username/password per device. You can create a completely new account for each device, or use the existing username/password used for SSH.

Note that I don’t think this is the right way to do it, but it seems scalable and more manageable than creating new clients for each device. If my interpretation is right, it should also be secure. But I’d really like some feedback from Auth0 on this.

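The design from post #5 (one non-interactive client plus one username/password per device, exchanged through the password grant) contrasted with a single shared client secret, as an added example that is not part of this thread and is not Auth0's code. The authorization server, token format, device names and credentials below are a constructed in-memory simulation written to show the blast radius of one compromised device under each design; only the field names in build_auth0_password_grant_body() follow Auth0's documented /oauth/token request for grant_type=password, and the tenant domain and audience passed to it are placeholders.

```python
"""Blast-radius comparison: shared client secret vs. per-device user credential.

Added example, not from the Auth0 thread. Everything is simulated in memory:
the token format is a toy HMAC-signed JSON payload, the fleet is three
constructed device names, and SHARED_CLIENT_ID is an assumed name.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

SHARED_CLIENT_ID = "iot-fleet"                 # assumed name of the one non-interactive client
SHARED_CLIENT_SECRET = secrets.token_urlsafe(32)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class AuthServer:
    """Toy authorization server supporting both grants the thread discusses."""
    device_users: dict = field(default_factory=dict)   # device_id -> (salt, pbkdf2 hash)
    revoked: set = field(default_factory=set)
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def enrol_device(self, device_id: str) -> str:
        """Provision one username/password per device (post #5's approach).
        Returns the plaintext password once, to be burned into that device only."""
        password = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.device_users[device_id] = (salt, _pbkdf2(password, salt))
        return password

    def token_client_credentials(self, client_id: str, client_secret: str):
        """SHARED design: whoever holds the fleet secret gets a fleet-wide token."""
        if client_id != SHARED_CLIENT_ID or not _eq(client_secret, SHARED_CLIENT_SECRET):
            return None
        return self._mint({"sub": client_id + "@clients", "scope": "device:*"})

    def token_password_grant(self, client_id: str, client_secret: str,
                             username: str, password: str):
        """PER-DEVICE design: the token is bound to the one device that authenticated."""
        if client_id != SHARED_CLIENT_ID or not _eq(client_secret, SHARED_CLIENT_SECRET):
            return None
        rec = self.device_users.get(username)
        if rec is None or username in self.revoked:
            return None
        salt, expected = rec
        if not hmac.compare_digest(_pbkdf2(password, salt), expected):
            return None
        return self._mint({"sub": username, "scope": f"device:{username}"})

    def revoke_device(self, device_id: str) -> None:
        """Blocking one device's user does not touch the rest of the fleet."""
        self.revoked.add(device_id)

    def _mint(self, claims: dict) -> str:
        payload = json.dumps(claims, sort_keys=True)
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + sig

    def verify(self, token: str):
        payload, _, sig = token.rpartition(".")
        good = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return json.loads(payload) if hmac.compare_digest(sig, good) else None


def build_auth0_password_grant_body(domain: str, audience: str, username: str,
                                    password: str, client_id: str, client_secret: str) -> dict:
    """Form body a device would POST to https://{domain}/oauth/token for the real
    Auth0 password grant; domain and audience are placeholders supplied by the caller."""
    return {"url": f"https://{domain}/oauth/token",
            "body": {"grant_type": "password", "username": username, "password": password,
                     "audience": audience, "client_id": client_id,
                     "client_secret": client_secret, "scope": "openid"}}


def blast_radius_demo() -> dict:
    """Attacker dumps dev-0001's flash and learns everything stored on it."""
    srv = AuthServer()
    creds = {d: srv.enrol_device(d) for d in ["dev-0001", "dev-0002", "dev-0003"]}
    leaked = creds["dev-0001"]
    # SHARED: the fleet secret alone yields a token good for every device.
    shared = srv.verify(srv.token_client_credentials(SHARED_CLIENT_ID, SHARED_CLIENT_SECRET))
    # PER-DEVICE: the leak impersonates dev-0001 only, and dies once that user is revoked.
    own = srv.token_password_grant(SHARED_CLIENT_ID, SHARED_CLIENT_SECRET, "dev-0001", leaked)
    cross = srv.token_password_grant(SHARED_CLIENT_ID, SHARED_CLIENT_SECRET, "dev-0002", leaked)
    srv.revoke_device("dev-0001")
    after = srv.token_password_grant(SHARED_CLIENT_ID, SHARED_CLIENT_SECRET, "dev-0001", leaked)
    other = srv.token_password_grant(SHARED_CLIENT_ID, SHARED_CLIENT_SECRET, "dev-0002", creds["dev-0002"])
    return {"shared_scope": shared["scope"], "leak_scope": srv.verify(own)["scope"],
            "cross_device": cross, "after_revoke": after,
            "other_device_sub": srv.verify(other)["sub"]}


if __name__ == "__main__":
    print(json.dumps(blast_radius_demo(), indent=2))
    print(build_auth0_password_grant_body("example.auth0.com", "https://api.example.com",
                                          "dev-0001", "<device password>", SHARED_CLIENT_ID,
                                          SHARED_CLIENT_SECRET))
```

Note that in the per-device design the client secret is still shared across the fleet, exactly as post #5 describes; what limits the damage is that the secret alone is useless without a device's own password, and that password maps to a single revocable identity. The simulated server also scopes each token to the authenticating device, which is what the API side must enforce for the per-device credential to mean anything.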

#6