Copyright © 2020-2021 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and permissive document license rules apply.
The Web of Things is applicable to multiple IoT domains, including Smart Home, Industrial, Smart City, Retail, and Health applications, where usage of the W3C WoT standards can simplify the development of IoT systems that combine devices from multiple vendors and ecosystems. During the last charter period of the WoT Working Group several specifications were developed to address requirements for these domains.
This Use Cases and Requirements Document is created to collect new IoT use cases from various domains that have been contributed by various stakeholders. These serve as a baseline for identifying requirements for the standardization work in the W3C WoT groups.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
This document was published by the Web of Things Interest Group as an Interest Group Note.
GitHub Issues are preferred for discussion of this specification.
Publication as an Interest Group Note does not imply endorsement by the W3C Membership.
This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
The disclosure obligations of the Participants of this group are described in the charter.
This document is governed by the 15 September 2020 W3C Process Document.
The World Wide Web Consortium (W3C) has published the Web of Things (WoT) Architecture and Web of Things (WoT) Thing Description (TD) as official W3C Recommendations in May 2020. These specifications enable easy integration across Internet of Things platforms and applications.
The W3C Web of Thing Architecture [wot-architecture] defines an abstract architecture, the WoT Thing Description [wot-thing-description] defines a format to describes a broad spectrum of very different devices, which may be connected over various protocols.
During the inception phase of the WoT 1.0 specifications in 2017-2018 the WoT IG collected use cases and requirements to enable interoperability of Internet of Things (IoT) services on a worldwide basis. These released specifications have been created to address the use cases and requirements for the first version of the WoT specifications, which are documented in https://w3c.github.io/wot/ucr-doc/
The present document gathers and describes new use cases and requirements for future standardization work in the WoT standard.
This document contains chapters describing the use cases that were contributed by multiple authors, functional and technical requirements on the Web of Things standards. Additionally it contains a summary of the liaisons, where active collaboration is taking place at the time of writing. Since this document is a WG note, additional use cases will be added in future revisions of this document.
The collection of use cases can be separated into two categories:
The following stakeholders and actors were identified when the use cases have been collected and requirements were identified. Note that these stakeholders and roles may overlap in some use cases.
Sensors:
Actuators:
Additional devices:
A Smart City managing mobile devices and sensors, including passively mobile sensor packs, packages, vehicles, and autonomous robots, where their location needs to be determined dynamically.
Smart Cities need to track a large number of mobile devices and sensors. Location information may be integrated with a logistics or fleet management system. A reusable geolocation module is needed with a common network interface to include in these various applications. For outdoor applications, GPS could be used, but indoors other geolocation technologies might be used, such as WiFi triangulation or vision-based navigation (SLAM). Therefore the geolocation information should be technology-agnostic.
NOTE: we prefer the term "geolocation", even indoors, over "localization" to avoid confusion with language localization.
One of the following:
Note: the system should be capable of notifying consumers of changes in location. This may be used to implement geofencing by some other system. This may require additional parameters, such as the maximum distance that the device may be moved before a notification is sent, or the maximum amount of time between updates. Notifications may be sent by a variety of means, some of which may not be traditional push mechanisms (for example, email might be used). For geofencing applications, it is not necessary that the device be aware of the fence boundaries; these can be managed by a separate system.
Smart Cities have the need to observe the physical locations of large number of mobile devices in use in the context of a Fleet or Logistics Management System, or to place sensor data on a map in a Dashboard application. These systems may also include geofencing notifications and mapping (visual tracking) capabilities.
High-resolution timestamps can be used in conjunction with cache manipulation to access protected regions of memory, as with the SPECTRE exploit. Certain geolocation APIs and technologies can return high-resolution timestamps which can be a potential problem. Eventually these issues will be addressed in cache architecture but in the meantime a workaround is to artificially limit the resolution of timestamps.
Location is generally considered private information when it is used with a device that may be associated with a specific person, such as a phone or vehicle, as it can be used to track that person and infer their activities or who they associate with (if multiple people are being tracked at once). Therefore APIs to access geographic location in sensitive contexts are often restricted, and access is allowed only after confirming permission from the user.
There is no single standardized semantic vocabulary for representing location data. Location data can be point data, a path, an area or a volumetric object. Location information can be expressed using multiple standards, but the reader of location data in a TD or in data returned by an IoT device must be able to unambiguously describe location information.
There are both dynamic (data returned by a mobile sensor) and static (fixed installation location) applications for geolocation data. For dynamic location data, some recommended vocabulary to annotate data schemas would be useful. For static location data, a standard format for metadata to be included in a TD itself would be useful.
Note that accuracy and time are issues that apply to all kinds of sensors, not just geolocation. However, the specific geolocation technology of GPS is special since it is also a source of accurate time.
A Smart City managing a large number of devices whose data needs to be visualized and understood in context.
Stakeholders include:
In order to facilitate Smart City planning and decision-making, a Smart City dashboard interface makes it possible for city management to view and visualize all sensor data through the entire city in real time, with data identified as to geographic source location.
Actuators can include robots; for these, commands might be given to robots to move to new locations, drop off or pick up sensor packages, etc. However, it could also include other kinds of actuators, such as flood gates, traffic signals, lights, signs, etc. For example, posting a public message on an electronic billboard might be one task possible through the dashboard.
Sensors can include those for the environment and for people and traffic management (density counts, thermal cameras, car speeds, etc.). status of robots, other actuators, and sensors, data visualization, and (optionally) historical comparisons.
Dashboard would include mapping functionality. Mapping implies a need for location data for every actuator and sensor, which could be acquired through geolocation sensors (e.g. GPS) or assigned statically during installation.
This use case also includes images from cameras and real-time image and data streaming.
Data from a large number and wide variety of sensors needs to be integrated into a single database and normalized, then placed in time and space, and finally visualized.
The user, a member of city management responsible for making planning decisions, sees data visualized on a map suitable for planning decisions.
Variants:
Sample flow:
A service, or a user, sends a (SPARQL) query to the discovery endpoint of a known Middle-Node (which can be wrapped by a GUI). The Middle-Node will try to answer the query first checking the Thing Descriptions of the IoT devices registered in such Middle-Node. Then, if the query requires further discovery, or it was not successfully answered the Middle-Node will forward the query to its *known* Middle-Nodes. Recursively, the Middle-Nodes will try to answer the query and/or forward the query to their known Middle-Nodes. When one Middle-Node is able to answer the query it will forward back to the former Middle-Node the partial query answer. Finally, when the discovery task finishes, the former Middle-Node will join all the partial query answers producing an unified view (which could be synchronous or asynchronous).
properties property for each Thing
which is a non-normative JSON Object for
application-specific information (not to be
confused with TD's properties which is
a Map of instances of PropertyAffordance
When operating smart buildings, aggregating and managing all data provided by heterogeneous devices in these buildings still require a lot of manual effort. Besides the hurdles of data acquisition that relies on multiple protocols, the acquired data generally lacks contextual information and metadata about its location and purpose. Usually, each service or application that consumes data from building things requires information about its content and its context like, e.g.:
Through the increased use of model-based data exchange over the whole life cycle of a building, often referred to as Building Information Modeling (BIM) (Sacks et al., 2018), a curated source for data describing the building itself is available including, amongst others, the topology of the building structured into e.g. sites, stores and spaces.
Automatically tracking down data and their related things in a building would especially ease the configuration and operation of Building Automation and Control Systems (BACS) and Heating Ventilation and Air-Conditioning (HVAC) services during commissioning, operation, maintenance and retrofitting. To tackle these challenges, still, building experts make use of metadata and naming conventions which are manually implemented in Building Management Systems (BMS) databases to annotate data and things. An important property of a thing is its location within the topology of a building as well as where its related data are produced or used. For example, this applies to the temperature sensor of a space, the temperature setpoint of a zone, a mixing damper flap actuator of a HVAC component, etc. In addition, other attributes of things are of interest, such as cost or specific manufacturer data. One difficulty is especially the lack of a standardized way of creating, linking and sharing this information in an automated manner. On the contrary, manufacturers, service providers and users introduce their own metadata for their own purpose. As a solution, the Web of Things (WoT) Thing Description (TD) aims at providing normalized and syntactic interoperability between things.
To support this effort, this use case is motivated by the need to enhance semantic interoperability between things in smart buildings and to provide them with contextual links to building information. This building information is usually obtained from a BIM model. The use case builds on Web of Data technologies and reuses schemas available from the Linked Building Data domain. It should serve as a use case template for many applications in an Internet of Building Things (IoBT).
The goal of this use case is to show the potential to automate workflows and address the heterogeneity of data as observed in the smart building domain. The examples show the potential benefits of combining WoT TD with contextual data obtained from BIM.
The use cases is based on the Open Smart Home Dataset, which introduces a BIM model for a residential flat combined with observations made by typical smart home sensors. We extend the dataset with Thing Descriptions of some of the items. The respective Thing Description of a temperature sensor in the kitchen of the considered flat is as follows:
{
"id": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#TemperatureSensor",
"@context": [
"https://www.w3.org/2019/wot/td/v1",
{
"osh": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#",
"bot": "https://w3id.org/bot#",
"sosa": "http://www.w3.org/ns/sosa/",
"om": "http://www.ontology-of-units-of-measure.org/resource/om-2/",
"ssns": "http://www.w3.org/ns/ssn/systems/",
"brick": "https://brickschema.org/schema/Brick#",
"schema": "http://schema.org"
}
],
"title": "TemperatureSensor",
"description": "Kitchen Temperature Sensor",
"@type": ["sosa:Sensor", "brick:Zone_Air_Temperature_Sensor", "bot:element"],
"@reverse": {
"bot:containsElement": {
"@id": "osh:Kitchen"
}
},
"securityDefinitions": {
"basic_sc": {
"scheme": "basic",
"in": "header"
}
},
"security": [
"basic_sc"
],
"properties": {
"Temperature": {
"type": "number",
"unit": "om:degreeCelsius",
"forms": [
{
"href": "https://kitchen.example.com/temp",
"contentType": "application/json",
"op": "readproperty"
}
],
"readOnly": true,
"writeOnly": false
}
},
"sosa:observes": {
"@id": "osh:Temperature",
"@type": "sosa:ObservableProperty"
},
"ssns:hasSystemCapability": {
"@id": "osh:SensorCapability",
"@type": "ssns:SystemCapability",
"ssns:hasSystemProperty": {
"@type": ["ssns:MeasurementRange"],
"schema:minValue": 0.0,
"schema:maxValue": 40.0,
"schema:unitCode": "om:degreeCelsius"
}
}
}
Where the contextual information on the measurement range of the sensor is specified using the SSNS schema. The location information of the thing TemperatureSensor is provided based on the Building Topology Ontology (BOT), a minimal ontology developed by the W3C Linked Building Data Community Group (W3C LBD CG) to describe the topology of buildings in the semantic web. Additionally, the thing description of the corresponding actuator is given below.
{
"id": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#TemperatureActuator",
"@context": [
"https://www.w3.org/2019/wot/td/v1",
{
"osh": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#",
"bot": "https://w3id.org/bot#",
"sosa": "http://www.w3.org/ns/sosa/",
"ssn": "http://www.w3.org/ns/ssn/",
"brick": "https://brickschema.org/schema/Brick#"
}
],
"title": "TemperatureActuator",
"description": "Kitchen Temperature Actuator",
"@type": ["sosa:Actuator", "brick:Zone_Air_Temperature_Setpoint", "bot:element"],
"@reverse": {
"bot:containsElement": {
"@id": "osh:Kitchen"
}
},
"securityDefinitions": {
"basic_sc": {
"scheme": "basic",
"in": "header"
}
},
"security": [
"basic_sc"
],
"actions": {
"TemperatureSetpoint": {
"forms": [
{
"href": "https://kitchen.example.com/tempS"
}
]
}
},
"ssn:forProperty": {
"@id": "osh:Temperature",
"@type": "sosa:ActuatableProperty"
}
}
The scenario considered is related to the replacement of a temperature sensor in a BACS. The topological information localizing the things, e.g. the temperature sensor can be used to automatically commission the newly replaced sensor and link it to existing control algorithms. For this purpose, the identifiers of suitable sensors and actuators are needed and can be, for example, queried via SPARQL. Here the query uses some additional classification of sensors from BRICK schema.
PREFIX bot: <https://w3id.org/bot>
PREFIX brick: <https://brickschema.org/schema/Brick#>
PREFIX osh: <https://w3id.org/ibp/osh/OpenSmartHomeDataSet#>
SELECT ?sensor ?actuator
WHERE{
?space a bot:Space .
?space bot:containsElement ?sensor .
?space bot:containsElement ?actuator .
?sensor a brick:Zone_Air_Temperature_Sensor .
?actuator a brick:Zone_Air_Temperature_Setpoint .
}
Similarly this data can be obtained via a REST API built upon the HTTP protocol. Below is an example endpoint applying REST style for getting the same information for a specific space name:
GET "https://server.example.com/api/locations?space=osh:Kitchen&sensorType=brick:Zone_Air_Temperature_Sensor&actuatorType=brick:Zone_Air_Temperature_Setpoint"
API response:
{
"location": {
"site": {
"id": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#Site1",
"name": "Site1"
},
"building": {
"id": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#Building1",
"name": "Building1"
},
"zone": null,
"storey": {
"id": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#Level2",
"name": "Level2"
},
"space": {
"id": "https://w3id.org/ibp/osh/OpenSmartHomeDataSet#Kitchen",
"name": "Kitchen"
},
"sensors": [
"https://w3id.org/ibp/osh/OpenSmartHomeDataSet#TemperatureSensor"
],
"actuators": [
"https://w3id.org/ibp/osh/OpenSmartHomeDataSet#TemperatureActuator"
]
}
In this example query, the REST endpoint has been defined using the OpenAPI specification and is provided by a RESTful server. A data binding is needed between the server and the underlying backend storage, here the triple store that contains the involved ontologies (osh, bot, ssn, brick...). The data binding relies on similar SPARQL queries as the one shown above. As a result the endpoint can deliver information to a target application that consumes custom JSON rather than triples. Similar implmentation could be achieved using GraphQL.
Another related use case in smart buildings, which would greatly benefit from harmonised thing descriptions and attached location information is related to the detection of unexpected behavior, errors and faults. An example for such a detection of faults is the rule-based surveillance of sensor values. A generic rule applicable to sensors is that the observation values stay within the measurement range of the sensor. Again, in the case of maintenance as described above a sensor is replaced.
Some agent configuring fault detection rules can obtain the measurement range from the sensor's TD (see above) to obtain the parameters to configure the mentioned rule. Again, a query or API call retrieving this information (schema:minValue/ schema:maxValue) can be used to update the upper and lower bound of the values provided by the sensor.
Security in smart buildings is of importance. In particular, access control needs to be properly secured. This applies also for data access which can be secured using existing security schemes (API Keys, OAuth2...). Moreover, from certain observations, e.g. electricity consumption, clues can be indirectly given such as presence in a home. Hence, security needs must be defined and properly addressed.
Privacy considerations can be of a concern if observations of sensors can be matched to individuals. It is of the responsibility of building owners, managers and users to define their own privacy policies for their data and share necessary consents if necessary.
Accessibility is a major concern in the buildings domain. Efforts exist in also providing accessibility data in a electronic format. The W3C LBD CG is in contact with the W3C Linked Data for Accessbility Community Group.
Internationalization is a concern as the Buildings industry is a global industry. This is reflected in some efforts, e.g. BOT used in the examples above does provide multilanguage labels in up to 16 different languages including english, french and chinese.
References:
Production lines for industrial manufacturing consist of multiple machines, where each machine incorporates sensors for various values. A failure of a single machine can cause defective products or a stop of the entire production.
Big data analysis enables to identify behavioral patterns across multiple production lines of the entire production plant and across multiple plants.
The results of this analysis can be used for optimizing consumption of raw materials, checking the status of production lines and plants and predicting and preventing fault conditions.
A company owns multiple factories which contain multiple production lines. Examples are production lines and environment sensors. These devices collect data from multiple sensors and transmit this information to the cloud. Sensor data is stored in the cloud, can be visualized and analyzed using machine learning / AI.
The cloud service allows to manage single and groups of devices. Combining the data streams from multiple devices allows to get an easy overview of the state of all connected devices in the user's realm.
In many cases there are groups of devices of the same kind, so the aggregation of data across devices can serve to identify anomalies or to predict impending outages.
The cloud service allows to manage single and groups of devices and can help to identify abnormal conditions. For this purpose a set of rules can be defined by the user, which raises alerts towards the user or triggers actions on devices based on these rules.
This enables the early detection of pending problems and reduces the risk of machine outages, quality problems or threats to the environment or life of humans. It increases production efficiency, improves production logistics (such as raw material delivery and production output).
Integrating and interconnecting multiple devices into the common retail workflow (i.e., transaction log) drastically improves retail business operations at multiple levels. It brings operational visibility,including consumer behavior and environmental information, that was not previously possible or viable in a meaningful way.
It drastically speeds up the process of root cause analysis of operational issues and simplifies the work of retailers.
Note 1: the system should be capable of notifying consumers (such as security personnel), of fever detections. This may be email, SMS, or some other mechanism, such as MQTT publication.
Note 2: In all cases where images are captured, privacy considerations apply.
It would also be useful to count unique individuals for statistics purposes, but not necessarily based on identifying particular people. This is to avoid counting the same person multiple times.
Physiological Closed-Loop Control (PCLC) devices are a group of emerging technologies, which use feedback from physiological sensor(s) to autonomously manipulate physiological variable(s) through delivery of therapies conventionally delivered by clinician(s).
Clinical scenario without PCLC. An elderly female with end-stage renal failure was given a standard insulin infusion protocol to manage their blood glucose, but no glucose was provided. Their blood glucose dropped to 33, then rebounded to over 200 after glucose was given. This scenario has not changed for decades.
The desired state with PCLC implemented in an ICU. A patient is receiving an IV insulin infusion and is having the blood glucose continuously monitored. The infusion pump rate is automatically adjusted according to the real-time blood glucose levels being measured, to maintain blood glucose values in a target range. If the patient’s glucose level does not respond appropriately to the changes in insulin administration, the clinical staff is alerted.
Medical devices do not interact with each other autonomously (monitors, ventilator, IV pumps, etc.) Contextually rich data is difficult to acquire. Technologies and standards to reduce medical errors and improve efficiency have not been implemented in theater or at home.
In recent years, researchers have made progress developing PCLC devices for mechanical ventilation, anesthetic delivery applications, and so on. Despite these promises and potential benefits, there has been limited success in the translation of PCLC devices from bench to bedside. A key challenge to bringing PCLC devices to a level required for a clinical trials in humans is risk management to ensure device reliability and safety.
The United States Food and Drug Administration (FDA) classifies new hazards that might be introduced by PCLC devices into three categories. Besides clinical factors (e.g. sensor validity and reliability, inter- and intra-patient physiological variability) and usability/human factors (e.g. loss of situational awareness, errors, and lapses in operation), there are also engineering challenges including robustness, availability, and integration issues.
Security considerations for interconnected and dynamically composable medical systems are critical not only because laws such as HIPAA mandate it, but also because security attacks can have serious safety consequences for patients. The systems need to support automatic verification that the system components are being used as intended in the clinical context, that the components are authentic and authorized for use in that environment, that they have been approved by the hospital’s biomedical engineering staff and that they meet regulatory safety and effectiveness requirements.
For security and safety reasons, ICE F2761-09(2013) compliant medical devices never interact directly each other. All interaction is coordinated and controlled via the applications.
While transport-level security such as TLS provides reasonable protection against external attackers, they do not provide mechanisms for granular access control for data streams happening within the same protected link. Transport-level security is also not sufficiently flexible to balance between security and performance. Another issue with widely used transport-level security solutions is the lack of support for multicast.
Smart Cities: managing roads, public transport and commuting, autonomous and human driven vehicles, transportation tracking and control systems, route information systems, commuting and public transport, vehicles, on-demand transportation, self driving fleets, vehicle information and control systems, infrastructure sharing and payment system, smart parking, smart vehicle servicing, emergency monitoring, etc.
Transport companies: managing shipping, air cargo, train cargo and last mile delivery transportation systems including automated systems.
Commuters: Mobility as a service, booking systems, route planning, ride sharing, self-driving, self-servicing infrastructure, etc.
Provide common vocabulary for describing transport related services and solutions that can be reused across sub-categories, for easier interoperability between various systems owned by different stakeholders.
Thing models could be defined in many subdomains to help integration or interworking between multiple systems.
Transportation of goods can be optimized at global level by enhancing interoperability between vertical systems.
Home smart devices behave according to TV programs.
Hybridcast applications in TV emit information about TV programs for smart home devices. (Hybridcast is a Japanese Integrated Broadcast-Broadband system. Hybridcast applications are HTML5 applications that work on Hybridcast TV.)
Hybridcast Contact application receives the information and controlls smart home devices.
A digital twin is the virtual representation of a physical asset such as a machine, a vehicle, robot, sensor. Using a digital twin allows businesses to analyze their physical assets to troubleshoot in real time, predict future problems, minimize downtime, and perform simulations to create new business opportunities.
A digital twin may also be called a twin or a shadow. Digital twin technology may be referred to as device virtualization.
Digital twins can be located in the edge or in the cloud.
Various devices such as sensors, machines, vehicles, production lines, industry robots.
Digital twin platforms at the edge or in the cloud.
The virtual twin is a representation of a physical device or an asset. A virtual twin uses a model that contains observed and desired attribute values and also uses a semantic model of the behavior of the device.
Intermittent connectivity: An application may not be able to connect to the physical asset. In such a scenario, the application must be able to retrieve the last known status and to control the operation states of other assets.
Protocol abstraction: Typically, devices use a variety of protocols and methods to connect to the IoT network. From a users perspective this complexity should not affect other business applications such as an enterprise resource planning (ERP) application.
Business rules: The user can specify the normal operating range of a property in a semantic model. Business rules can be declaratively defined and actions can be automatically invoked in the edge or on the device.
Example: In a fleet of connected vehicles, the user monitors a collection of operating parameters, such as fuel level, location, speed and others. The semantics-based virtual twin model enables the user to decide whether the operating parameters are in normal range. In out of range conditions the user can take appropriate actions.
In a predictive twin, the digital twin implementation builds an analytical or statistical model for prediction by using a machine-learning technique. It need not involve the original designers of the machine. It is different from the physics-based models that are static, complex, do not adapt to a constantly changing environment, and can be created only by the original designers of the machine.
A data analyst can easily create a model based on external observation of a machine and can develop multiple models based on the user’s needs. The model considers the entire business scenario and generates contextual data for analysis and prediction.
When the model detects a future problem or a future state of a machine, the user can prevent or prepare for them. The user can use the predictive twin model to determine trends and patterns from the contextual machine data. The model helps to address business problems.
In twin projections, the predictions and the insights integrate with back-end business applications, making IoT an integral part of business processes. When projections are integrated with a business process, they can trigger a remedial business workflow.
Prediction data offers insights into the operations of machines. Projecting these insights into the back-end applications infrastructure enables business applications to interact with the IoT system and transform into intelligent systems. ^
There are multiple user scenarios that are addressed by this use case.
An example in the smart home environment is an automatic control lamps, air conditioners, heating, window blinds in a household based on sensor data, e.g. sunlight, human presence, calendar and clock, etc.
In an industrial environment individual actuators and production devices use different protocols. Examples include MQTT, OPC-UA, Modbus, Fieldbus, and others. Gathering data from these devices, e.g. to support digital twins or big data use cases requires an "Agent" to bridge across these protocols. To provide interoperability and to reduce implementation complexity of this agent a common set of (minimum and maximum) requirements need to be supported by all interoperating devices.
A smart city environment is similar to the industrial scenario in terms of device interoperability. Devices differ however, they include smart traffic lights, traffic monitoring, people counters, cameras.
Many of today's home IoT-enabled devices can provide similar functionality (e.g. audio/video playback), differing only in certain aspects of the user interface. This use case would allow continuous interaction with a specific application as the user moves from room to room, with the user interface switched automatically to the set of devices available in the user's present location.
On the other hand, some devices can have specific capabilities and user interfaces that can be used to add information to a larger context that can be reused by other applications and devices. This drives the need to spread an application across different devices to achieve a more user-adapted and meaningful interaction according to the context of use. Both aspects provide arguments for exploring use cases where applications use distributed multimodal interfaces.
Smart home functionality (window blinds, lights, air conditioning etc.) is controlled through a multimodal interface, composed from modalities built into the house itself (e.g. speech and gesture recognition) and those available on the user's personal devices (e.g. smartphone touchscreen). The system may automatically adapt to the preferences of a specific user, or enter a more complex interaction if multiple people are present.
Sensors built into various devices around the house can act as input modalities that feed information to the home and affect its behavior. For example, lights and temperature in the gym room can be adapted dynamically as workout intensity recorded by the fitness equipment increases. The same data can also increase or decrease volume and tempo of music tracks played by the user's mobile device or the home's media system.
OAuth 2.0 is an authorization protocol widely known for its usage across several web services. It enables third-party applications to obtain limited access to HTTP services on behalf of the resource owner or of itself. The protocol defines the following actors:
scope.These actors can be mapped to WoT entities:
TO DO: Check the OAuth 2.0 spec to determine exactly how Resource Owner is defined. Is it the actual owner of the resource (e.g. running the web server) or simply someone with the rights to access that resource?
The OAuth 2.0 protocol specifies an authorization layer that separates the client from the resource owner. The basic steps of this protocol are summarized in the following diagram:
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+Steps A and B defines what is known as authorization grant type or flow. What is important to realize here is that not all of these interactions are meant to take place over a network protocol. In some cases, interaction with with a human through a user interface may be intended. OAuth2.0 defines 4 basic flows plus an extension mechanism. The most common of which are:
codeimplicitpassword (of resource owner)client (credentials of the
client)In addition, a particular extension which is of
interest to IoT is the device flow.
Further information about the OAuth 2.0 protocol can be
found in IETF
RFC6749. In addition to the flows, OAuth 2.0 also
supports scopes. Scopes are identifiers which can be
attached to tokens. These can be used to limit
authorizations to particular roles or actions in an
API. Each token carries a set of scopes and these can
be checked when an interaction is attempted and access
can be denied if the token does not include a scope
required by the interaction. This document describes
relevant use cases for each of the OAuth 2.0
authorization flows.
For each OAuth 2.0 flow, there is a corresponding use case variant. We also include the experimental "device" flow for consideration.
code
A natural application of this protocol is when the end-user wants to interact directly with the consumed thing or to grant their authorization to a remote device. In fact from the RFC6749
This implies that the code flow can be only used when the resource owner interacts directly with the WoT consumer at least once. Typical scenarios are:
The following diagram shows the steps of the protocol adapted to WoT idioms and entities. In this scenario, the WoT Consumer has read the Thing Description of a Remote Device and want to access one of its WoT Affordances protected with OAuth 2.0 code flow.
+-----------+
+----------+ | |
| Resource | | Remote |
| Owner | | Device +<-------+
| | | | |
+----+-----+ +-----------+ |
^ |
| |
(B) |
+------------+ Client Identifier +---------------+ |
| ------(A)-- & Redirection URI ---->+ | |
| User- | | Authorization | |
| Agent ------(B)-- User authenticates --->+ Server | |
| | | | |
| ------(C)-- Authorization Code ---<+ | |
+---+----+---+ +---+------+----+ |
| | ^ v |
(A) (C) | | |
| | | | |
^ v | | |
+---+----+---+ | | |
| |>-+(D)-- Authorization Code ---------' | |
| WoT | & Redirection URI | |
| Consumer | | |
| |<-+(E)----- Access Token -------------------' |
+-----+------+ (w/ Optional Refresh Token) |
v |
| |
+-----------(F)----- Access WoT --------------------------------+
AffordanceNotice that steps (A), (B) and (C) are broken in two parts as they pass through the User-Agent.
device
The device flow (IETF RFC 8628) is
a variant of the code flow for browserless and
input-constrained devices. Similarly, to its
parent flow, it requires a close interaction
between the resource owner and the WoT consumer.
Therefore, the use cases for this flow are the same as
the code authorization grant but restricted to all
devices that do not have a rich means to interact with
the resource owner. However, differently from
code, RFC 8628 states explicitly that one
of the actors of the protocol is an end-user
interacting with a browser (even if section-6.2
briefly describes an authentication using a companion
app and BLE), as shown in the following (slightly
adapted) diagram:
+----------+
| |
| Remote |
| Device |
| |
+----^-----+
|
| (G) Access WoT Affordance
|
+----+-----+ +----------------+
| +>---(A)-- Client Identifier ---v+ |
| | | |
| +<---(B)-- Device Code, ---<+ |
| | User Code, | |
| WoT | & Verification URI | |
| Consumer | | |
| | [polling] | |
| +>---(E)-- Device Code --->+ |
| | & Client Identifier | |
| | | Authorization |
| +<---(F)-- Access Token ---<+ Server |
+-----+----+ (& Optional Refresh Token) | |
v | |
: | |
(C) User Code & Verification URI | |
: | |
^ | |
+-----+----+ | |
| End User | | |
| at +<---(D)-- End user reviews --->+ |
| Browser | authorization request | |
+----------+ +----------------+Notable mentions:
client credential
The Client Credentials grant type is used by clients to obtain an access token outside of the context of an end-user. From RFC6749:
Therefore the client credential grant can be used:
The Client Credentials flow is illustrated in the following diagram. Notice how the Resource Owner is not present.
+----------+
| |
| Remote |
| Device |
| |
+----^-----+
|
| (C) Access WoT Affordance
^
+----+-----+ +---------------+
| | | |
| +>--(A)- Client Authentication --->+ Authorization |
| WoT | | Server |
| Consumer +<--(B)---- Access Token ---------<+ |
| | | |
| | +---------------+
+----------+Comment: Usually client credentials are distributed using
an external service which is used by humans to register a
particular application. For example, the
npm cli has a companion dashboard where a
developer requests the generation of a token that is
then passed to the cli. The token is used to verify the
publishing process of npm packages in the
registry. Further examples are Docker cli and OpenId
Connect Client Credentials.
implicit
Deprecated From OAuth 2.0 Security Best Current Practice:
The RFC above suggests using code
flow with Proof Key for Code Exchange (PKCE)
instead.
The implicit flow was designed for public clients
typically implemented inside a browser (i.e. javascript
clients). As the code is a
redirection-based flow and it requires direct
interaction with the resource's owner user-agent.
However, it requires one less step to obtain a token as
it is returned directly in the authentication request
(see the diagram below).
Considering the WoT context this flow is not
particularly different from code grant and
it can be used in the same scenarios.
Comment: even if the implicit flow is
deprecated existing services may still using it.
+----------+
| Resource |
| Owner |
| |
+----+-----+
^
|
(B)
+----------+ Client Identifier +---------------+
| ------(A)-- & Redirection URI --->+ |
| User- | | Authorization |
| Agent ------(B)-- User authenticates -->+ Server |
| | | |
| +<---(C)--- Redirection URI ----<+ |
| | with Access Token +---------------+
| | in Fragment
| | +---------------+
| +----(D)--- Redirection URI ---->+ Web-Hosted |
| | without Fragment | Client |
| | | Resource |
| (F) +<---(E)------- Script ---------<+ |
| | +---------------+
+-+----+---+
| |
(A) (G) Access Token
| |
^ v
+-+----+---+ +----------+
| | | Remote |
| WoT +>---------(H)--Access WoT--------->+ Device |
| Consumer | Affordance | |
| | +----------+
+----------+resource owner password
Deprecated From OAuth 2.0 Security Best Current Practice:
For completeness the diagram flow is reported below.
+----------+
| Resource |
| Owner |
| |
+----+-----+
v
| Resource Owner
(A) Password Credentials
|
v
+-----+----+ +---------------+
| +>--(B)---- Resource Owner ------->+ |
| | Password Credentials | Authorization |
| WoT | | Server |
| Consumer +<--(C)---- Access Token ---------<+ |
| | (w/ Optional Refresh Token) | |
+-----+----+ +---------------+
|
| (D) Access WoT Affordance
|
+----v-----+
| Remote |
| Device |
| |
+----------+device flow.
Actors (represent a physical person or group of persons (company))
Manufacturer Service Provider Network Provider (potentially transparent for WoT use cases) Device Owner (User) Others?Roles:
Depending on the use case, an actor can have multiple roles, e.g. security maintainer. Roles can be delegated.This section defines the properties required in an abstract Web of Things (WoT) architecture.
There are a wide variety of physical device configurations for WoT implementations. The WoT abstract architecture should be able to be mapped to and cover all of the variations.
There are already many existing IoT solutions and ongoing IoT standardization activities in many business fields. The WoT should provide a bridge between these existing and developing IoT solutions and Web technology based on WoT concepts. The WoT should be upwards compatible with existing IoT solutions and current standards.
WoT must be able to scale for IoT solutions that incorporate thousands to millions of devices. These devices may offer the same capabilities even though they are created by different manufacturers.
WoT must provide interoperability across device and cloud manufacturers. It must be possible to take a WoT enabled device and connect it with a cloud service from different manufacturers out of the box.
The W3C WoT Thing Architecture [wot-architecture] defines the abstract architecture of Web of Things and illustrates it with various system topologies. This section describes technical requirements derived from the abstract architecture.
The use cases help to identify basic components such as devices and applications, that access and control those devices, proxies (i.e., gateways and edge devices) that are located between devices. An additional component useful in some use cases is the directory, which assists with discovery.
Those components are connected to the internet or field networks in offices, factories or other facilities. Note that all components involved may be connected to a single network in some cases, however, in general components can be deployed across multiple networks.
Access to devices is made using a description of their functions and interfaces. This description is called Thing Description (TD). A Thing Description includes a general metadata about the device, information models representing functions, transport protocol description for operating on information models, and security information.
General metadata contains device identifiers (URI), device information such as serial number, production date, location and other human readable information.
Information models defines device attributes, and represent device’s internal settings, control functionality and notification functionality. Devices that have the same functionality have the same information model regardless of the transport protocols used.
Because many systems based on Web of Things architecture are crossing system Domains, vocabularies and meta data (e.g. ontologies) used in information models should be commonly understood by involved parties. In addition to REST transports, PubSub transports are also supported.
Security information includes descriptions about authentication, authorization and secure communications. Devices are required to put TDs either inside them or at locations external to the devices, and to make TDs accessible so that other components can find and access them.
Applications need to be able to generate and use network and program interfaces based on metadata (descriptions).
Applications have to be able to obtain these descriptions through the network, therefore, need to be able to conduct search operations and acquire the necessary descriptions over the network.
Digital Twins need to generate program interfaces internally based on metadata (descriptions), and to represent virtual devices by using those program interfaces. A twin has to produce a description for the virtual device and make it externally available.
Identifiers of virtual devices need to be newly assigned, therefore, are different from the original devices. This makes sure that virtual devices and the original devices are clearly recognized as separate entities. Transport and security mechanisms and settings of the virtual devices can be different from original devices if necessary. Virtual devices are required to have descriptions provided either directly by the twin or to have them available at external locations. In either case it is required to make the descriptions available so that other components can find and use the devices associated with them.
For TDs of devices and virtual devices to be accessible from devices, applications and twins, there needs to be a common way to share TDs. Directories can serve this requirement by providing functionalities to allow devices and twins themselves automatically or the users to manually register the descriptions.
Descriptions of the devices and virtual devices need to be searchable by external entities. Directories have to be able to process search operations with search keys such as keywords from the general description in the device description or information models.
Security information related to devices and virtual devices needs to be described in device descriptions. This includes information for authentication/authorization and payload encryption.
WoT architecture should support multiple security mechanism commonly used in the web, such as Basic, Digest, Bearer and OAuth2.0.
The Web of Things primarily targets machine-to-machine communication. The humans involved are usually developers that integrate Things into applications. End-users will be faced with the front-ends of the applications or the physical user interfaces provided by devices themselves. Both are out of scope of the W3C WoT specifications. Given the focus on IoT instead of users, accessibility is not a direct requirement, and hence is not addressed within this specification.
There is, however, an interesting aspect on accessibility: Fulfilling the requirements above enables machines to understand the network-facing API of devices. This can be utilized by accessibility tools to provide user interfaces of different modality, thereby removing barriers to using physical devices and IoT-related applications.
Special thanks to all authors of use case descriptions (in alphabetical order) for their contributions to this document:
Many thanks to the W3C staff and all other active Participants of the W3C Web of Things Interest Group (WoT IG) and Working Group (WoT WG) for their support, technical input and suggestions that led to improvements to this document.
Special thanks to Kazuyuki Ashimura from the W3C for the continuous help and support of the work of the WoT Use Cases Task Force.
