A delegated authorization solution for smart-city mobile applications

Sciarretta, Giada; Carbone, Roberto; Ranise, Silvio
2016-01-01

Abstract

An increasingly popular scenario for Smart Cities is the one in which mobile apps attempt to access resources (e.g., open data about public transportation or e-government services) made available by city authorities through the use of Application Programming Interfaces (APIs). There is a growing awareness of the benefits of using APIs to foster civic engagement through a more efficient and personalized delivery of government services, and as an enabler of a new wave of innovation contributing to a more automated and sustainable city functioning. Despite these advantages, there are several factors hindering the exploitation of APIs. One of the most important technical barriers to the creation of mobile apps following the recurrent pattern of consuming data (e.g., selected parts of open data or user profiles) stored by other applications or services is the lack of a secure delegation mechanism. In this paper, we discuss the main security issues underlying the design of such a delegation mechanism for Smart City mobile apps and present a solution, based on OAuth 2.0, that overcomes the security problems. An implementation of the solution has been integrated in the Smart Community Platform for developing open services in the Trentino region and is being used daily by up to 13,000 users. To date, no security issue has been reported.
2016
978-1-5090-1131-5
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11582/313241