Various systems and methods for user-authorized onboarding of a device using a public authorization service (310) are described herein. In an example, a 3-way authorization protocol is used to coordinate device onboarding among several Internet of Things (IoT) Fog users (e.g., devices in a common network topology or domain) with principles of least privilege. For instance, respective onboarding steps may be assigned for performance by different Fog ‘owners’ such as respective users and clients (350A, 350B, . . . , 350N). Each owner may rely on a separate authorization protocol or user interaction to be notified of and to give approval for the specific onboarding action(s) assigned. Further techniques for implementation and tracking such onboarding actions as part of an IoT network service are also disclosed.