In an Internet of Things (IoT) environment, users have to request access to execute desired actions on a device, such as the control of a smart lock. However, due to the coarse-grained authorization model commonly used in current IoT environments, a user would be granted all the capabilities of a device after the authorization rather than specific capabilities he needs, which is known as the overprivilege problem. Another problem occurs when the user tries to access the device. Under the current authorization mechanism, whenever the user wants to control the device, the device would send user's credentials and the action to its remote server for authentication. Therefore, the device server would know exactly who and when the action is executed and the privacy of the user is leaked. In this paper, we propose a new authorization mechanism for devices in the Internet of Things environment which supports fine-grained permission authorization and protect the privacy of the user simultaneously. In our design, we leverage the properties of OAuth and Direct Anonymous Attestation (DAA) to improve current authorization models. We also build a prototype of our design to evaluate the security properties and compare the performance with the normal authorization scenario. We evaluate our scheme in a realistic scenario and conduct a case study of the Wi-Fi access authorization mechanism. Through the analysis and the experiment result, we show that our proposed solution can overcome both the overprivilege and privacy problem simultaneously with reasonable performance overhead.