Resource Authorization

In the previous section, we discussed how HexaEight Token Server facilitates authorization in client applications by issuing client tokens only to authorized users or resource servers.

In this section, we will explore authorization in scenarios where resources need to be protected without involving client applications. If you have only resource servers that use HexaEight's machine-to-machine communication, you can implement your own authorization service, such as a side-car authorization service. This service provides authorization logic to machine resources and uses machine tokens for direct communication and data exchange.

In this technique, neither HexaEight-Sessions nor the HexaEight Token Server plays any role in authorizing the machine-to-machine communication between the resource servers; the authorization logic is handled entirely by the side-car authorization service, as shown below.

```mermaid
%%{init: { 'theme': 'forest' } }%%
erDiagram
    Resource-Server-A ||--|| Resource-Server-B : Communicates-Directly
    Resource-Server-A {
        Uses Machine-Tokens-For-Communication
        Implements Its-Own-Authorization
        Uses Side-Car-Authorization-Server
    }
    Resource-Server-B {
        Uses Machine-Tokens-For-Communication
        Implements Its-Own-Authorization
        Uses Side-Car-Authorization-Server
    }
    Resource-Server-A ||--|| Side-Car-Authorization-A : Uses
    Resource-Server-B ||--|| Side-Car-Authorization-B : Uses
```


In machine-to-machine communication, you can also let the HexaEight Token Server provide the authorization logic: create a First Party Client Application and configure the Token Server to allow only authorized Resource Servers to interact with it. The resource servers then obtain client tokens from the HexaEight Token Server via HexaEight-Sessions and use them for direct interaction, as shown below.

```mermaid
%%{init: { 'theme': 'forest' } }%%
erDiagram
    HexaEight-Token-Server-R ||--|| Resource-Application-R : Authorizes
    HexaEight-Token-Server-R {
        Registers Resource-Application-R
        Issues Client-Identifier-To-Resource-Application-R
        Issues Source-Identifiers-To-HexaEight-Sessions
        Issues Client-Tokens-To-Only-Authorized-HexaEight-Sessions
    }
    Resource-Application-R {
        Fetches Client-Tokens
    }
    Resource-Application-R ||--|| HexaEight-Session-A : Fetch-Client-Tokens
    HexaEight-Session-A ||--|| Resource-Server-A : Uses
    Resource-Server-A {
        Create HexaEight-Session-A
    }
    Resource-Application-R ||--|| HexaEight-Session-B : Fetch-Client-Tokens
    HexaEight-Session-B ||--|| Resource-Server-B : Uses
    Resource-Server-B {
        Create HexaEight-Session-B
    }
    HexaEight-Session-A ||--|| HexaEight-Session-B : Directly-Communicates
```

HexaEight Middleware

To create HexaEight Sessions on Resource Servers, a middleware must be deployed inside each resource server. The middleware lets a Resource Server create a HexaEight Session, together with a Source-Identifier, from the HexaEight Token Server. It also lets that HexaEight Session use Client-Tokens to interact with other users and resources inside First-Party and Third-Party Applications.

```mermaid
%%{init: { 'theme': 'forest' } }%%
erDiagram
    HexaEight-Token-Server-R ||--|| Resource-Application-R : Authorizes
    HexaEight-Token-Server-R {
        Registers Resource-Application-R
        Issues Client-Identifier-To-Resource-Application-R
        Issues Source-Identifiers-To-HexaEight-Sessions
        Issues Client-Tokens-To-Only-Authorized-HexaEight-Sessions
    }
    Resource-Application-R {
        Fetches Client-Tokens
    }
    Resource-Application-R ||--|| HexaEight-Session-A : Fetch-Client-Tokens
    HexaEight-Session-A ||--|| Resource-Server-A-Middleware : Creates
    Resource-Server-A-Middleware ||--|| Resource-Server-A : Uses
    Resource-Server-A {
        Create HexaEight-Session-A
        Uses HexaEight-Middleware
    }
    Resource-Application-R ||--|| HexaEight-Session-B : Fetch-Client-Tokens
    HexaEight-Session-B ||--|| Resource-Server-B-Middleware : Creates
    Resource-Server-B-Middleware ||--|| Resource-Server-B : Uses
    Resource-Server-B {
        Create HexaEight-Session-B
        Uses HexaEight-Middleware
    }
    HexaEight-Session-A ||--|| HexaEight-Session-B : Directly-Communicates
```

  • The HexaEight Platform uses Perfect Forward Secrecy, so a compromised long-term key does not expose past sessions.
  • Machine-tokens issued by the HexaEight Platform are rotated every 15 minutes, which limits the window in which a leaked machine token remains usable.
  • Client-tokens issued by the HexaEight Platform are rotated automatically every 30 days by the Token Server, bounding the lifetime of any single client token.
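The side-car authorization approach described at the top of this page and the rotation intervals listed above, combined into one added example. This is illustrative Python written for this page, not HexaEight's own middleware or SDK code. It assumes the platform has already verified the incoming machine or client token and hands the side-car only the peer identity, token kind and issue time; the `VerifiedToken`, `SideCarAuthorizer` and `Decision` names, the injectable clock and the sample peer identities are all assumptions. The side-car is deny-by-default: a request is served only when an explicit grant matches and the token is still inside its rotation interval.

```python
# Added example, not HexaEight code: a side-car authorizer that a resource
# server consults before serving a peer. Assumed input: a token the platform
# has already verified (we only see peer identity, kind and issue time).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Rotation intervals as stated on the page. A token older than its interval
# should already have been replaced, so the side-car treats it as stale.
ROTATION_INTERVAL = {
    "machine": timedelta(minutes=15),
    "client": timedelta(days=30),
}


@dataclass(frozen=True)
class VerifiedToken:
    """Hypothetical view of a token after platform verification."""
    kind: str            # "machine" or "client"
    subject: str         # peer identity, e.g. "resource-server-b" (constructed)
    issued_at: datetime  # timezone-aware issue time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class SideCarAuthorizer:
    """Deny-by-default policy engine running beside the resource server.

    The resource server embeds no authorization rules itself; it forwards
    (token, resource, action) here and acts only on an explicit allow.
    """

    def __init__(self, now=None):
        # subject -> set of (resource, action) grants
        self._grants = {}
        # Injectable clock so freshness checks are deterministic in tests.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def grant(self, subject, resource, action):
        self._grants.setdefault(subject, set()).add((resource, action))

    def authorize(self, token, resource, action):
        interval = ROTATION_INTERVAL.get(token.kind)
        if interval is None:
            return Decision(False, f"unknown token kind {token.kind!r}")
        age = self._now() - token.issued_at
        if age < timedelta(0):
            return Decision(False, "token issue time is in the future")
        if age >= interval:
            return Decision(False, f"{token.kind} token is past its rotation interval")
        if (resource, action) not in self._grants.get(token.subject, set()):
            return Decision(False, f"no grant for {token.subject} to {action} {resource}")
        return Decision(True, "grant matched within rotation window")


def demo():
    """Exercise the authorizer with a fixed clock; returns allow/deny outcomes."""
    fixed_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    authz = SideCarAuthorizer(now=lambda: fixed_now)
    authz.grant("resource-server-b", "/inventory", "read")

    # Constructed tokens covering the interesting cases.
    fresh = VerifiedToken("machine", "resource-server-b", fixed_now - timedelta(minutes=5))
    stale = VerifiedToken("machine", "resource-server-b", fixed_now - timedelta(minutes=20))
    unknown_peer = VerifiedToken("machine", "resource-server-c", fixed_now - timedelta(minutes=1))
    client_ok = VerifiedToken("client", "resource-server-b", fixed_now - timedelta(days=29))
    client_stale = VerifiedToken("client", "resource-server-b", fixed_now - timedelta(days=30))

    return {
        "fresh_read": authz.authorize(fresh, "/inventory", "read").allowed,
        "fresh_write": authz.authorize(fresh, "/inventory", "write").allowed,
        "stale_read": authz.authorize(stale, "/inventory", "read").allowed,
        "unknown_peer_read": authz.authorize(unknown_peer, "/inventory", "read").allowed,
        "client_ok_read": authz.authorize(client_ok, "/inventory", "read").allowed,
        "client_stale_read": authz.authorize(client_stale, "/inventory", "read").allowed,
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

The freshness check is deliberately strict at the boundary (a token exactly one rotation interval old is rejected), and every failure returns a reason so the resource server can log why a peer was refused without the side-car ever leaking policy details to the peer itself.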

Summary

Resource Authorization can be implemented:

  • Using direct Machine-To-Machine communication with your own authorization server, such as a side-car authorization service.
  • Using HexaEight Sessions inside Resource Servers, which fetch Client Tokens from the HexaEight Token Server that manages the authorization policies.
  • Using HexaEight-Middleware, which allows the creation of HexaEight Sessions inside Resource Servers.