S3 Integration

The HexaEight Token Server can be integrated with S3 storage to enable multiple Token Server instances to operate in different locations while sharing the same storage. This configuration is essential for achieving high availability and scalability, allowing multiple servers to handle authentication for a large user base.

Required Environment Variables

To configure the Token Server to use S3, the following environment variables are required:

HEXAEIGHT_S3_ACCESS_KEY=<accesskey>
HEXAEIGHT_S3_BUCKET=<bucketname>
HEXAEIGHT_S3_SECRET_KEY=<secretkey>
HEXAEIGHT_S3_URL=https://s3.amazonaws.com

Note: HexaEight Token Server is compatible with any S3 provider, such as Amazon S3 or Cloudflare R2. The above example is for AWS S3.

Steps for S3 Integration

  1. Set up Policies:

    • If using Just Authentication, configure the captchapolicy.csv file to allow authentication only for the specified email addresses.
    • If using HexaEight Sessions, additional policies must be configured as outlined in the sample policies section.

  2. Generate a Time Code: Generate a synchronization time code for the Token Server by running the following command:

    ./HexaEight_Token_Issuer.exe -t

    This will prompt you to generate a new time code:

    Enter Synchronization Time Code: [Press Enter To Generate a New Time Code]
    Generating New Time Code...
    New Time Code: 28768365
    Attempting to Set This Token Server To Use This Time Code... Succeeded.

  3. Push Master Policy and Time Code to S3: After configuring the policies and generating the time code, push the master policy and time code to S3 using the following command:

    ./HexaEight_Token_Issuer --saveconfig

    The expected output will look something like this:

    - Model Configuration Saved Successfully.
    User Policy Configuration Could Not Be Saved - Skipping File
    Resource Policy Configuration Could Not Be Saved - Skipping File
    Client App Policy Configuration Could Not Be Saved - Skipping File
    Client Scopes Policy Configuration Could Not Be Saved - Skipping File
    - Captcha Model Configuration Saved Successfully.
    - Captcha Policy Configuration Saved Successfully.
    - Client ID Configuration Saved Successfully.

  4. Obtain HexaEight Server Name: To find the server name, use the following command:

    ./HexaEight_Token_Issuer -o

    Example output:

    CPU Licensing Enabled: false
    Current Resource Owner: auth2.hexaeight.com

    Alternatively, you can view the server name by visiting either of the following URLs in a browser:

    http(s)://<tokenservername>/api/resourceinfo
    http://<IPAddressofTokenServer>/api/resourceinfo

  5. Verify S3 Master Files: In your S3 bucket, you should see the following master files (in this example, auth2.hexaeight.com is the Token Server name):

    auth2.hexaeight.com_clientids
    auth2.hexaeight.com_cmodelfile
    auth2.hexaeight.com_cpolicyfile
    auth2.hexaeight.com_modelfile

  6. Run Multiple Token Servers: Once the master policy is saved to S3, you can configure multiple Token Servers with the same S3 environment variables. On startup, each Token Server checks S3 for a master policy, downloads it if present, and uses it for authentication and authorization.
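
As an added example (this is not code from the HexaEight project or its documentation), the following POSIX shell preflight check ties the steps above together for an operator bringing up a second Token Server instance: it verifies that the HEXAEIGHT_S3_* variables from the environment are set and that the endpoint uses https, then confirms from a bucket listing that all four master files for the server name reported by the -o command are present. The function names, the sample listing and the AWS CLI pipeline shown in a comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the HexaEight Token Server or its documentation.
# Preflight check for a Token Server host: validates the HEXAEIGHT_S3_*
# environment variables and confirms that the master files written by
# "--saveconfig" are present in the bucket before the server is started.
#
# The bucket listing is passed in as text (one object key per line) so the
# check runs offline. In production you would feed it from your S3 client,
# e.g. with the AWS CLI (assumption: installed and using the same key pair):
#   aws s3 ls "s3://$HEXAEIGHT_S3_BUCKET/" --endpoint-url "$HEXAEIGHT_S3_URL" | awk '{print $4}'

# check_s3_env: returns 0 when all four variables are set and the endpoint
# URL uses https; prints the first problem to stderr and returns 1 otherwise.
check_s3_env() {
    for v in HEXAEIGHT_S3_ACCESS_KEY HEXAEIGHT_S3_SECRET_KEY \
             HEXAEIGHT_S3_BUCKET HEXAEIGHT_S3_URL; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "check_s3_env: $v is not set" >&2
            return 1
        fi
    done
    # Policy files and signed requests should not cross the network in clear
    # text, so this example insists on an https endpoint.
    case "$HEXAEIGHT_S3_URL" in
        https://*) return 0 ;;
        *) echo "check_s3_env: HEXAEIGHT_S3_URL must start with https://" >&2
           return 1 ;;
    esac
}

# check_master_files <tokenservername> <listing>
# Returns 0 when all four master files for the server are in the listing,
# 1 otherwise (each missing key is reported on stderr).
check_master_files() {
    server=$1
    listing=$2
    rc=0
    for suffix in _clientids _cmodelfile _cpolicyfile _modelfile; do
        key="${server}${suffix}"
        if ! printf '%s\n' "$listing" | grep -qxF "$key"; then
            echo "check_master_files: missing $key" >&2
            rc=1
        fi
    done
    return $rc
}

# preflight <tokenservername> <listing>: both checks must pass.
preflight() {
    check_s3_env && check_master_files "$1" "$2"
}

# Constructed sample listing mirroring the bucket contents shown in the
# "Verify S3 Master Files" step.
SAMPLE_LISTING='auth2.hexaeight.com_clientids
auth2.hexaeight.com_cmodelfile
auth2.hexaeight.com_cpolicyfile
auth2.hexaeight.com_modelfile'

# Usage: the server name is the "Current Resource Owner" printed by
# "./HexaEight_Token_Issuer -o". With no HEXAEIGHT_S3_* variables exported
# this reports the first missing variable and refuses to continue.
if preflight auth2.hexaeight.com "$SAMPLE_LISTING"; then
    echo "preflight passed: safe to start this Token Server instance"
else
    echo "preflight failed: do not start the Token Server" >&2
fi
```

Run it in the same environment the Token Server will start in (so the exported variables are the ones the server sees), and wire it in front of the server's start command so that an instance with an incomplete S3 configuration, or one pointed at a bucket that has never received a --saveconfig push, never comes up serving an empty policy.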

Security Considerations

Ensure that the permissions on the Token Server's current directory are locked down: remove all access for everyone except the service owner, so that no other local account can read or modify the policy files and saved configuration kept there.
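
As an added example (not code from the HexaEight project), the following POSIX shell functions apply the directory restriction described above on a Linux host and verify it before each start. They assume GNU coreutils (stat -c), a dedicated service account for the Token Server, and that the hardening step is run once as root at install time; the account name and install path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the HexaEight Token Server or its documentation.
# Lock down the directory the Token Server runs from (it holds the policy
# CSV files and locally saved configuration) and verify the result.
# Assumptions: a Linux host with GNU coreutils (stat -c), a dedicated service
# account for the Token Server, and that harden_dir is run once as root at
# install time. The account name and path in the usage comment are placeholders.

# check_dir_private <dir> <owner>
# <owner> may be a user name or a numeric uid. Returns 0 when <dir> exists,
# is owned by <owner> and grants no group or other permissions (mode 700 or
# stricter); otherwise prints the reason to stderr and returns 1.
check_dir_private() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "check_dir_private: $dir is not a directory" >&2
        return 1
    fi
    case "$owner" in
        *[!0-9]*) want_uid=$(id -u "$owner") ;;
        *)        want_uid=$owner ;;
    esac
    have_uid=$(stat -c '%u' "$dir")
    if [ "$have_uid" != "$want_uid" ]; then
        echo "check_dir_private: $dir is owned by uid $have_uid, expected $want_uid" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "check_dir_private: $dir has mode $mode (group/other access)" >&2
           return 1 ;;
    esac
}

# harden_dir <dir> <owner>
# Gives the directory tree to the service owner, removes group/other access
# from the directory and from every file and subdirectory inside it, then
# re-checks the result.
harden_dir() {
    chown -R "$2" "$1" || return 1
    chmod 700 "$1" || return 1
    find "$1" -type d -exec chmod 700 {} + || return 1
    find "$1" -type f -exec chmod 600 {} + || return 1
    check_dir_private "$1" "$2"
}

# Usage (as root; placeholder path and account name):
#   harden_dir /opt/hexaeight/tokenserver hexaeight
# and on every start, before launching the server:
#   check_dir_private /opt/hexaeight/tokenserver hexaeight || exit 1
```

The check is deliberately strict about the owner as well as the mode: a directory with mode 700 owned by the wrong account is still readable by that account, which is the case a copy-and-paste chmod tends to leave behind.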