# Resource Authorization

In the previous section, we discussed how HexaEight Token Server facilitates authorization in client applications by issuing client tokens only to authorized users or resource servers.

In this section, we will explore authorization in scenarios where resources need to be protected without involving client applications. If you have only resource servers that use HexaEight's machine-to-machine communication, you can implement your own authorization service, such as a side-car authorization service. This service provides authorization logic to machine resources and uses machine tokens for direct communication and data exchange.

In this technique, neither HexaEight-Sessions nor HexaEight Token Server plays any role in authorizing machine-to-machine communication between the resource servers, because the authorization logic is handled by the side-car authorization service, as shown below.

```mermaid
%%{init: { 'theme': 'forest' } }%%
erDiagram
    Resource-Server-A ||--|| Resource-Server-B : Communicates-Directly
    Resource-Server-A {
	Uses Machine-Tokens-For-Communication
	Implements Its-Own-Authorization
	Uses Side-Car-Authorization-Server
    }
    Resource-Server-B {
	Uses Machine-Tokens-For-Communication
	Implements Its-Own-Authorization
	Uses Side-Car-Authorization-Server
    }
    Resource-Server-A ||--|| Side-Car-Authorization-A : Uses
    Resource-Server-B ||--|| Side-Car-Authorization-B : Uses
```
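
As an added illustration (not HexaEight code and not part of the original page), the decision logic of a side-car authorization service such as Side-Car-Authorization-B could be a default-deny check like the one below. It assumes the resource server has already validated the peer's machine token and passes the authenticated sender name as `caller`; the rule format, server names and paths are constructed for the example.

```python
"""Side-car authorization decision logic (added illustration, not HexaEight code)."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    caller: str          # authenticated name of the calling resource server
    methods: frozenset   # HTTP methods this caller may use
    path_prefix: str     # path prefix the rule covers


# Constructed sample policy for the side-car attached to Resource-Server-B.
POLICY = (
    Rule("resource-server-a.example.com", frozenset({"GET"}), "/inventory"),
    Rule("resource-server-a.example.com", frozenset({"GET", "POST"}), "/orders"),
)


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so prefix rules cannot be sidestepped.

    Assumption: the path has already been URL-decoded by the resource server.
    """
    return posixpath.normpath("/" + path.lstrip("/"))


def covers(prefix: str, path: str) -> bool:
    """Match whole path segments: '/orders' covers '/orders/7', not '/orders-admin'."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def authorize(caller: str, method: str, path: str, policy=POLICY) -> bool:
    """Return True only when an explicit rule allows the request (default deny).

    Assumption: `caller` is the sender identity the resource server obtained by
    successfully validating the peer's machine token. This function performs no
    authentication of its own and compares the name exactly.
    """
    if not caller:
        return False
    method = method.upper()
    path = normalize(path)
    return any(
        rule.caller == caller
        and method in rule.methods
        and covers(rule.path_prefix, path)
        for rule in policy
    )
```
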

In machine-to-machine communication, you can also use HexaEight Token Server to provide authorization logic by creating a First Party Client Application and configuring the Token Server to allow only authorized Resource Servers to interact with it. This enables the resource servers to obtain client tokens from the HexaEight Token Server via HexaEight-Sessions for direct interaction, as shown below.

```mermaid
%%{init: { 'theme': 'forest' } }%%
erDiagram
    HexaEight-Token-Server-R ||--|| Resource-Application-R : Authorizes
    HexaEight-Token-Server-R {
	Registers Resource-Application-R
	Issues Client-Identifier-To-Resource-Application-R
	Issues Source-Identifiers-To-HexaEight-Sessions
	Issues Client-Tokens-To-Only-Authorized-HexaEight-Sessions
    }
    Resource-Application-R {
	Fetches Client-Tokens
    }
    Resource-Application-R ||--|| HexaEight-Session-A : Fetch-Client-Tokens
    HexaEight-Session-A ||--|| Resource-Server-A  : Uses
    Resource-Server-A {
	Create HexaEight-Session-A
    }

    Resource-Application-R ||--|| HexaEight-Session-B : Fetch-Client-Tokens
    HexaEight-Session-B ||--|| Resource-Server-B  : Uses
    Resource-Server-B {
	Create HexaEight-Session-B
    }

    HexaEight-Session-A ||--|| HexaEight-Session-B : Directly-Communicates
```

To create HexaEight Sessions on Resource Servers, a middleware must be deployed that enables the creation of HexaEight Sessions inside the resource servers. The middleware allows Resource Servers to create a HexaEight Session, along with a Source-Identifier, from the HexaEight Token Server. The middleware also allows the HexaEight Session to use Client-Tokens to interact with other users and resources inside First-Party and Third-Party Applications.

```mermaid
%%{init: { 'theme': 'forest' } }%%
erDiagram
    HexaEight-Token-Server-R ||--|| Resource-Application-R : Authorizes
    HexaEight-Token-Server-R {
	Registers Resource-Application-R
	Issues Client-Identifier-To-Resource-Application-R
	Issues Source-Identifiers-To-HexaEight-Sessions
	Issues Client-Tokens-To-Only-Authorized-HexaEight-Sessions
    }
    Resource-Application-R {
	Fetches Client-Tokens
    }
    Resource-Application-R ||--|| HexaEight-Session-A : Fetch-Client-Tokens
    HexaEight-Session-A ||--|| Resource-Server-A-Middleware  : Creates
    Resource-Server-A-Middleware ||--|| Resource-Server-A  : Uses
    Resource-Server-A {
	Create HexaEight-Session-A
	Uses HexaEight-Middleware
    }

    Resource-Application-R ||--|| HexaEight-Session-B : Fetch-Client-Tokens
    HexaEight-Session-B ||--|| Resource-Server-B-Middleware  : Creates

    Resource-Server-B-Middleware ||--|| Resource-Server-B  : Uses
    Resource-Server-B {
	Create HexaEight-Session-B
	Uses HexaEight-Middleware
    }
    HexaEight-Session-A ||--|| HexaEight-Session-B : Directly-Communicates
```

## Summary

Resource Authorization can be implemented in either of the following ways:

  • Using direct machine-to-machine communication with your own authorization server.
  • Using HexaEight Sessions inside Resource Servers to fetch Client Tokens from the HexaEight Token Server, which manages the authorization policies.

HexaEight-Middleware allows the creation of HexaEight Sessions in Resource Servers.