hessra-token-identity
Identity token implementation for Hessra SDK.
This crate provides hierarchical, delegatable identity tokens using the Biscuit token format. Identity tokens serve as the authentication layer in the Hessra system, eliminating the need for mTLS certificates in most scenarios.
Features
- Hierarchical URI-based identities
- Secure delegation to sub-identities
- Time-based expiration controls
- Offline verification using public keys
- Prevention of prefix attacks through strict boundary checking
Identity Hierarchy
Identity tokens use URI-based identifiers with colon (:) delimiters for hierarchy:
urn:hessra:alice # Base identity
urn:hessra:alice:laptop # Delegated to device
urn:hessra:alice:laptop:chrome # Further delegated to application
Usage
use ;
use ;
// Create an identity token
let keypair = from_pem?;
let token = create_identity_token?;
// Verify an identity token
let public_key = from_pem?;
verify_identity_token?;
// Delegate to a sub-identity
let attenuated_token = add_identity_attenuation_to_token?;
Security Model
Delegation Restricts Usage
When a token is attenuated (delegated), it becomes MORE restrictive:
- Alice creates base token for urn:hessra:alice
- Alice attenuates it to urn:hessra:alice:laptop
- The attenuated token works ONLY for urn:hessra:alice:laptop and its sub-hierarchies
- Alice herself cannot use the attenuated token
All Checks Must Pass
Biscuit enforces that ALL checks in ALL blocks must pass:
- Base block: allows alice and alice:*
- Attenuation block: allows alice:laptop and alice:laptop:*
- Result: only alice:laptop and alice:laptop:* are authorized
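The boundary check and the all-blocks rule described above, modelled in plain Rust as an added example. This is not the crate's code and does not use the Biscuit library. The names `covers` and `authorize` are hypothetical, and rejecting empty segments such as a trailing colon is an assumption of this sketch.

```rust
/// True when `granted` covers `presented`: an exact match, or `presented`
/// sits below `granted` in the colon-delimited hierarchy.
fn covers(granted: &str, presented: &str) -> bool {
    match presented.strip_prefix(granted) {
        // Exact match.
        Some("") => true,
        // Strict boundary: the remainder must begin with ':' so that
        // "urn:hessra:alice2" is not treated as a child of "urn:hessra:alice".
        // Empty segments ("alice:" or "alice::x") are rejected (assumption).
        Some(rest) => rest.starts_with(':') && rest[1..].split(':').all(|s| !s.is_empty()),
        None => false,
    }
}

/// Models "ALL checks in ALL blocks must pass": `blocks[0]` is the base
/// identity, every later entry is an attenuation added by delegation.
fn authorize(blocks: &[&str], presented: &str) -> bool {
    !blocks.is_empty() && blocks.iter().all(|granted| covers(granted, presented))
}

fn main() {
    let base: &[&str] = &["urn:hessra:alice"];
    let laptop: &[&str] = &["urn:hessra:alice", "urn:hessra:alice:laptop"];
    // Constructed sample identities, following the hierarchy shown earlier.
    for presented in [
        "urn:hessra:alice",
        "urn:hessra:alice:laptop",
        "urn:hessra:alice:laptop:chrome",
        "urn:hessra:alice:laptop2",
        "urn:hessra:alice2",
    ] {
        println!(
            "{:<32} base token: {:<5} laptop token: {}",
            presented,
            authorize(base, presented),
            authorize(laptop, presented)
        );
    }
}
```

Because every block must pass, an attenuation can only narrow the set of accepted identities: a block naming an identity outside the base hierarchy yields a token that authorizes nothing.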
Design Documentation
For detailed design information, see IDENTITY_TOKEN_DESIGN.md.
License
Apache-2.0