§Hessra Token Authorization
Authorization token implementation for the Hessra authentication system.
This crate provides functionality for creating, verifying and attesting authorization tokens (biscuit tokens) used in the Hessra authentication system. It supports advanced features like service chain attestation and multi-party authorization.
§Features
- Token creation: Create authorization tokens with configurable time settings
- Token verification: Verify tokens using identity-based (requires subject) or capability-based (derives subject from token) modes
- Service chain attestation: Add service node attestations to tokens
- Multi-party authorization: Create tokens requiring multiple party attestations
- WASM compatibility: WIP WASM bindings for token verification
§Verification Modes
§Identity-Based Verification
Traditional verification requires an explicit subject (identity) parameter. The verifier checks if the token grants the specific subject access to the resource and operation.
§Capability-Based Verification
Capability-based verification does not require a subject parameter. Instead, the subject is derived from the token’s rights using a Datalog rule. This is useful for services that only care about whether a request has authorization for an action, not who is making the request. For example, a telemetry service might only need to verify write permission, regardless of the identity writing the data.
§Usage
```rust
use hessra_token_authz::{biscuit_key_from_string, create_biscuit, verify_token_local};
use hessra_token_core::{encode_token, KeyPair, TokenTimeConfig};

fn main() -> Result<(), hessra_token_core::TokenError> {
    // Generate the signing keypair. The verifier must be given the public
    // half of this same keypair, so capture it before the keypair is moved
    // into create_biscuit. KeyPair::public() is the biscuit keypair accessor;
    // rendering it with to_string() is assumed to give the "ed25519/<hex>"
    // form that biscuit_key_from_string accepts.
    let keypair = KeyPair::new();
    let public_key_string = keypair.public().to_string();

    // Create a new token granting "user123" the "read" operation on "resource456"
    let token = create_biscuit(
        "user123".to_string(),
        "resource456".to_string(),
        "read".to_string(),
        keypair,
        TokenTimeConfig::default(),
    )
    .map_err(|e| hessra_token_core::TokenError::generic(e.to_string()))?;

    // Serialize the token to URL-safe base64, as it would be transmitted
    let token_string = encode_token(&token);

    // Load the public key the way a verifying service would (from a string in
    // its configuration) and verify the token locally in identity-based mode:
    // subject, resource and operation must all match what the token grants
    let public_key = biscuit_key_from_string(public_key_string)?;
    verify_token_local(&token_string, public_key, "user123", "resource456", "read")?;

    println!("Token creation and verification successful!");
    Ok(())
}
```
§Structs
- AuthorizationVerifier - Builder for verifying Hessra authorization tokens with flexible configuration.
- Biscuit - This structure represents a valid Biscuit token.
- HessraAuthorization - Builder for creating Hessra authorization tokens with flexible configuration.
- ServiceNode
- TokenTimeConfig - TokenTimeConfig allows control over token creation times and durations. This is used to create tokens with custom start times and durations for testing purposes. In the future, this can be enhanced to support variable length tokens, such as long-lived bearer tokens.
§Enums
- KeyPair - Pair of cryptographic keys used to sign a token’s block.
- PublicKey - The public part of a KeyPair.
- TokenError - Detailed error type for hessra-token operations with specific failure information.
§Functions
- add_multi_party_attestation - Add a multi-party attestation to a token.
- add_multi_party_attestation_to_token - Add a multi-party attestation to a base64-encoded token string.
- add_prefix_restriction - Add a prefix restriction to a token.
- add_prefix_restriction_to_token - Add a prefix restriction to a base64-encoded token string.
- add_service_node_attestation - Add a service node attestation to a token.
- biscuit_key_from_string - Takes a public key encoded as a string in the format “ed25519/…” or “secp256r1/…” and returns a PublicKey.
- create_biscuit - Creates a new biscuit token with the specified subject and resource.
- create_multi_party_biscuit - Creates a new biscuit token with multi-party attestations.
- create_multi_party_biscuit_with_time - Creates a new biscuit token with multi-party attestations and custom time settings.
- create_multi_party_token - Creates a new multi-party biscuit token with default time configuration.
- create_multi_party_token_with_time
- create_raw_multi_party_biscuit - Creates a new biscuit token with multi-party attestations.
- create_service_chain_biscuit - Creates a new biscuit token with service chain attestations.
- create_service_chain_token - Creates a service chain biscuit token with default time configuration.
- create_service_chain_token_with_time - Creates a service chain biscuit token with custom time configuration.
- create_token - Creates a biscuit token with default time configuration.
- create_token_with_time - Creates a biscuit token with custom time configuration.
- decode_token - Decode a URL-safe base64 encoded token string to binary.
- encode_token - Encode binary token data to a URL-safe base64 string.
- get_authorization_revocation_id - Get the revocation ID for an authorization token.
- get_authorization_revocation_id_from_bytes - Get the revocation ID from raw token bytes.
- parse_token - Extracts and parses a Biscuit token from a URL-safe base64 string.
- public_key_from_pem_file
- verify_biscuit_local - Verifies a Biscuit authorization token locally without contacting the authorization server.
- verify_capability_biscuit_local - Verifies a Biscuit authorization token based on capability (resource + operation) only.
- verify_capability_token_local - Verifies a Biscuit authorization token based on capability (resource + operation) only.
- verify_service_chain_biscuit_local
- verify_service_chain_capability_biscuit_local - Binary version of verify_service_chain_capability_token_local.
- verify_service_chain_capability_token_local - Verifies a service chain token based on capability without requiring a subject.
- verify_service_chain_token_local
- verify_token_local - Verifies a Biscuit authorization token locally without contacting the authorization server.