Exacta Maestro™ StandardAgent Authentication
Exacta Maestro™ handles authentication and authorization for all communication between the Exacta Maestro™ client and the StandardAgent API, regardless of whether that API is hosted on an individual agent or on a server managing a fleet of agents. This is done using the OAuth 2.0 Client Credentials flow, sometimes called two-legged OAuth.
Overview of Client Credentials OAuth Flow
The client credentials flow is used for server-to-server communication, where no end user is involved. The Identity Provider (Azure AD, Okta, Bastian Federation, Bastian.Maestro.StandardAgent.Emulator.Identity.WebService, etc.) is configured to know about the target application (the StandardAgent API(s)) as well as any potential clients (Exacta Maestro™). The StandardAgent API should be secured so that it only accepts requests from clients that present a security token carrying the proper scopes. The client obtains a security token from the Identity Provider using its client ID and secret, and passes that token in the HTTP Authorization header of every request to the StandardAgent API.
```mermaid
sequenceDiagram
participant Exacta Maestro™
actor Agent 1
actor Agent 2
participant StandardAgent Server
participant Identity Provider
note over Exacta Maestro™, Identity Provider: Client Authentication
opt Startup and when JWT about to expire
Exacta Maestro™ ->>+ Identity Provider: Request Token using Client ID & Secret
Identity Provider -->>- Exacta Maestro™: JWT for requested scopes
end
note over Exacta Maestro™, Identity Provider: Agent Communication (Direct to Agent)
Exacta Maestro™ ->>+ Agent 1: Call WebAPI, passing JWT Authorization header
Agent 1 -->>- Exacta Maestro™: Response
Exacta Maestro™ ->>+ Agent 2: Call WebAPI, passing JWT Authorization header
Agent 2 -->>- Exacta Maestro™: Response
note over Exacta Maestro™, Identity Provider: Agent Communication (Intermediate Server)
Exacta Maestro™ ->>+ StandardAgent Server: Call WebAPI, passing JWT Authorization header
StandardAgent Server -->>- Exacta Maestro™: Response
```