Architecture

Introduction

Mekarge A3 is an Authorization Server designed to manage authentication, authorization, and access control for modern applications and services.

The system allows applications (Clients) to securely request access to protected services (Resources) on behalf of Users or backend systems.

The architectural model in Mekarge A3 is built around the following core concepts that define how applications, users, and protected services interact securely:

  • Environments isolate deployments and configurations.
  • Clients represent applications or application components requesting access to Resources.
  • Resources represent protected services.

This page introduces the architectural elements in depth.

Environment

An Environment in Mekarge A3 is a logical space used to define and isolate configuration objects such as Clients and Resources. This separation allows independent deployments for different systems or applications. For instance, a Client registered in one Environment cannot interact with Resources or other clients from another Environment, preventing accidental cross-environment access and ensuring clear security boundaries.

Each Environment is equipped with its own unique authorization and OpenID Connect endpoints.

For instance, separate Environments can be created per deployment stage, such as dev and prod.

Resource

Resources represent APIs, services, or systems that Clients can access. Access to Resources is protected and controlled by Mekarge A3. Mekarge A3 supports two primary Resource types, each designed for specific use cases in authentication workflows.

API Resource

API Resources represent traditional APIs or backend services protected by Mekarge A3. API Resources support Refresh Tokens, enabling certain Clients to obtain new access tokens without re-authenticating the end user.

MCP Server Resource

MCP Server Resources are designed for AI or model-based applications where access decisions may depend not only on scopes, but also on contextual information. For example, a Client may be allowed to access only specific document collections, tools, or workspaces exposed by an MCP Server.

Client

Clients are entities that request access to Resources on behalf of Users or backend services. Mekarge A3 is designed around Confidential Clients only. This means Clients are expected to securely store secrets or private keys. Public Clients are intentionally not supported. Mekarge A3 supports four main application types, each with specific features and requirements based on their intended use.

Machine-to-Machine (M2M) Application Clients

M2M application Clients are used for automated interactions between machines or services, without direct user involvement. These Clients authenticate directly with the Mekarge A3 Authorization Server using the Client Credentials Flow.

Web Application Clients

Web application Clients belong to an application that users access and interact with through a web browser. The application is expected to use HTTP redirects to initiate the Authorization Grant Flow towards the Mekarge A3 Authorization Server.

All Permissions granted to this type of Client must have at least one Role attached.

These Clients can make use of features including PKCE, OpenID Connect, Refresh Tokens (Offline Access), and Remember Me functionality. Remember Me allows for persistent sessions, enhancing user convenience while maintaining security.

Native Application Clients

Native Application Clients are designed for applications running directly on user devices such as mobile phones. These Clients require device attestation through a separate Attestation Server in order to verify device authenticity and integrity. The Attestation Server is expected to use HTTP redirects to initiate the Authorization Grant Flow towards the Mekarge A3 Authorization Server.

All Permissions granted to this type of Client must have at least one Role and one Attestation Profile attached.

These Clients can make use of features including Device Attestation Enforcement, PKCE, OpenID Connect, and Refresh Tokens (Offline Access).

MCP Host Clients

MCP Host Clients are specifically designed for applications that interact with MCP Servers using Streamable HTTP as the transport layer. In addition to Permissions, they can be associated with Contexts providing additional access metadata for MCP Server Resources.

All Permissions granted to this type of Client must have at least one Role attached. Similarly, all Context Visibility granted to this type of Client must have at least one Role attached as well.

These Clients can make use of features including PKCE, OpenID Connect, Refresh Tokens (Offline Access), and Remember Me functionality. Remember Me allows for persistent sessions, enhancing user convenience while maintaining security.
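As an added illustration, not Mekarge A3 code or its API, the Python model below encodes the configuration rules stated on this page as checks a reviewer could run over a proposed configuration: Environments isolate Clients from Resources of other Environments, only Confidential Clients exist, Web/Native/MCP Host Permissions need a Role, Native Permissions also need an Attestation Profile, and MCP Host Context Visibility needs a Role. The class names, the data shape, the sample clients and the assumption that Contexts attach only to MCP Server Resources are mine, not the product's.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional


class ClientType(Enum):
    M2M = "m2m"
    WEB = "web"
    NATIVE = "native"
    MCP_HOST = "mcp_host"


class ResourceType(Enum):
    API = "api"
    MCP_SERVER = "mcp_server"


@dataclass(frozen=True)
class Resource:
    name: str
    environment: str
    kind: ResourceType


@dataclass(frozen=True)
class Permission:
    resource: Resource
    scope: str
    roles: FrozenSet[str] = frozenset()
    attestation_profiles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ContextVisibility:
    resource: Resource  # assumption: always an MCP Server Resource
    context: str
    roles: FrozenSet[str] = frozenset()


@dataclass
class Client:
    name: str
    environment: str
    kind: ClientType
    credential: Optional[str]  # reference to a client secret or private key
    permissions: List[Permission] = field(default_factory=list)
    context_visibility: List[ContextVisibility] = field(default_factory=list)


# Client types whose Permissions must carry at least one Role.
ROLE_REQUIRED = {ClientType.WEB, ClientType.NATIVE, ClientType.MCP_HOST}


def validate_client(client: Client) -> List[str]:
    """Return the rules a client configuration breaks; an empty list means it is consistent."""
    problems: List[str] = []
    # Confidential Clients only: a secret or private key reference is mandatory.
    if not client.credential:
        problems.append(f"{client.name}: public clients are not supported")
    for p in client.permissions:
        # Environment isolation: a Client never reaches a Resource of another Environment.
        if p.resource.environment != client.environment:
            problems.append(f"{client.name}: {p.resource.name} lives in {p.resource.environment!r}")
        if client.kind in ROLE_REQUIRED and not p.roles:
            problems.append(f"{client.name}: permission {p.scope} on {p.resource.name} has no role")
        if client.kind is ClientType.NATIVE and not p.attestation_profiles:
            problems.append(f"{client.name}: permission {p.scope} has no attestation profile")
    for cv in client.context_visibility:
        if cv.resource.environment != client.environment:
            problems.append(f"{client.name}: context {cv.context} crosses an environment boundary")
        if cv.resource.kind is not ResourceType.MCP_SERVER:  # assumption, see lead-in
            problems.append(f"{client.name}: context {cv.context} targets a non-MCP resource")
        if client.kind is ClientType.MCP_HOST and not cv.roles:
            problems.append(f"{client.name}: context {cv.context} has no role")
    return problems


# Constructed sample configuration; the names are illustrative only.
ORDERS_API_DEV = Resource("orders-api", "dev", ResourceType.API)
ORDERS_API_PROD = Resource("orders-api", "prod", ResourceType.API)
DOCS_MCP_DEV = Resource("docs-mcp", "dev", ResourceType.MCP_SERVER)


def sample_clients() -> List[Client]:
    return [
        # M2M client with client credentials; no Role needed.
        Client("billing-job", "dev", ClientType.M2M, "secret-ref-1",
               [Permission(ORDERS_API_DEV, "orders:read")]),
        # Web client whose Permission carries a Role: valid.
        Client("shop-web", "dev", ClientType.WEB, "secret-ref-2",
               [Permission(ORDERS_API_DEV, "orders:write", frozenset({"clerk"}))]),
        # Native client with a Role but no Attestation Profile: one violation.
        Client("shop-app", "dev", ClientType.NATIVE, "key-ref-3",
               [Permission(ORDERS_API_DEV, "orders:read", frozenset({"customer"}))]),
        # Dev client with no credential pointing at a prod Resource: two violations.
        Client("stray", "dev", ClientType.M2M, None,
               [Permission(ORDERS_API_PROD, "orders:read")]),
        # MCP Host with Roles on both its Permission and its Context Visibility: valid.
        Client("assistant", "dev", ClientType.MCP_HOST, "secret-ref-4",
               [Permission(DOCS_MCP_DEV, "docs:read", frozenset({"analyst"}))],
               [ContextVisibility(DOCS_MCP_DEV, "collection:finance", frozenset({"analyst"}))]),
    ]


def audit() -> dict:
    """Map each sample client name to its list of violations."""
    return {c.name: validate_client(c) for c in sample_clients()}
```

Running `audit()` over the constructed sample flags `shop-app` (missing Attestation Profile) and `stray` (no credential, cross-environment Permission) while the other three pass, which is the outcome the rules above describe; the same function can be applied to a real configuration export once it is mapped onto these dataclasses.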

User

A User represents the end user on whose behalf a Client requests access. Each User has a single User Group, which in turn can have multiple Roles attached. This structure allows for flexible access management, where Roles define the permissions and capabilities a User can have based on their group.

During the authentication process, Mekarge A3 Authorization Server fetches User credentials and information through Data Sources, where localized User claims can be dynamically retrieved based on the requested Locale.