Authorization w/ Macaroons or Biscuits

Macaroons & Biscuits are two related ways to implement fine-grained authorization at scale. Macaroons work by granting an unforgeable token that can be delegated and "attenuated" (i.e. further restricted) without action by the server. This can extend to third-party services as well. Biscuits work similarly, but use more public key crypto infrastructure rather than the HMACs that Macaroons use, allowing for the private keys to not be widely distributed. Biscuits also specify a Datalog implementation to specify attenuation logic in tokens that can simply be executed by the server. It would be nice to have recipes for both of these since they would be useful for handling requests in a Macaroon- or Biscuit-oriented API.

Andrew Elgert 9 months ago
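
The HMAC chaining that lets a Macaroon holder attenuate a token without contacting the server, as an added example that is not part of the original post or any library's API. The token layout, the `key = value` caveat format and all names are assumptions made for illustration; third-party caveats and Biscuits are not covered.

```python
import hashlib
import hmac

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: bytes) -> dict:
    """Server side: the first signature is HMAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [], "sig": mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: the current signature is the HMAC key for the next link,
    so adding a restriction needs no root key and no server round trip."""
    return {
        "id": token["id"],
        "caveats": token["caveats"] + [caveat],
        "sig": mac(token["sig"], caveat.encode()),
    }

def caveat_holds(caveat: str, request: dict) -> bool:
    # Hypothetical caveat grammar "key = value"; anything malformed fails closed.
    key, sep, value = caveat.partition(" = ")
    return bool(sep) and request.get(key) == value

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Server side: rebuild the chain from the root key, compare signatures
    in constant time, then require every caveat to hold for this request."""
    sig = mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = mac(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(caveat_holds(c, request) for c in token["caveats"])

def demo() -> dict:
    root_key = b"constructed-root-key-for-example"  # constructed sample value
    base = mint(root_key, b"user-42")
    narrowed = attenuate(attenuate(base, "method = GET"), "path = /reports")
    # A holder who drops a caveat cannot recompute the earlier signature.
    stripped = {**narrowed, "caveats": narrowed["caveats"][:1]}
    ok_req = {"method": "GET", "path": "/reports"}
    return {
        "allowed": verify(root_key, narrowed, ok_req),
        "wrong_method": verify(root_key, narrowed, {**ok_req, "method": "POST"}),
        "caveat_stripped": verify(root_key, stripped, ok_req),
    }

if __name__ == "__main__":
    print(demo())
```

Because each signature is derived one-way from the previous one, a holder can only add caveats; removing one invalidates the chain.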