Authorization w/ Macaroons or Biscuits

Macaroons & Biscuits are two related ways to implement fine-grained authorization at scale. Macaroons work by granting an unforgeable token that can be delegated and "attenuated" (i.e. further restricted) without action by the server. This can extend to third-party services as well.

Biscuits work similarly, but use more public key crypto infrastructure rather than the HMACs that Macaroons use, allowing for the private keys to not be widely distributed. Biscuits also specify a Datalog implementation to specify attenuation logic in tokens that can simply be executed by the server.

It would be nice to have recipes for both of these since they would be useful for handling requests in a Macaroon- or Biscuit-oriented API.

Status: In Review

Board: 💡 Feature Request

Date: 9 months ago

Author: Andrew Elgert
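The HMAC chaining that lets a Macaroon holder attenuate a token without contacting the server, as an added example that is not part of the original request and not any library's API. The token layout, the function names and the small `field op value` caveat syntax are assumptions for illustration; third-party caveats and the real wire format are left out.

```python
import hashlib
import hmac


def _chain(key: bytes, msg: bytes) -> bytes:
    """One link of the chain: HMAC-SHA256 keyed by the previous signature."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Server side: the first signature is keyed by the secret root key."""
    return {"id": identifier, "caveats": [],
            "sig": _chain(root_key, identifier.encode())}


def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: needs only the current signature, never the root key."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat.encode())}


def caveat_holds(caveat: str, ctx: dict) -> bool:
    """Evaluate 'field = value' or 'field < int'; anything else fails closed."""
    parts = caveat.split(" ", 2)
    if len(parts) != 3 or parts[0] not in ctx:
        return False
    field, op, value = parts
    if op == "=":
        return str(ctx[field]) == value
    if op == "<" and value.isdigit() and isinstance(ctx[field], int):
        return ctx[field] < int(value)
    return False


def verify(root_key: bytes, token: dict, ctx: dict) -> bool:
    """Server side: recompute the chain from the root key, then check caveats."""
    sig = _chain(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # a caveat was removed, reordered or altered
    return all(caveat_holds(c, ctx) for c in token["caveats"])


if __name__ == "__main__":
    root = b"constructed-demo-root-key-32byte"  # constructed sample key
    narrowed = attenuate(mint(root, "user-42"), "op = read")
    print(verify(root, narrowed, {"op": "read"}))
    print(verify(root, narrowed, {"op": "write"}))
```

Because each signature is the HMAC key for the next caveat, a holder can add restrictions but cannot recover an earlier signature to drop one; the verifier, however, must hold the root key, which is the distribution problem the request says Biscuits address with public-key signatures.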