2020-10-28 13:47:31 +03:00
# Biscuit authentication/authorization token
2019-01-02 16:23:30 +03:00
2019-01-18 18:52:11 +03:00
[](https://gitter.im/CleverCloud/biscuit?utm_source=badge& utm_medium=badge& utm_campaign=pr-badge& utm_content=badge)
2019-12-19 13:20:39 +03:00
< img src = "https://raw.githubusercontent.com/CleverCloud/biscuit/master/assets/brown.png" width = "200" >
2019-01-07 14:19:08 +03:00
2019-12-19 13:20:39 +03:00
## Goals
2019-01-07 14:19:08 +03:00
2020-10-28 13:47:31 +03:00
Biscuit is an authentication and authorization token for microservices
2019-01-02 16:23:30 +03:00
architectures with the following properties:
2020-10-28 13:47:31 +03:00
- distributed authentication: any node could validate the token only with public
2019-01-08 23:44:23 +03:00
information;
- offline delegation: a new, valid token can be created from another one by
attenuating its rights, by its holder, without communicating with anyone;
- capabilities based: authorization in microservices should be tied to rights
related to the request, instead of relying to an identity that might not make
sense to the verifier;
2019-02-26 18:59:59 +03:00
- flexible rights managements: the token uses a logic language to specify attenuation
and add bounds on ambient data;
2019-01-08 23:44:23 +03:00
- small enough to fit anywhere (cookies, etc).
2019-01-02 16:23:30 +03:00
2019-12-19 13:20:39 +03:00
## Non goals
2019-01-08 23:44:23 +03:00
- This is not a new authentication protocol. Biscuit tokens can be used as
opaque tokens delivered by other systems such as OAuth.
2021-02-26 12:46:27 +03:00
- Revocation: Biscuit generates unique revocation identifiers for each token,
and can provide expiration dates as well, but revocation requires external
state management (revocation lists, databases, etc) that is outside of this
specification.
2019-12-19 13:20:39 +03:00
## Roadmap
2019-03-18 19:34:22 +03:00
2019-03-19 12:38:21 +03:00
You can follow the next steps on the [roadmap ](https://github.com/CleverCloud/biscuit/issues/12 ).
2019-03-18 19:34:22 +03:00
2019-12-19 13:20:39 +03:00
Current status:
- the credential language, cryptographic primitives and serialization format are done
2020-11-17 18:21:39 +03:00
- we have implementations in [Rust ](https://github.com/clevercloud/biscuit-rust ), [Java ](https://github.com/clevercloud/biscuit-java ), [Go ](https://github.com/flynn/biscuit-go ) and [Web Assembly ](https://github.com/clevercloud/biscuit-wasm ) (based on the Rust version)
2019-12-19 13:20:39 +03:00
- Currently deploying to real world use cases such as [Apache Pulsar ](https://github.com/clevercloud/biscuit-pulsar )
- looking for an audit of the token's design, cryptographic primitives and implementations
## How to help us?
2019-03-18 19:34:22 +03:00
- provide use cases that we can test the token on (some specific kind of caveats, auth delegation, etc)
- cryptographic design audit: we need to decide on a cryptographic scheme that will be strong enough
2019-03-19 12:38:21 +03:00
2019-12-19 13:20:39 +03:00
## Project organisation
2020-11-17 18:21:39 +03:00
- `SUMMARY.md` : introduction to Biscuit from a user's perspective
2019-03-19 12:38:21 +03:00
- `DESIGN.md` holds the current ideas about what Biscuit should be
2020-11-17 18:21:39 +03:00
- `SPECIFICATIONS.md` is the description of Biscuit, its format and behaviour
2019-03-19 12:38:21 +03:00
- `experimentations/` holds code examples for the crypographic schemes and caveat language. `code/biscuit-poc/` contains an experimental version of Biscuit, built to explore API issues
2019-10-28 13:33:30 +03:00
## License
Licensed under Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
2019-12-19 13:20:39 +03:00
logo by [Mathias Adam ](http://www.madgraphism.com/ )
2019-10-28 13:33:30 +03:00
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the Apache-2.0
license, shall be licensed as above, without any additional terms or
conditions.
