# Biscuit authentication token
[![Join the chat at https://gitter.im/CleverCloud/biscuit](https://badges.gitter.im/CleverCloud/biscuit.svg)](https://gitter.im/CleverCloud/biscuit?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
<img src="https://raw.githubusercontent.com/CleverCloud/biscuit/master/assets/brown.png" width="200">
## Goals
Biscuit is an authentication token (in development) for microservices
architectures with the following properties:
- distributed authorization: any node can validate the token using only public
information;
- offline delegation: the holder of a token can create a new, valid token from
it by attenuating its rights, without communicating with anyone;
- capabilities based: authorization in microservices should be tied to rights
related to the request, instead of relying on an identity that might not make
sense to the verifier;
- flexible rights management: the token uses a logic language to specify attenuation
and add bounds on ambient data;
- small enough to fit anywhere (cookies, etc).
## Non goals
- This is not a new authentication protocol. Biscuit tokens can be used as
opaque tokens delivered by other systems such as OAuth.
- Revocation: while tokens come with expiration dates and revocation ids,
revocation still requires external state management that we will not specify.
## Roadmap
You can follow the next steps on the [roadmap](https://github.com/CleverCloud/biscuit/issues/12).
Current status:
- the credential language, cryptographic primitives and serialization format are done
- we have implementations in [Rust](https://github.com/clevercloud/biscuit-rust), [Java](https://github.com/clevercloud/biscuit-java) and [WebAssembly](https://github.com/clevercloud/biscuit-wasm) (based on the Rust version)
- currently deploying to real-world use cases such as [Apache Pulsar](https://github.com/clevercloud/biscuit-pulsar)
- looking for an audit of the token's design, cryptographic primitives and implementations
## How to help us?
- provide use cases that we can test the token on (specific kinds of caveats, auth delegation, etc.)
- cryptographic design audit: we need to decide on a cryptographic scheme that will be strong enough
## Project organisation
- `DESIGN.md` holds the current ideas about what Biscuit should be
- `SPECIFICATIONS.md` is the in-progress description of Biscuit, its format and behaviour
- `experimentations/` holds code examples for the cryptographic schemes and caveat language. `code/biscuit-poc/` contains an experimental version of Biscuit, built to explore API issues
## License
Licensed under Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)

logo by [Mathias Adam](http://www.madgraphism.com/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the Apache-2.0
license, shall be licensed as above, without any additional terms or
conditions.