mirror of
https://github.com/biscuit-auth/biscuit.git
synced 2024-10-06 02:27:33 +03:00
delegated, decentralized, capabilities based authorization token
1ced35062e
it does not change anything security wise, but it makes it more consistent with the rest |
||
---|---|---|
assets | ||
experimentations | ||
samples | ||
DESIGN.md | ||
LICENSE | ||
README.md | ||
schema.proto | ||
SECURITY.md | ||
SPECIFICATIONS.md | ||
SUMMARY.md |
Biscuit authentication/authorization token
Goals
Biscuit is an authentication and authorization token for microservices architectures with the following properties:
- distributed authentication: any node could validate the token only with public information;
- offline delegation: a new, valid token can be created from another one by attenuating its rights, by its holder, without communicating with anyone;
- capabilities based: authorization in microservices should be tied to rights related to the request, instead of relying to an identity that might not make sense to the verifier;
- flexible rights managements: the token uses a logic language to specify attenuation and add bounds on ambient data, it can model from small rules like expiration dates, to more flexible architectures like hierarchical roles and user delegation;
- small enough to fit anywhere (cookies, etc).
Non goals
- This is not a new authentication protocol. Biscuit tokens can be used as opaque tokens delivered by other systems such as OAuth.
- Revocation: Biscuit generates unique revocation identifiers for each token, and can provide expiration dates as well, but revocation requires external state management (revocation lists, databases, etc) that is outside of this specification.
Roadmap
You can follow the next steps on the roadmap.
Current status:
- the credential language, cryptographic primitives and serialization format are done
- we have implementations in Rust, Java, Go and Web Assembly (based on the Rust version)
- Currently deploying to real world use cases such as Apache Pulsar
- looking for an audit of the token's design, cryptographic primitives and implementations
How to help us?
- provide use cases that we can test the token on (some specific kind of caveats, auth delegation, etc)
- cryptographic design audit: we need reviews of algorithms, their usage and implementation in various languages
Project organisation
SUMMARY.md
: introduction to Biscuit from a user's perspectiveSPECIFICATIONS.md
is the description of Biscuit, its format and behaviourDESIGN.md
holds the initial ideas about what Biscuit should beexperimentations/
holds initial code examples for the crypographic schemes and caveat language.code/biscuit-poc/
contains an experimental version of Biscuit, built to explore API issues
License
Licensed under Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
logo by Mathias Adam
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.