biscuit authz

2022-08-23 · 2 min read

Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language.

overview

  • Tokens are signed with a root ed25519 keypair.
  • Any service/client/user that knows the root pubkey can verify the token.
  • Tokens can be "attenuated" (reduce rights/permissions) offline, without re-auth. See: how attenuation works.
  • Authorization policies are written in a Datalog-like language.
  • Tokens naturally support capability-based auth, role-based auth (RBAC), ACLs, etc. with Datalog.
  • Tokens have a content-based revocation id that can be used to revoke them.
  • Implemented in Rust, Haskell, Go, Java, Wasm, C.

how attenuation works

  • Attenuating a token is adding a new block with reduced permissions.
  • Note: tokens can be "sealed" to prevent further attenuation.
  • In an "unsealed" token, the last "proof" block in a sequence actually contains a private key (bound by the public key placed in the previous block, plus the previous block's signature).
  • Adding a new attenuation block is just removing the "proof" block (containing the private key) and replacing it with a fresh block. You then sign the fresh block with the private key you just removed.
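The overview and the attenuation steps above, modelled in Go as an added example (this is not Biscuit's own code or wire format; block contents, the signed payload layout and the seal construction are simplifications chosen here). Each block carries the Datalog-like checks it adds and the public key that must sign the next block; the token's "proof" is the private key matching the last block's public key while unsealed, or a final signature once sealed. A verifier needs only the root public key, and an attenuator needs no key at all beyond the proof already in the token.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Block is one link of the chain. Checks stands in for the block's Datalog checks
// (an authorizer must satisfy all of them, so a later block can only narrow rights).
// NextPubKey must sign the following block; Signature is by the previous block's
// key (the root key for block 0) over payload(Checks, NextPubKey).
type Block struct {
	Checks     []string
	NextPubKey ed25519.PublicKey
	Signature  []byte
}

// Token is the chain plus its proof: NextPriv while unsealed, Seal once sealed.
type Token struct {
	Blocks   []Block
	NextPriv ed25519.PrivateKey
	Seal     []byte
}

// payload is what a block signature covers: NUL-separated checks || next public key.
func payload(checks []string, next ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	for _, c := range checks {
		buf.WriteString(c)
		buf.WriteByte(0)
	}
	buf.Write(next)
	return buf.Bytes()
}

// appendBlock signs a new block with signer and returns the fresh private key that becomes the new proof.
func appendBlock(blocks []Block, signer ed25519.PrivateKey, checks []string) ([]Block, ed25519.PrivateKey) {
	nextPub, nextPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(signer, payload(checks, nextPub))
	return append(blocks, Block{Checks: checks, NextPubKey: nextPub, Signature: sig}), nextPriv
}

// Mint issues the authority block, signed by the root private key (Fig. 1).
func Mint(root ed25519.PrivateKey, checks []string) *Token {
	blocks, next := appendBlock(nil, root, checks)
	return &Token{Blocks: blocks, NextPriv: next}
}

// Attenuate removes the proof key, signs a new block with it, and stores a
// fresh key as the new proof (Fig. 2). The root key is never needed.
func Attenuate(t *Token, checks []string) (*Token, error) {
	if t.NextPriv == nil {
		return nil, errors.New("token is sealed: cannot attenuate")
	}
	blocks, next := appendBlock(append([]Block(nil), t.Blocks...), t.NextPriv, checks)
	return &Token{Blocks: blocks, NextPriv: next}, nil
}

// Seal replaces the proof key with a signature over the last block, so nobody holds a key to extend the chain.
func Seal(t *Token) (*Token, error) {
	if t.NextPriv == nil {
		return nil, errors.New("token already sealed")
	}
	last := t.Blocks[len(t.Blocks)-1]
	return &Token{Blocks: t.Blocks, Seal: ed25519.Sign(t.NextPriv, last.Signature)}, nil
}

// Verify needs only the root public key: it checks each block signature in
// order, then the proof, and returns every check the authorizer must enforce.
func Verify(t *Token, rootPub ed25519.PublicKey) ([]string, error) {
	key, checks, lastSig := rootPub, []string{}, []byte(nil)
	for i, b := range t.Blocks {
		if !ed25519.Verify(key, payload(b.Checks, b.NextPubKey), b.Signature) {
			return nil, fmt.Errorf("block %d: bad signature", i)
		}
		checks = append(checks, b.Checks...)
		key, lastSig = b.NextPubKey, b.Signature // next block or proof must use this key
	}
	switch {
	case lastSig == nil:
		return nil, errors.New("empty token")
	case t.NextPriv != nil: // unsealed: proof key must match the last NextPubKey
		if !bytes.Equal(t.NextPriv.Public().(ed25519.PublicKey), key) {
			return nil, errors.New("proof key does not match last block")
		}
	case t.Seal != nil: // sealed: final signature made by the last key
		if !ed25519.Verify(key, lastSig, t.Seal) {
			return nil, errors.New("bad seal")
		}
	default:
		return nil, errors.New("missing proof")
	}
	return checks, nil
}
```

Usage: `tok := Mint(rootPriv, checks)`, then `att, _ := Attenuate(tok, moreChecks)` by any holder, and `Verify(att, rootPub)` by any service. Because the old proof key is consumed when a block is appended, a holder of the attenuated token cannot drop the new block and present the shorter chain (the proof no longer matches), and editing any block's checks invalidates its signature; sealing removes the proof key so further attenuation fails.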

Pretty pictures:

[Figure 1: The initial token]

  • Fig. (1) The initial token. This one is just a single top-level "authority" block, signed and issued by the root key authority.

[Figure 2: The attenuated token]

  • Fig. (2) The attenuated token. Notice how private key 1 is no longer present in the token; instead, it was removed and used to sign the next block. This token is still unsealed, so there is now private key 2 available for further attenuation.