biscuit authz

2022-08-23 · 2 min read

    Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language.

    overview #

    • Tokens are signed with a root ed25519 keypair.
    • Any service/client/user that knows the root pubkey can verify the token.
    • Tokens can be "attenuated" (reduce rights/permissions) offline, without re-auth. See: how attenuation works.
    • Authorization policies are written in a Datalog-like language.
    • Because policies are Datalog, tokens naturally support capability-based auth, role-based auth (RBAC), ACLs, etc.
    • Tokens have a content-based revocation id that can be used to revoke them.
    • Implemented in Rust, Haskell, Go, Java, Wasm, C.

    how attenuation works #

    • Attenuating a token means adding a new block with reduced permissions.
    • Note: tokens can be "sealed" to prevent further attenuation.
    • In an "unsealed" token, the last "proof" block in the sequence actually contains a private key: the one pairing with the public key placed in the previous block, which that block's signature covers.
    • Adding a new attenuation block is just removing the "proof" block (containing the private key) and replacing it with a fresh block. You then sign the fresh block with the private key you just removed.

    Pretty pictures:

    The initial token

    • Fig. (1) The initial token. This one is just a single top-level "authority" block, signed and issued by the root key authority.

    The attenuated token

    • Fig. (2) The attenuated token. Notice how private key 1 is no longer present in the token; instead, it was removed and used to sign the next block. This token is still unsealed, so there is now private key 2 available for further attenuation.
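    The chain described above, as an added example that is not Biscuit's own code or wire format (the real library also serializes to Protobuf and evaluates the Datalog; here the policy is carried as plain strings and only the signature chain is modelled). Each block embeds the public key that must sign the next block, the proof section holds the matching private key, attenuation spends that key on a new block, and sealing spends it on a final signature instead. The `Block`, `Token`, `Mint`, `Attenuate`, `Seal`, `Verify` and `Demo` names and the Datalog snippets are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Block is one signed unit of the chain: the Datalog-like text, the public key
// that will sign the next block, and a signature over both by the previous key.
type Block struct {
	Datalog string
	NextPub ed25519.PublicKey
	Sig     []byte
}

// Token is the block chain plus the trailing "proof" section: while unsealed it
// holds the private key matching the last block's NextPub; sealing spends that
// key on a final signature and discards it.
type Token struct {
	Blocks    []Block
	ProofPriv ed25519.PrivateKey // non-nil only while unsealed
	ProofSig  []byte             // non-nil only once sealed
}

// signedBytes is what each block signature covers. Including NextPub binds the
// successor key to the block, so a holder cannot splice in a key of their own.
func signedBytes(datalog string, nextPub ed25519.PublicKey) []byte {
	return append([]byte(datalog), nextPub...)
}

// appendBlock signs a block with signer (the root key for block 0, otherwise
// the proof key taken out of the previous token) and installs a fresh proof key.
func appendBlock(t *Token, signer ed25519.PrivateKey, datalog string) (*Token, error) {
	nextPub, nextPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	blk := Block{Datalog: datalog, NextPub: nextPub}
	blk.Sig = ed25519.Sign(signer, signedBytes(datalog, nextPub))
	blocks := append(make([]Block, 0, len(t.Blocks)+1), t.Blocks...) // copy, do not alias
	return &Token{Blocks: append(blocks, blk), ProofPriv: nextPriv}, nil
}

// Mint issues the authority block under the root key.
func Mint(root ed25519.PrivateKey, authority string) (*Token, error) {
	return appendBlock(&Token{}, root, authority)
}

// Attenuate removes the proof key and uses it to sign the new block; the
// result is still unsealed and carries a fresh proof key of its own.
func Attenuate(t *Token, restriction string) (*Token, error) {
	if t.ProofPriv == nil {
		return nil, errors.New("token is sealed: no proof key to sign with")
	}
	return appendBlock(t, t.ProofPriv, restriction)
}

// Seal replaces the proof key with a signature over the last block, so no one
// can append further blocks but a verifier can still see the key was held.
func Seal(t *Token) (*Token, error) {
	if t.ProofPriv == nil {
		return nil, errors.New("token is already sealed")
	}
	last := t.Blocks[len(t.Blocks)-1]
	return &Token{Blocks: t.Blocks, ProofSig: ed25519.Sign(t.ProofPriv, last.Sig)}, nil
}

// Verify needs only the root public key: block 0 verifies under it, block i
// under block i-1's NextPub, and the proof section under the last NextPub.
func Verify(t *Token, rootPub ed25519.PublicKey) error {
	if len(t.Blocks) == 0 {
		return errors.New("empty token")
	}
	signer := rootPub
	for i, blk := range t.Blocks {
		if !ed25519.Verify(signer, signedBytes(blk.Datalog, blk.NextPub), blk.Sig) {
			return fmt.Errorf("block %d: bad signature", i)
		}
		signer = blk.NextPub // whoever holds this key may sign the next block
	}
	switch {
	case t.ProofPriv != nil:
		if !bytes.Equal(t.ProofPriv.Public().(ed25519.PublicKey), signer) {
			return errors.New("proof key does not match the last block's next public key")
		}
	case t.ProofSig != nil:
		if !ed25519.Verify(signer, t.Blocks[len(t.Blocks)-1].Sig, t.ProofSig) {
			return errors.New("bad seal signature")
		}
	default:
		return errors.New("missing proof section")
	}
	return nil
}

// Demo runs the flow from the post (mint, attenuate, seal) plus a constructed
// tampering attempt, and reports each verification outcome.
func Demo() (attenuatedOK, sealedOK, sealBlocksAttenuation, tamperDetected bool, err error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	t0, err := Mint(rootPriv, `right("file1", "read"); right("file1", "write");`) // constructed policy
	if err != nil {
		return
	}
	t1, err := Attenuate(t0, `check if operation("read");`) // constructed restriction
	if err != nil {
		return
	}
	attenuatedOK = Verify(t1, rootPub) == nil
	t2, err := Seal(t1)
	if err != nil {
		return
	}
	sealedOK = Verify(t2, rootPub) == nil
	_, aErr := Attenuate(t2, `check if resource("file1");`)
	sealBlocksAttenuation = aErr != nil
	tampered := *t1 // edit an attenuation block after the fact
	tampered.Blocks = append([]Block(nil), t1.Blocks...)
	tampered.Blocks[1].Datalog = `check if true;`
	tamperDetected = Verify(&tampered, rootPub) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

    Note that the verifier never sees private key 1 or 2: the attenuator spends the key it removed, and the signature chain plus the embedded next public keys is all the verifier needs.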