biscuit authz

2022-08-23 · 2 min read

Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language

• Site: https://www.biscuitsec.org
• Rust: https://github.com/biscuit-auth/biscuit-rust

overview #

• Tokens are signed with a root ed25519 keypair.
• Any service/client/user that knows the root pubkey can verify the token.
• Tokens can be "attenuated" (reduce rights/permissions) offline, without re-auth. See: how attenuation works.
• Authorization policies are written in a Datalog-like language.
• Tokens naturally support capability-based auth, role-based auth (RBAC), ACLs, etc... with Datalog.
• Tokens have content-based revocation id that can be used to revoke tokens.
• Implemented in Rust, Haskell, Go, Java, Wasm, C

how attenuation works #

• Attenuating a token is adding a new block with reduced permissions.
• Note: tokens can be "sealed" to prevent further attenuation.
• In an "unsealed" token, the last "proof" block in a sequence actually contains a private key (bound by the public key placed in the prev. block, plus the previous block's signature).
• Adding a new attentuation block is just removing the "proof" block (containing the private key) and replacing it with a fresh block. You then sign the fresh block with the private key you just removed.

Pretty pictures:

• Fig. (1) The initial token. This one is just a single top-level "authority" block, signed and issued by the root key authority.

• Fig. (2) The attenuated token. Notice how private key 1 is no longer present in the token; instead, it was removed and used to sign the next block. This token is still unsealed, so there is now private key 2 available for further attenuation.