2022-08-23 · 2 min read
Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language
- Tokens are signed with a root ed25519 keypair.
- Any service/client/user that knows the root pubkey can verify the token.
- Tokens can be "attenuated" (reduce rights/permissions) offline, without re-auth. See: how attenuation works.
- Authorization policies are written in a Datalog-like language.
- Tokens naturally support capability-based auth, role-based auth (RBAC), ACLs, etc... with Datalog.
- Tokens have content-based revocation id that can be used to revoke tokens.
- Implemented in Rust, Haskell, Go, Java, Wasm, C
how attenuation works #
- Attenuating a token is adding a new block with reduced permissions.
- Note: tokens can be "sealed" to prevent further attenuation.
- In an "unsealed" token, the last "proof" block in a sequence actually contains a private key (bound by the public key placed in the prev. block, plus the previous block's signature).
- Adding a new attentuation block is just removing the "proof" block (containing the private key) and replacing it with a fresh block. You then sign the fresh block with the private key you just removed.
- Fig. (1) The initial token. This one is just a single top-level "authority" block, signed and issued by the root key authority.
- Fig. (2) The attenuated token. Notice how private key 1 is no longer present in the token; instead, it was removed and used to sign the next block. This token is still unsealed, so there is now private key 2 available for further attenuation.