Decentralized verification
Biscuit tokens are signed with public key cryptography: any application knowing the public key can verify the token
Offline attenuation
If you hold a valid token, you can derive a new one with fewer rights, such as restricting it to read access or adding an expiration date, without contacting the issuer
Datalog policies
Authorization policies are written in a logic language. They can be provided by the application, or transported by the token (attenuation)
Capabilities or Access control lists
Biscuit is naturally suited to capability-based authorization, since each request can carry a token attenuated for exactly that request. But you can also provide verification-side ACLs as Datalog facts and rules in the authorizer
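To make the three layers above concrete, here is a constructed example in Biscuit's Datalog (added here, not taken from the Biscuit site): an authority block issued by the service, an attenuation block the holder appends offline to restrict the token, and the authorizer the verifying application runs. Predicate names such as user, right, resource and operation are conventional choices for this illustration, and exact syntax should be checked against the Biscuit implementation you use.

```datalog
// Block 0 (authority): signed by the service's private key.
// Grants alice read and write on file1.
user("alice");
right("file1", "read");
right("file1", "write");

// Block 1 (attenuation): appended offline by the token holder.
// The holder can only add checks, never new rights, so this token
// is now read-only and expires at the end of 2025.
check if operation("read");
check if time($t), $t < 2025-12-31T00:00:00Z;

// Authorizer: run by the verifying application with the public key.
// It supplies request facts, then decides with allow/deny policies.
time(2025-06-01T12:00:00Z);
resource("file1");
operation("read");

// Verification-side ACL style rule: access requires a matching right
// carried by the token for the requested resource and operation.
allow if user($u), resource($r), operation($op), right($r, $op);
deny if true;
```

With operation("read") this request is allowed; with operation("write") the attenuation check fails even though the authority block grants write, and after the expiry date every request on this token fails.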
Revocation
All tokens carry unique revocation identifiers, one per block, which can be used to reject that token and every token attenuated from it
Portable
Biscuit is implemented in Rust, Haskell, Go, Java, WebAssembly, C… All you need for a new implementation is a Protobuf generator and Ed25519 signing. The specification comes with a list of predefined test cases
Copyright for syndicated content belongs to the linked Source : Hacker News – https://www.biscuitsec.org/