biscuit-rust VS Echo

> We have a post on this coming soon! The short version is that Polar is a logic language based on Prolog/Datalog/miniKanren. And logic languages are a particularly good fit for representing the branching conditional logic you often see in authorization configurations.

Ha, I've been playing around with Biscuits (https://www.biscuitsec.org/) and was writing up a blog post on using them in a git forge. When I saw the Polar data units described as "facts" and read your end to end example (https://www.osohq.com/docs/tutorials/end-to-end-example) I thought "Oh this looks very similar". I will say - I do like how Polar seems to type stuff and provide some concepts that Biscuits force you to build out on your own, that's pretty neat.

What is the proof of identity in Polar? Is it something like a token in Biscuits? I'm curious if you can do things like add caveats to reduce what the token is capable of as it gets handed off to different systems. I consider that one of the "killer use cases" of biscuits.

I ported biscuit-java to Kotlin for an internal project. In the course of doing so, I went from a naive superfan to a somewhat grizzled advocate. Here's my high level summary:

Why Biscuit instead of JWTs?

tl;dr, Biscuit (and Macaroons) can attenuate, JWTs can't.

Read: https://fly.io/blog/api-tokens-a-tedious-survey/

What does this mean? Let's say you're given a token to access System A and B whenever and however you want. You can create a new token from your token (attenuate) that only gives access to System A for the next 5 minutes.

Basically: attenuation gives a capability system.

Why Biscuit instead of Macaroons

tl;dr Biscuits are easier to understand (and implement) than Macaroons.

Watch: https://www.youtube.com/watch?v=MZFv62qz8R

Macaroons are clunky and hard to work with in practice. That's probably not a feature you want in your choice of token technology.

Biscuits contain simple facts and clear policies written in Datalog.

Why NOT Biscuits

Immaturity.

- AFAIK there is no compliance suite for all the Biscuit libraries linked https://www.biscuitsec.org/; and as such, unsurprisingly, there are corner case incompatibilities, especially in the authorization language parsers and Datalog expressions/operators.

- The Datalog runtime limits are user-defined. What is the maximum number of facts, application iterations, or even timeouts? That's up to you.

- Biscuit v2 (v3-4 in the proto) is the Official Latest Version. Some of the libraries support the older versions to varying degrees.. and the way that backwards compatibility is implemented gave me pause.

- Whole sections of the specification are `TODO`.

- The Datalog data types are bounded by the underlying protobuf definitions; and the libraries use the language native data types. There are casts and undefined behaviour at the extremes.

- Many of the libraries do little things like calling the equivalent of `Time.now()` internally. IMHO this sort thing should be stateless.

- There's heaps of tests, which is great! But, I didn't see any fuzz or property tests, which is less great.

Summary

Biscuits neatly package several simple and solid technologies: datalog, ed25519, protobufs. Once the ecosystem is mature, it'll be incredible.

> The point of JWT vs opaque tokens is that you can just inspect the token itself to derive permissions without hitting any sessions in DB, right?

As I understand it, de-centralized verification isn't a necessary characteristic of a JWT. There are token constructions that make that a priority, however[0].

[0]: https://www.biscuitsec.org/

a C compatible library thanks to cargo-c

I like the Datalog-based policy language used in Biscuits.

https://www.biscuitsec.org/

Has anyone tried https://www.biscuitsec.org/ ?

I haven't seen it much discussed, and seems to solve a lot of issues from JWT

Echo for the web server.

Echo - web framework for Go

The three behaviors I've described that we want all depend on two things, the first of which is "idiomatic error handling". We need to be able to simply return err in our handlers. Unfortunately, the standard libray doesn't give us this. But some third-party frameworks do. The most popular one I'm familiar with is labstack echo, whose HandlerFunc looks like this:

In this tutorial, I will be using the Echo framework to build the backend. You can learn more about Echo here.

____ __ / __/___/ / ___ / _// __/ _ \/ _ \ /___/\__/_//_/\___/ v4.11.1 High performance, minimalist Go web framework https://echo.labstack.com ____________________________________O/_______ O\ ⇨ http server started on [::]:8080

Some of the features: - ✅ Using Vertical Slice Architecture as a high level architecture - ✅ Using Event Driven Architecture on top of RabbitMQ Message Broker with a custom [Event Bus](pkg/messaging/bus/) - ✅ Using Event Sourcing in Audit Based services like [Orders Service](services/orders/) - ✅ Using CQRS Pattern and Mediator Patternon top of Go-MediatR library - ✅ Using Dependency Injection and Inversion of Controlon top of uber-go/fx library - ✅ Using RESTFul api with Echo framework and using swagger with swaggo/swag library - ✅ Using Postgres and EventStoreDB to write databases with fully supports transactions(ACID) - ✅ Using MongoDB and Elastic Search for read databases (NOSQL) - ✅ Using OpenTelemetry for collection Distributed Tracing with using Jaeger and Zipkin - ✅ Using OpenTelemetry for collection Metrics with using Prometheus and Grafana - ✅ Using Unit Test for testing small units with mocking dependent classes and using Mockery for mocking dependencies - ✅ Using End2End Test and Integration Test for testing features with all of their real dependeinces using docker containers (cleanup tests) and testcontainers-go library

If you come from NodeJS background, you may find Echo (https://echo.labstack.com) most similar to express.

Can I try to rewrite it using the following? I'll just hand you the code I don't care about credit, I just enjoy cleaning things up. - https://github.com/spf13/cobra - https://echo.labstack.com/ - SQLite - and not a bunch of if statements

Use a library for HTTP serving, such as Gin, Chi, or Echo. I personally use Chi, as it's just the right level of abstraction for how I like to work. Despite what others say here, don't try to re-implement everything in a modern serving library using the standard library.