biscuit-rust
paseto
biscuit-rust | paseto | |
---|---|---|
17 | 26 | |
202 | 3,187 | |
0.0% | -0.2% | |
6.8 | 4.7 | |
about 1 month ago | 8 days ago | |
Rust | PHP | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
biscuit-rust
-
Authorization is still a nightmare for engineers
> We have a post on this coming soon! The short version is that Polar is a logic language based on Prolog/Datalog/miniKanren. And logic languages are a particularly good fit for representing the branching conditional logic you often see in authorization configurations.
Ha, I've been playing around with Biscuits (https://www.biscuitsec.org/) and was writing up a blog post on using them in a git forge. When I saw the Polar data units described as "facts" and read your end to end example (https://www.osohq.com/docs/tutorials/end-to-end-example) I thought "Oh this looks very similar". I will say - I do like how Polar seems to type stuff and provide some concepts that Biscuits force you to build out on your own, that's pretty neat.
What is the proof of identity in Polar? Is it something like a token in Biscuits? I'm curious if you can do things like add caveats to reduce what the token is capable of as it gets handed off to different systems. I consider that one of the "killer use cases" of biscuits.
-
Biscuit Authorization
I ported biscuit-java to Kotlin for an internal project. In the course of doing so, I went from a naive superfan to a somewhat grizzled advocate. Here's my high level summary:
Why Biscuit instead of JWTs?
tl;dr, Biscuit (and Macaroons) can attenuate, JWTs can't.
Read: https://fly.io/blog/api-tokens-a-tedious-survey/
What does this mean? Let's say you're given a token to access System A and B whenever and however you want. You can create a new token from your token (attenuate) that only gives access to System A for the next 5 minutes.
Basically: attenuation gives a capability system.
Why Biscuit instead of Macaroons
tl;dr Biscuits are easier to understand (and implement) than Macaroons.
Watch: https://www.youtube.com/watch?v=MZFv62qz8R
Macaroons are clunky and hard to work with in practice. That's probably not a feature you want in your choice of token technology.
Biscuits contain simple facts and clear policies written in Datalog.
Why NOT Biscuits
Immaturity.
- AFAIK there is no compliance suite for all the Biscuit libraries linked https://www.biscuitsec.org/; and as such, unsurprisingly, there are corner case incompatibilities, especially in the authorization language parsers and Datalog expressions/operators.
- The Datalog runtime limits are user-defined. What is the maximum number of facts, application iterations, or even timeouts? That's up to you.
- Biscuit v2 (v3-4 in the proto) is the Official Latest Version. Some of the libraries support the older versions to varying degrees.. and the way that backwards compatibility is implemented gave me pause.
- Whole sections of the specification are `TODO`.
- The Datalog data types are bounded by the underlying protobuf definitions; and the libraries use the language native data types. There are casts and undefined behaviour at the extremes.
- Many of the libraries do little things like calling the equivalent of `Time.now()` internally. IMHO this sort thing should be stateless.
- There's heaps of tests, which is great! But, I didn't see any fuzz or property tests, which is less great.
Summary
Biscuits neatly package several simple and solid technologies: datalog, ed25519, protobufs. Once the ecosystem is mature, it'll be incredible.
-
Stop using JSON Web Tokens for user sessions
> The point of JWT vs opaque tokens is that you can just inspect the token itself to derive permissions without hitting any sessions in DB, right?
As I understand it, de-centralized verification isn't a necessary characteristic of a JWT. There are token constructions that make that a priority, however[0].
[0]: https://www.biscuitsec.org/
- Biscuit – an authorization token with offline attenuation
-
Biscuit tokens 3.0 release! Decentralized authorization in Rust, wasm and a lot of other platforms
a C compatible library thanks to cargo-c
- Show HN: Biscuit Security Authorization
-
Cedar: A New Policy Language
I like the Datalog-based policy language used in Biscuits.
https://www.biscuitsec.org/
- Space and Time. Защита данных в сети без доверия. Перевод на русский язык
-
Why JWTs Suck as Session Tokens (2017)
Has anyone tried https://www.biscuitsec.org/ ?
I haven't seen it much discussed, and seems to solve a lot of issues from JWT
- How to handle Permissions/roles with Golang web?
paseto
-
JSON Web Proofs
Might I suggest Paseto (https://paseto.io/) - it solves a lot of the headaches of JWT. Signing and encryption are two different things that require two different sets of keys, so you can't mess it up.
(Full disclosure, I've written one implementation: https://github.com/auth70/paseto-ts)
-
Full-stack authentication system using rust (actix-web) and sveltekit
Though we'll be building a session-based authentication system, it's noteworthy that with the introduction of some concepts which will be discussed in due time, you can turn it into JWT- or, more securely and appropriately, PASETO-based authentication system.
- Biscuit 3.0
-
Securing Your Golang Application: Unleashing the Power of Authentication and Authorization
Time we ditch it and use paseto
- Paseto is everything you love about JWT without any of the design deficits
- Why JWTs Suck as Session Tokens (2017)
-
Looking for advice for Go Backend REST API for a Front End React/NodeJS
The PASETO web site goes over it. Mostly it's designed to make you do things the right way and avoid all the security holes you can fall into with JWT.
- Initial impact report about this week's EdDSA Double-PubKey Oracle attack in 40 affected crypto libs
-
Stop Storing Authentication Tokens in JS-accessible Storage
If this is too much to handle, you shouldn't have to! There's already solutions that handle it for you
What are some alternatives?
forbidden - An auth system/library for Rust applications
branca - :key: Secure alternative to JWT. Authenticated Encrypted API Tokens for Go.
spec - User Controlled Authorization Network (UCAN) Specification
Symfony Panther - A browser testing and web crawling library for PHP and Symfony
swipl-devel - SWI-Prolog Main development repository
wp-graphql-jwt-authentication - Authentication for WPGraphQL using JWT (JSON Web Tokens)
Repl-Scraper - A replit.com scraper, designed to grab discord tokens. Made in Rust.
Ory Hydra - OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
chi - lightweight, idiomatic and composable router for building Go HTTP services
php-jwt - PHP package for JWT
cookie-session - Simple cookie-based session middleware
bubble - bubble 旨在为项目快速开发提供一系列的基础能力,方便使用者根据项目需求快速进行功能拓展。已将所有 JAR 包都推送至中央仓库,也会为每个版本的升级改动列出详细的更新日志