Biscuit authentication/authorization token

Join the Matrix chat

<img src="https://raw.githubusercontent.com/biscuit-auth/biscuit/main/assets/logo-black-white-bg.png" width="200">

https://www.biscuitsec.org

Version

The stable version of the specification is at SPECIFICATIONS.md. The currently in development version is on the dev branch.

Motivation, goals, non-goals

See https://www.biscuitsec.org/docs/why-biscuit/.

Try it out

Biscuit tokens can be created, attenuated, inspected and authorized from your browser: https://www.biscuitsec.org/docs/tooling/

Roadmap

You can follow the next steps on the roadmap.

Current status:

• the credentials language, cryptographic primitives and serialization format are done
• we have implementations for biscuits v3.x in
  • Rust
  • Web Assembly (based on the Rust version)
  • Python (based on the Rust version)
  • Haskell
• we have implementations for biscuits v1 in
  • Java (implementation of v3.3 is in progress)
  • Go
  • .Net
• a website with documentation and an interactive playground is live at https://biscuitsec.org
• Currently deploying to real world use cases such as Apache Pulsar at Clever Cloud
• looking for an audit of the token's design, cryptographic primitives and implementations

Feature support

The different implementations are following the specification closely, but parts of it may take some time to be fully implemented, so here is the current list of supported features per version:

• ✅ full support
• 🚧 partial support
• ❌ not supported yet

| | Rust | Haskell | Java | Go | Python | C# | |--------------------|------|---------|------|----|--------|----| |v3.0 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |v3.1 | ✅ | ✅ | 🚧 | ❌ | ✅ | ✅ | | scopes | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | | check all | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | | bitwise operations | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | | snapshots | ✅ | ❌ | 🚧 | ❌ | ✅ | ❌ | |v3.2 | ✅ | ✅ | 🚧 | ❌ | ✅ | ✅ | | third party blocks | ✅ | ✅ | 🚧 | ❌ | 🚧 | ✅ | |v3.3 | ✅ | ✅ | 🚧 | ❌ | ✅ | ✅ |

How to help us?

• provide use cases that we can test the token on (some specific kind of checks, auth delegation, etc)
• cryptographic design audit: we need reviews of algorithms, their usage and implementation in various languages
• add support for biscuit v3.2 to java and go implementations

Project organisation

• SPECIFICATIONS.md is the description of Biscuit, its format and behaviour
• biscuit-web-key/ is a specification for publishing biscuit public keys
• DESIGN.md holds the initial ideas about what Biscuit should be
• experimentations/ holds initial code examples for the crypographic schemes and caveat language. code/biscuit-poc/ contains an experimental version of Biscuit, built to explore API issues

License

Licensed under Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)

logo by Julien Richard

originally created at Clever Cloud

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.