PTS2021

Biscuit: pubkey signed token with offline attenuation and Datalog authz policies
2021-07-06, 15:20–15:55 (Europe/Paris), Zoom room

Biscuit is a new kind of authorization token that merges the public key signatures of JWT with the offline attenuation and caveats of macaroons. It comes with a Datalog-based language for expressing policies, which can be provided by the token or by the server side.
This feature set unlocks powerful use cases such as multitenant systems that need flexible authorization policies, or chains of microservice requests with locked-down bearer tokens.

R&D and security at Clever Cloud. I mess with Rust, parsers and cryptography.