This proposal has been approved and the Eclipse Biscuit project has been created.
Visit the project page for the latest information and development.

Eclipse Biscuit

Monday, July 22, 2024 - 05:28 by Clément Delafargue
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community.
Proposal State
Created
Background

Eclipse Biscuit provides flexible authorization in distributed systems. Inspired by macaroons, it addresses their limitations by adding public key cryptography and a structured authorization language while retaining offline attenuation.

Scope

Eclipse Biscuit provides an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language.

The project scope covers:

  • a specification for an authorization token, cryptographic signatures, and a logic language for authorization
  • a reference implementation in Rust published as a library
  • implementations in other languages (Java, Haskell, Python, JavaScript)
  • a CLI tool and web components

Description

Eclipse Biscuit provides an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language.

Why Here?

Biscuit is a key component of 3DS Outscale's IAM and other European projects.

It needs to be backed by a European structure to sustain its growth.

It provides a state-of-the-art distributed authorization system that can be readily used by other solutions, in a polyglot environment.

Future Work

There are a few ongoing initiatives:

  • bring other libraries on par with the reference implementation (biscuit-java, biscuit-go)
  • incremental improvements on the authorization language

Project Scheduling

Biscuit is already published and used in production in different places.

An incremental update of the authorization language is planned for Q4 2024.
Support for more cryptographic primitives is ongoing in biscuit-rust and biscuit-java.
For Q4 2024 and 2025 we target improvements to the spec definition and its conformance suite, as well as making all libraries feature-complete.

Interested Parties

Outscale

Clever Cloud (production user of biscuit-java and biscuit-rust)
