
Guide request: simple authentication with biscuit

Open woile opened this issue 3 years ago • 2 comments

Hello people, I would like to request a guide on a simple authentication service (à la django). I want to try biscuit in a personal project, but being no expert in security I fear doing something wrong. I think it would also be good for adoption to have a simple example for people to tinker with it, the RBAC guide seems to be useful for a bigger project.

Some doubts I have (sorry for my ignorance):

  • can I use a biscuit token as part of the confirmation email after registration?
  • in the datalog lang, would the roles replace something like the more traditional groups? Could we have some kind of comparison? What would be a simple role to start with and how to extend it later?
  • if started with a monolith, how easy is it to transition to microservices with biscuit? How would it work?

Let me know what you think and thanks in advance! Regards

woile avatar Mar 25 '22 12:03 woile

I have opened an issue on the website repo.

To give you a short answer:

  • you can make a biscuit that just contains user(<user_id>); as a first step; that would be like a signed cookie
  • you can embed a biscuit in an email yes. Typically you would embed restrictions in the token to mitigate leaks (a TTL check, restrictions on operations, a nonce check, etc)
  • role typically refers to something that relates to authorization, it's a way to group several rights in a context-dependent or evolutive fashion: a role might give different rights on different services; a role might evolve over time
  • biscuit can make moving to a μServices architecture easy if you have a good separation between the part that emits the token and the parts that read it in your monolith. Public-key crypto makes it easy to craft the token in one place, and have other services check it with just the public key. Datalog is also a good fit for making consistent auth policies even in a polyglot setting. Biscuit has been clearly designed with experience from μServices, but it can still be useful in a monolith (easy to review auth policies, token restrictions)

We're available on https://matrix.to/#/!MXwhyfCFLLCfHSYJxg:matrix.org if you want to discuss it further

divarvel avatar Apr 09 '22 13:04 divarvel
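As an added illustration (not from this issue or from the biscuit project's docs), here is what the token layout described above looks like in Biscuit's Datalog: an authority block carrying only a `user` fact, an attenuation block appended before the token is embedded in a confirmation email, and the authorizer policy the service runs when the link is visited. The user id, nonce value, dates and operation name are constructed for the example.

```datalog
// Authority block, signed with the service's root private key.
// The only thing the issuer asserts is who the token belongs to.
user("42");

// Attenuation block appended before the token goes into the email.
// A holder can only add restrictions, never remove them, so a leaked
// link is limited to one operation, one registration and a time window.
// (expiry date, operation name and nonce are constructed values)
check if time($t), $t <= 2022-04-10T12:00:00Z;
check if operation("confirm_email");
check if nonce("d3b07384d113edec");

// Authorizer side: the service supplies the ambient facts the checks
// need, then a policy that grants access to any token naming a user.
time(2022-04-09T15:30:00Z);
operation("confirm_email");
nonce("d3b07384d113edec");  // taken from the pending-registration record
allow if user($u);
```

Once the registration is confirmed, the service stops supplying the `nonce` fact for that record, so the same link fails the nonce check on a second visit even if it is still within the time window.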

Thank you! I'll give it a try!

woile avatar Apr 09 '22 14:04 woile

closing this as a duplicate of https://github.com/biscuit-auth/website/issues/41

divarvel avatar Apr 17 '23 07:04 divarvel