{"id":25738217,"url":"https://github.com/eclipse-biscuit/biscuit-rust","last_synced_at":"2026-01-15T22:17:58.742Z","repository":{"id":39915278,"uuid":"178894114","full_name":"eclipse-biscuit/biscuit-rust","owner":"eclipse-biscuit","description":"Rust implementation of the Biscuit authorization token","archived":false,"fork":false,"pushed_at":"2025-09-24T16:27:25.000Z","size":2236,"stargazers_count":227,"open_issues_count":28,"forks_count":39,"subscribers_count":11,"default_branch":"main","last_synced_at":"2026-01-13T04:11:38.339Z","etag":null,"topics":["authentication","authorization","token"],"latest_commit_sha":null,"homepage":"https://www.biscuitsec.org","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eclipse-biscuit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-04-01T15:36:43.000Z","updated_at":"2025-12-18T21:35:19.000Z","dependencies_parsed_at":"2023-10-11T18:18:08.928Z","dependency_job_id":"105a4684-0f64-41ff-9521-66a2453d4707","html_url":"https://github.com/eclipse-biscuit/biscuit-rust","commit_stats":{"total_commits":505,"total_committers":21,"mean_commits":"24.047619047619047","dds":"0.37623762376237624","last_synced_commit":"52fa17815d5819714c2f3ed122f5e8bbda815ba8"},"previous_names":["eclipse-biscuit/biscuit-rust","biscuit-auth/biscuit-rust","clevercloud/biscuit-rust"],"tags_count":59,"template":false,"template_full_name":null,"purl":"pkg:github/eclipse-biscuit/biscuit-rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-biscuit%2Fbiscuit-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-biscuit%2Fbiscuit-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-biscuit%2Fbiscuit-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-biscuit%2Fbiscuit-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eclipse-biscuit","download_url":"https://codeload.github.com/eclipse-biscuit/biscuit-rust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-biscuit%2Fbiscuit-rust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28472625,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T22:13:38.078Z","status":"ssl_error","status_checked_at":"2026-01-15T22:12:11.737Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","token"],"created_at":"2025-02-26T07:10:44.805Z","updated_at":"2026-01-15T22:17:58.729Z","avatar_url":"https://github.com/eclipse-biscuit.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# Eclipse Biscuit authentication and authorization token\n\nEclipse Biscuit is an authorization token for microservices architectures with the following properties:\n\n- decentralized validation: any node could validate the token only with public information;\n- offline delegation: a new, valid token can be created from another one by attenuating its rights, by its holder, without communicating with anyone;\n- capabilities based: authorization in microservices should be tied to rights related to the request, instead of relying to an identity that might not make sense to the authorizer;\n- flexible rights managements: the token uses a logic language to specify attenuation and add bounds on ambient data;\n- small enough to fit anywhere (cookies, etc).\n\nNon goals:\n\n- This is not a new authentication protocol. Biscuit tokens can be used as opaque tokens delivered by other systems such as OAuth.\n- Revocation: while tokens come with expiration dates, revocation requires external state management.\n\n# Usage\n\nIn this example we will see how we can create a token, add some checks, serialize and deserialize a token, append more checks, and validate those checks in the context of a request:\n\n```rust\nextern crate biscuit_auth as biscuit;\n\nuse biscuit::{KeyPair, Biscuit, error};\n\nfn main() -\u003e Result\u003c(), error::Token\u003e {\n  // let's generate the root key pair. The root public key will be necessary\n  // to verify the token\n  let root = KeyPair::new();\n  let public_key = root.public();\n\n  // creating a first token\n  let token1 = {\n    // the first block of the token is the authority block. It contains global\n    // information like which operation types are available\n    let biscuit = biscuit!(r#\"\n          right(\"/a/file1.txt\", \"read\");\n          right(\"/a/file1.txt\", \"write\");\n          right(\"/a/file2.txt\", \"read\");\n          right(\"/b/file3.txt\", \"write\");\n    \"#).build(\u0026root)?; // the first block is signed\n\n    println!(\"biscuit (authority): {}\", biscuit);\n\n    biscuit.to_vec()?\n  };\n\n  // this token is only 258 bytes, holding the authority data and the signature\n  assert_eq!(token1.len(), 258);\n\n  // now let's add some restrictions to this token\n  // we want to limit access to `/a/file1.txt` and to read operations\n  let token2 = {\n    // the token is deserialized, the signature is verified\n    let deser = Biscuit::from(\u0026token1, root.public())?;\n\n    // biscuits can be attenuated by appending checks\n    let biscuit = deser.append(block!(r#\"\n      // checks are implemented as logic rules. If the rule produces something,\n      // the check is successful\n      // here we verify the presence of a `resource` fact with a path set to \"/a/file1.txt\"\n      // and a read operation\n      check if resource(\"/a/file1.txt\"), operation(\"read\");\n    \"#));\n    println!(\"biscuit (authority): {}\", biscuit);\n\n    biscuit.to_vec()?\n  };\n\n  // this new token fits in 400 bytes\n  assert_eq!(token2.len(), 400);\n\n  /************** VERIFICATION ****************/\n\n  // let's deserialize the token:\n  let biscuit2 = Biscuit::from(\u0026token2, public_key)?;\n\n  // let's define 3 authorizers (corresponding to 3 different requests):\n  // - one for /a/file1.txt and a read operation\n  // - one for /a/file1.txt and a write operation\n  // - one for /a/file2.txt and a read operation\n\n  let v1 = authorizer!(r#\"\n     resource(\"/a/file1.txt\");\n     operation(\"read\");\n     \n     // an authorizer can come with allow/deny policies. While checks are all tested\n     // and must all succeed, allow/deny policies are tried one by one in order,\n     // and we stop verification on the first that matches\n     //\n     // here we will check that the token has the corresponding right\n     allow if right(\"/a/file1.txt\", \"read\");\n     // explicit catch-all deny. here it is not necessary: if no policy\n     // matches, a default deny applies\n     deny if true;\n  \"#)\n  .build(\u0026biscuit2)?;\n\n  let mut v2 = authorizer!(r#\"\n     resource(\"/a/file1.txt\");\n     operation(\"write\");\n     allow if right(\"/a/file1.txt\", \"write\");\n  \"#)\n  .build(\u0026biscuit2)?;\n  \n  let mut v3 = authorizer!(r#\"\n     resource(\"/a/file2.txt\");\n     operation(\"read\");\n     allow if right(\"/a/file2.txt\", \"read\");\n  \"#)\n  .build(\u0026biscuit2)?;\n\n  // the token restricts to read operations:\n  assert!(v1.authorize().is_ok());\n  // the second authorizer requested a read operation\n  assert!(v2.authorize().is_err());\n  // the third authorizer requests /a/file2.txt\n  assert!(v3.authorize().is_err());\n\n  Ok(())\n}\n```\n\n## Concepts\n\n### blocks\n\nA Biscuit token is made with a list of blocks defining data and checks that must\nbe validated upon reception with a request. Any failed check will invalidate the\nentire token.\n\nIf you hold a valid token, it is possible to add a new block to restrict further\nthe token, like limiting access to one particular resource, or adding a short\nexpiration date. This will generate a new, valid token. This can be done offline,\nwithout asking the original token creator.\n\nOn the other hand, if a block is modified or removed, the token will fail the\ncryptographic signature verification.\n\n### Cryptography\n\nBiscuit tokens get inspiration from macaroons and JSON Web Tokens, reproducing useful features from both:\n\n- offline delegation like macaroons\n- based on public key cryptography like JWT, so any application holding the root public key can verify a token (while macaroons are based on a root shared secret)\n\n### A logic language for authorization policies: Datalog\n\nWe rely on a modified version of Datalog, that can represent complex behaviours in a compact form, and add flexible constraints on data.\n\nHere are examples of checks that can be implemented with that language:\n\n- valid if the requested resource is \"file.txt\" and the operation is \"read\"\n- valid if current time is before January 1st 2030, 00h00mn00s UTC\n- source IP is in set [1.2.3.4, 5.6.7.8]\n- resource matches prefix \"/home/biscuit/data/\"\n- But it can also combine into more complex patterns, like: right is read if user has read or user is member of organisation and organisation has read right or other user with read right has delegated to user.\n\nLike Datalog, this language is based around facts and rules, but with some slight modifications:\n\n- Blocks can provide facts but they are not visible from other blocks. They contain rules that use facts from the current block, or from the authority and ambient contexts. If all rules in a block succeed, the block is validated.\n\nA check rule requires the presence of one or more facts, and can have additional expressions on these facts. It is possible to create rules like these ones:\n\n- check if resource(\"file1\")\n- check if resource($path) \u0026 owner(\"user1\", $path) // the $path represents a variable. We look for a set of paths where $path resolves to the same value everywhere\n- check if time($t), $t \u003c 2019-02-05T23:00:00Z // expiration date\n- check if application($app), operation($op), user($user), right(\"app\", $app, $op), owner($user, $app), credit($user, $amount), $amount \u003e 0 // verifies that the user owns the applications, the application has the right on the operation, there's a credit information for the operation, and the credit is larger than 0\n\n### Symbols and symbol tables\nTo reduce the size of tokens, the format holds a symbol table containing strings. Any string is then serialized as an index into this table.\n\nThey can be used for pretty printing of a fact or rule. As an example, with a table containing [\"resource\", \"operation\", \"read\", \"rule1\", \"file.txt\"], we could have the following rule: `#4 \u003c- #0(#5) \u0026 #1(#2)` that would be printed as `rule1 \u003c- resource(\"file.txt\"), operation(\"read\")`\n\nbiscuit implementations come with a default symbol table to avoid transmitting frequent values with every token.\n\n# C bindings\n\nYou can find the C bindings and documentation in the [`biscuit-capi`](./biscuit-capi/README.md) crate.\n\n## License\n\nLicensed under Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)\n\n### Contribution\n\nUnless you explicitly state otherwise, any contribution intentionally\nsubmitted for inclusion in the work by you, as defined in the Apache-2.0\nlicense, shall be licensed as above, without any additional terms or\nconditions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feclipse-biscuit%2Fbiscuit-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feclipse-biscuit%2Fbiscuit-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feclipse-biscuit%2Fbiscuit-rust/lists"}