RFC on Boulangerie Macaroons


Tony Arcieri

Jan 9, 2016, 7:08:26 PM
to maca...@googlegroups.com
I've taken into account some emerging conventions I've seen for my "opinionated" Macaroon library Boulangerie.

Here is an example Boulangerie Macaroon after Base64 decoding:

0029location https://mysupercoolsite.com
0076identifier v:0 uuid:4213ce9f-1149-44e8-a8cb-ff47d8aff25c kid:key1 sch:7dc57277e5b399ac@0 iat:2016-01-09T23:52:16Z
0026cid expires: 2016-01-09T23:52:16Z
0029cid not-before: 2016-01-09T23:52:21Z
002fsignature [...]
Most of the noteworthy stuff is probably in how it handles identifiers, specifically in the way it supports typed schemas à la protobufs. As a quick overview of the fields in the header:
  • v: version of the format (presently 0, for "experimental". I will continue to make arbitrary changes)
  • uuid: randomly generated UUID for this Macaroon
  • kid: key identifier (to enable key rotation)
  • sch: schema ID (à la protos). The "@0" indicates version 0 of this schema
  • iat: time at which this Macaroon was issued (purely advisory)
Some notable changes in the caveat format:
  • I adopted "expires" and "not-before" as replacements for "time-before" and "time-after" as these seem to be more standard. However, I wonder about just adopting the JOSE claim names "exp" and "nbf" for brevity...
  • I have added a ":" character after the caveat labels, reminiscent of an HTTP header
Thoughts?

--
Tony Arcieri

Tony Arcieri

Jan 9, 2016, 7:10:03 PM
to maca...@googlegroups.com
Just noticed a bug in the spec where "not-before" was placed 5 seconds after "expires". Oops ;) I'll get around to verification soon...

--
Tony Arcieri
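The packet layout of the macaroon posted above and the expires / not-before mix-up noted in the follow-up, as an added Python example (not Boulangerie's own code). It assumes the length prefix is four hex digits covering the prefix itself, the key, one space, the value and the trailing newline, which is what the sample's prefixes work out to; the elided signature is replaced by 32 constructed zero bytes so the 002f prefix still holds.

```python
from datetime import datetime, timezone

# Constructed sample reproducing the macaroon in the post; the "[...]"
# signature is stood in for by 32 zero bytes (assumed HMAC-SHA256 width).
SAMPLE = (
    b"0029location https://mysupercoolsite.com\n"
    b"0076identifier v:0 uuid:4213ce9f-1149-44e8-a8cb-ff47d8aff25c"
    b" kid:key1 sch:7dc57277e5b399ac@0 iat:2016-01-09T23:52:16Z\n"
    b"0026cid expires: 2016-01-09T23:52:16Z\n"
    b"0029cid not-before: 2016-01-09T23:52:21Z\n"
    b"002fsignature " + b"\x00" * 32 + b"\n"
)

def parse_packets(raw):
    """Split the self-delimiting stream: 4 hex digits give the total packet
    length (prefix + key + space + value + newline). Values stay as bytes
    because the signature packet is raw binary."""
    packets, pos = [], 0
    while pos < len(raw):
        length = int(raw[pos:pos + 4], 16)
        packet = raw[pos + 4:pos + length]
        if len(packet) != length - 4 or not packet.endswith(b"\n"):
            raise ValueError("truncated or malformed packet at offset %d" % pos)
        key, _, value = packet[:-1].partition(b" ")
        packets.append((key.decode(), value))
        pos += length
    return packets

def parse_identifier(value):
    """The v:0 header is a space-separated list of label:value fields."""
    return dict(field.split(":", 1) for field in value.decode().split(" "))

def parse_caveats(packets):
    """First-party caveats use the HTTP-header-like 'label: value' shape;
    partition()[::2] keeps (label, value) and drops the separator."""
    return [tuple(v.decode().partition(": ")[::2]) for k, v in packets if k == "cid"]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_time_caveats(caveats, now):
    """Return (ok, reason). A not-before later than expires, as in the posted
    example, gives an empty window: no value of 'now' satisfies both."""
    for label, arg in caveats:
        if label == "expires" and now >= _ts(arg):
            return False, "expired"
        if label == "not-before" and now < _ts(arg):
            return False, "not yet valid"
    return True, "ok"
```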

Evan Cordell

Jan 12, 2016, 2:26:31 PM
to Macaroons
I like where this is heading; seems useful to define some common language like this (while still always having the option to extend with domain-specific caveats).

As for the identifier header: at this point I wonder about just defining it to be a JWT ;) 

Your boulangerie work (especially the "schema" definitions) reminds me of a little experiment I wrote a while ago to use protobuf as a serialization format: https://github.com/ecordell/pymacaroons/compare/protobuf (I mention it mostly for comparison's sake - in very unscientific tests I found protobuf to be slower than the de-facto binary standard for macaroons)

Tony Arcieri

Jan 12, 2016, 3:06:24 PM
to maca...@googlegroups.com
On Tue, Jan 12, 2016 at 11:26 AM, Evan Cordell <cordel...@gmail.com> wrote:
> As for the identifier header: at this point I wonder about just defining it to be a JWT ;)

I think using JWT claim names is fine, but I wouldn't want to adopt a JWT wholesale: it adds a bunch of redundant boilerplate and all of the ugly complexity of JWS for authenticating the tokens when we're already in an authenticated context.

--
Tony Arcieri