Macaroon-enabled OAuth


Neil Madden

Jul 29, 2020, 2:34:29 PM
to Macaroons
My employer is shortly to release a new version of their (closed-source) IAM product suite. One of the new features is support for issuing macaroon access and refresh tokens for OAuth2. I wrote a bit about it here: https://neilmadden.blog/2020/07/29/least-privilege-with-less-effort-macaroon-access-tokens-in-am-7-0/ 

This blog post is a bit light on technical details. There are some interesting aspects involved in how it all hooks together, so I’ll try to write up a more detailed look at some point if anyone is interested.

Cheers,
Neil

Akram Shehadi

Jul 30, 2020, 8:26:40 AM
to Macaroons
Interesting article. Thanks for sharing.

Out of curiosity, did you roll your own Macaroons library or use one of the available ones? Last time I checked, some years ago, I wasn't entirely sure there were production-ready ones.

Neil Madden

Jul 30, 2020, 9:34:53 AM
to maca...@googlegroups.com
We wrote our own. Partly this was due to concerns over quality, and partly because the way this integrates into OAuth doesn’t fit well with the interface of existing libraries.

We wanted to make the use of macaroons largely transparent for existing OAuth deployments, so the token introspection endpoint returns a response that aggregates information from the token adjusted by any caveats. For example, the “scope” field returned is the intersection of the original token scope and any scope caveats. The way this works is the validation method in our library returns a list of unsatisfied caveats (including from discharge macaroons). We then run through those picking out the ones we know (scope, exp, etc) and finding the “minimum” according to some specific criteria (intersection for scope and audience, earliest for expiry time, etc). Any unrecognised caveats get output as an array of strings on the end of the response.

I’ll try and write up a more detailed description when I get a chance.

Unfortunately our library is not open source for now, but hopefully that will change.

Neil

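The introspection aggregation Neil describes, as an added example that is not code from his library or from the product it ships in. The caveat syntax ("key op value", a libmacaroons-style `time <` caveat in Unix seconds) and the shape of the token record are assumptions, since macaroon caveats are free-form strings.

```python
# Added example, not code from Neil's library or from AM: aggregate the
# unsatisfied caveats of a verified macaroon into an OAuth introspection
# response, as described in the post above.
# Assumed caveat syntax (macaroon caveats are free-form): "key op value",
# e.g. "scope = read write", "aud = https://api.example.com",
# "time < 1700000000" (libmacaroons-style time caveat, in Unix seconds).
import time
from typing import Dict, List, Optional, Tuple

KNOWN = {("scope", "="), ("aud", "="), ("time", "<")}

def parse_caveat(caveat: str) -> Optional[Tuple[str, str]]:
    """Return (key, value) for a caveat we know how to narrow by, else None."""
    parts = caveat.split(maxsplit=2)
    if len(parts) == 3 and (parts[0], parts[1]) in KNOWN:
        return parts[0], parts[2]
    return None

def introspect(token: Dict, unsatisfied: List[str], now: Optional[int] = None) -> Dict:
    """Narrow the token's claims by its caveats; unknown caveats pass through.

    `unsatisfied` is what the verifier returns after the HMAC chain checked out
    (first-party and discharge macaroons alike). Caveats only ever remove
    authority, so each known field is merged as a minimum.
    """
    now = int(time.time()) if now is None else now
    scope = set(token["scope"].split())
    aud = set(token.get("aud", []))
    exp = int(token["exp"])
    unknown: List[str] = []
    for caveat in unsatisfied:
        parsed = parse_caveat(caveat)
        if parsed is None:
            unknown.append(caveat)           # surfaced verbatim for the RS to enforce
            continue
        key, value = parsed
        if key == "scope":
            scope &= set(value.split())      # intersection: a caveat can only shrink scope
        elif key == "aud":
            aud &= set(value.split())        # intersection of audiences
        else:                                # "time <": earliest expiry wins
            exp = min(exp, int(value))
    resp = {"active": exp > now, "scope": " ".join(sorted(scope)),
            "aud": sorted(aud), "exp": exp}
    if unknown:
        resp["caveats"] = unknown
    return resp
```

A resource server that receives a non-empty `caveats` array must treat the token as unusable unless it understands and enforces every entry, otherwise the attenuation the token holder added is silently lost.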

Akram Shehadi

Jul 30, 2020, 9:29:49 PM
to Macaroons
Thanks for the details!

I'd love to implement a Macaroons-based authz schema where I work, but it's hard to convince them to invest in developing our own library since that's not our core competency.

If you ever open source the library you created, I will be eager to check it out.

Neil Madden

Sep 10, 2020, 3:35:02 AM
to Macaroons
I finally got around to writing part 2 about implementing transactional authZ with third-party caveats. https://neilmadden.blog/2020/09/09/macaroon-access-tokens-for-oauth-part-2-transactional-auth/

— Neil

Samuel Valdes Gutierrez

Feb 18, 2022, 12:44:50 AM
to Macaroons
Hi Neil,

Many thanks for all the blogs related to Macaroons and OAuth. Just wondering, in your last blog (the one you shared above), whether you have the demo code you mention available. I am really interested in checking it out and playing with it.

I am currently working on a master's thesis in which I am trying to implement Macaroons and OAuth for a specific service we are prototyping for a company. One part of this service is a Proof of Concept related to authorization to resources and delegation of access by using macaroons.

It would be great if you could share that demo, if possible.

Regards,

Samuel 
