The original Macaroons paper is in our Reading List
Google’s Macaroons in Five Minutes or Less, Brendan McMillion, December 2014
https://blog.bren2010.io/2014/12/04/macaroons.html
Macaroons are a proposed method of distributed (NOT decentralized) authorization. Their main distinction from a bearer token is that, if I'm given a Macaroon that authorizes me to perform some action(s) under certain restrictions, I can non-interactively build a second Macaroon with stricter restrictions that I can then give to you. For example, if I have a Macaroon that allows me to view and delete an image on Imgur, I can construct a second Macaroon that only allows the holder to view the image as long as time ≤ "5/1/13, 1am GMT", and give that to all of my friends.
Macaroons, a new flavour for authorization, Leonardo Mateo, June 2016
Macaroons are like cookies on steroids. And if we think of this concept in the context of authorization for web applications, it is still valid. Cookies are the most used authorisation mechanism in web applications; they are bearer tokens that enable their holder to access a certain service.
The folks at Google have created Macaroons; they are like Cookies but they have contextual caveats that make them great for decentralized authorization.
The main problem with Cookies is that they are easy to steal and, once stolen, the holder of the cookie will have full access to the service that issued it. To help mitigate this problem, macaroons add integrity checks through HMAC signatures.
Macaroons 101: Contextual Confinement, Evan Cordell, Sept 2015
“Elegant authorization, for a more civilized age”
What is a macaroon? Much like a signed cookie, a macaroon is a form of bearer credential that can be handed to a client and verified by a server at a later time. Unlike simple bearer tokens, macaroons embed “caveats” that confine the context in which they can be used. This allows decentralized access control that can be difficult with other methods, and in particular is simple, efficient, and flexible.
Macaroons are Better Than Cookies!, Robert Escriva and Emin Gün Sirer May 2015
Macaroons are great for authorization because they're similar enough to cookies to be immediately usable by developers, but they include several features not present in cookies or other token-based authorization schemes.
Six quick, short points; I'm tempted to copy and paste the whole thing.
Mozilla Tech Talk by Úlfar Erlingsson, June 2014
The original Air Mozilla location is a 404.
Searching for it finds this request to put it up again, which conveniently links to the Internet Archive copy, which has the abstract:
Controlled sharing is fundamental to distributed systems; yet, on the Web, and in the Cloud, sharing is still based on rudimentary mechanisms. Macaroons are flexible authorization credentials that support decentralized delegation between principals, that can easily enable more fine-grained authorization for Cloud services, e.g., by strengthening mechanisms like OAuth2. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs) in a manner that is highly efficient, easy to deploy, and widely applicable. Although macaroons are bearer credentials, like Web cookies, macaroons embed caveats that attenuate and contextually confine when, where, by who, and for what purpose a target service should authorize requests. Macaroons can be formalized in authorization logic and shown to equal the expressiveness of earlier, flexible certificate-based authorization systems, like SPKI/SDSI.
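The attenuation in the Imgur example above (view and delete for me, view-only with a time limit for my friends) and the nested, chained HMAC construction described in the abstract, as an added example. This is not code from the page, from the paper or from any of the linked implementations; it covers first-party caveats only (no third-party discharges), and the caveat predicate mini-language, root key, location, identifier and timestamps are hypothetical values constructed for the demo.

```python
# Added example (not from the page or any linked project): minimal macaroons
# with first-party caveats only. Construction follows the chained-HMAC scheme
# from the paper; the caveat predicate language, keys and identifiers below
# are hypothetical and constructed for this demo.
import hashlib
import hmac
from dataclasses import dataclass, replace


def _mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256; every caveat is chained through this."""
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    location: str
    identifier: str
    caveats: tuple = ()
    signature: bytes = b""


def mint(root_key: bytes, location: str, identifier: str) -> Macaroon:
    """Only the target service knows root_key; sig0 = HMAC(root_key, identifier)."""
    return Macaroon(location, identifier, (), _mac(root_key, identifier.encode()))


def add_first_party_caveat(m: Macaroon, caveat: str) -> Macaroon:
    """Attenuate: anyone holding m can append a caveat, because the new
    signature is HMAC(old signature, caveat). HMAC is one-way, so the holder
    of the attenuated macaroon cannot recover the old signature and strip it."""
    return replace(m, caveats=m.caveats + (caveat,),
                   signature=_mac(m.signature, caveat.encode()))


def satisfied(caveat: str, ctx: dict) -> bool:
    """Hypothetical predicate mini-language: 'k = v', 'k in a,b', 'k < n'.
    Unknown keys, operators or malformed caveats fail closed."""
    parts = caveat.split(" ", 2)
    if len(parts) != 3 or parts[0] not in ctx:
        return False
    key, op, rhs = parts
    val = ctx[key]
    if op == "=":
        return str(val) == rhs
    if op == "in":
        return str(val) in rhs.split(",")
    if op == "<":
        try:
            return float(val) < float(rhs)
        except (TypeError, ValueError):
            return False
    return False


def verify(root_key: bytes, m: Macaroon, ctx: dict) -> bool:
    """Recompute the chain from the root key, checking every caveat against
    the request context, then compare signatures in constant time."""
    sig = _mac(root_key, m.identifier.encode())
    for c in m.caveats:
        if not satisfied(c, ctx):
            return False
        sig = _mac(sig, c.encode())
    return hmac.compare_digest(sig, m.signature)


def demo() -> dict:
    """The Imgur scenario: the owner holds view+delete, friends get view only
    until 5/1/13 1am GMT (epoch 1367370000). All values are constructed."""
    root_key = b"server-secret-known-only-to-imgur"
    mine = mint(root_key, "https://imgur.example", "user-8f3a")
    mine = add_first_party_caveat(mine, "image = abc123")
    mine = add_first_party_caveat(mine, "action in view,delete")
    friends = add_first_party_caveat(mine, "action = view")
    friends = add_first_party_caveat(friends, "time < 1367370000")
    before, after = 1367000000, 1367400000

    def ctx(action: str, t: int) -> dict:
        return {"image": "abc123", "action": action, "time": t}

    results = {
        "owner_delete": verify(root_key, mine, ctx("delete", after)),
        "friend_view_before": verify(root_key, friends, ctx("view", before)),
        "friend_view_after": verify(root_key, friends, ctx("view", after)),
        "friend_delete": verify(root_key, friends, ctx("delete", before)),
    }
    # Stripping caveats keeps the friends' signature, which no longer matches.
    stripped = replace(friends, caveats=friends.caveats[:2])
    results["stripped_caveats"] = verify(root_key, stripped, ctx("delete", after))
    # A macaroon minted with a guessed key fails at the very first HMAC.
    forged = mint(b"guessed-key", "https://imgur.example", "user-8f3a")
    results["wrong_key"] = verify(root_key, forged, ctx("view", before))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

Two things the block makes concrete: attenuation needs no secret (add_first_party_caveat never sees root_key), and the service never trusts the signature it is handed; it rebuilds the whole chain from its own root key, so a stripped or edited caveat simply fails to verify. Real deployments add third-party caveats and a serialization format; the reference libmacaroons and jmacaroons linked below do both.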
Video is still on cloudfront.
We’ve grabbed the video and uploaded it to IPFS, available here:
OAuth vs. Macaroons
@expede made this diagram to look at what the flows between the two systems look like. This is for self-signed macaroons.
Code
Macaroons Playground
This playground is used to build and verify macaroons. It's based on the jmacaroons library and is compatible with the libmacaroons reference implementation.
Has links to other implementations in the side bar.