Macaroons

Macaroons are a new kind of authorization credential developed by the folks at Google for use in distributed systems. Macaroons are bearer tokens that enable applications to ascertain whether their holders' actions are authorized.

Macaroons are great for authorization because they're similar enough to cookies to be immediately usable by developers, but they offer several features that surpass cookies or other token-based authorization methods:

  • Delegation with Contextual Caveats: Macaroons support delegation, allowing others to act on your behalf with the same authority. While cookies also allow delegation, macaroons enhance safety and practicality through features like limiting when, where, and by whom the delegated authority can be used. This is achieved using attenuation and third-party caveats.
  • Attenuation: Macaroons let users add caveats to limit how, when, and where they can be used, even before delegation. Unlike cookies or authorization tokens, macaroons empower users to restrict their usage, granting better control over their data and actions within applications.
  • Proof-Carrying: Macaroons are efficient as they carry their own cryptographic proof of authorization. Their caveats are constructed using chained HMAC functions, allowing easy addition of caveats while preventing their removal. Verifying the proof is straightforward for the creator, but others cannot tamper with it.
  • Third-Party Caveats: Macaroons enable caveats that depend on third-party verification. This enables distributed systems to work together for authorization. For instance, a data store's macaroon could be authorized only if the user's authentication service confirms their authentication, without the storage service directly communicating with the authentication service.
  • Simple Verification: Macaroons simplify authorization code by using a general verifier for checking the proofs in macaroons, rather than complex conditionals in each authorization routine.
  • Decoupled Authorization Logic: Macaroons separate the policy (who can access what) from the mechanism (how the policy is enforced). The verifier certifies the correctness of embedded proofs, while the policy is defined during macaroon creation, attenuation, and sharing. This allows easy auditing and consistent policy enforcement.
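
The chained-HMAC construction behind the Attenuation and Proof-Carrying points above can be sketched in a few lines. This is an added example, not code from this documentation or from any macaroon library: it uses HMAC-SHA256, a made-up `field op value` caveat syntax, a constructed root key, and hypothetical function names, and it omits third-party caveats and the real serialization format.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: bytes) -> dict:
    """Issuer only: the first signature is keyed with the root secret."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(m: dict, caveat: bytes) -> dict:
    """Any holder: the current signature becomes the key for the next link."""
    return {"id": m["id"], "caveats": m["caveats"] + [caveat],
            "sig": _mac(m["sig"], caveat)}

def caveat_holds(caveat: bytes, ctx: dict) -> bool:
    """General first-party predicate check; anything unrecognised fails closed."""
    try:
        field, op, value = caveat.decode().split(" ", 2)
        if op == "=":
            return str(ctx[field]) == value
        if op == "<":
            return ctx[field] < int(value)
    except (KeyError, ValueError, TypeError):
        pass
    return False

def verify(root_key: bytes, m: dict, ctx: dict) -> bool:
    """Issuer only: recompute the chain from the root key, then check caveats."""
    sig = _mac(root_key, m["id"])
    for caveat in m["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, m["sig"]):
        return False  # a caveat was removed, reordered or edited, or the key is wrong
    return all(caveat_holds(c, ctx) for c in m["caveats"])

if __name__ == "__main__":
    root = b"constructed-root-key"  # constructed sample secret
    token = attenuate(attenuate(mint(root, b"user-42"), b"action = read"),
                      b"time < 1700000000")
    print(verify(root, token, {"action": "read", "time": 1699999999}))
    # Dropping the time caveat while keeping the final signature breaks the chain.
    stripped = dict(token, caveats=token["caveats"][:1])
    print(verify(root, stripped, {"action": "read", "time": 1800000000}))
```

Because each signature is the HMAC key for the next link, a holder who only has the final signature cannot recover the earlier one needed to present a shorter caveat list.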