
Overview

Otoroshi Biscuit Studio

Otoroshi Biscuit Studio is a powerful extension for Otoroshi, designed to integrate and manage Eclipse Biscuit Tokens seamlessly within your beloved API Gateway.

Biscuit tokens offer a cutting-edge approach to secure and efficient access control. By combining advanced cryptographic techniques with a compact, extensible format, Eclipse Biscuit tokens empower developers to create robust, scalable security solutions.

Their versatility and unique features make them an ideal choice for modern token-based authentication and authorization systems, enabling fine-grained control over user access and permissions.

Supported Entities in Otoroshi Biscuit Studio

  • KeyPairs
    Create Biscuit Keypairs to forge, attenuate and verify tokens.

    Keypairs are essential for signing and verifying tokens, ensuring the integrity and authenticity of requests.

  • Forges
    Define a Forge to generate tokens from the facts and rules you provide in the forge configuration.

    It is a kind of template for generating tokens with given data.

  • Verifiers
    Manage and configure verifiers that check the validity of incoming Eclipse Biscuit tokens against defined rules and policies, ensuring proper authorization and security.

  • Attenuators
    Configure attenuators to modify and return Biscuit tokens that have been "attenuated" (limited in scope or permissions), ensuring fine-grained control over access levels in your API routes.

  • RBAC Policies
    Implement Role-Based Access Control (RBAC) policies using Eclipse Biscuit tokens to enforce structured, flexible access control mechanisms within your application. This allows for secure, role-based user management.

  • Remote Facts Loader
    Integrate external data sources (remote facts) to enhance the authorization decisions made by tokens, allowing dynamic and context-aware access control.
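The entities above describe one lifecycle: a forge writes trusted facts into a token's authority block, an attenuator appends blocks that can only add restrictions, and a verifier evaluates every block's checks plus its own policy. The following is an added, self-contained Python model of that lifecycle written for this page; it is not Otoroshi Biscuit Studio's code nor the Biscuit library's API. It deliberately leaves out the Datalog engine (checks are plain Python predicates over a fact set) and the ed25519 signature chain that real Biscuit tokens carry, and every fact, check, policy and request below is constructed for illustration. What it does reproduce is the visibility rule that makes attenuation safe: a block's checks see the authority facts, the request's ambient facts and that block's own facts, while the verifier's allow policy only trusts authority and ambient facts, so a fact written into an appended block can never grant a new right.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# A fact is a named tuple of terms, e.g. ("user", "alice") or ("right", "/api/orders", "read").
Fact = tuple
# A check is a predicate over the facts visible to the block that carries it.
Check = Callable[[set], bool]


def has(facts: set, name: str, *terms) -> bool:
    """True if a fact with this name and these terms exists ("_" matches any term)."""
    return any(
        f[0] == name
        and len(f) == len(terms) + 1
        and all(t == "_" or t == v for t, v in zip(terms, f[1:]))
        for f in facts
    )


@dataclass(frozen=True)
class Block:
    label: str
    facts: frozenset      # facts this block contributes
    checks: tuple         # (description, Check) pairs that must all pass


@dataclass(frozen=True)
class Token:
    blocks: tuple         # block 0 is the authority block written by the forge


def forge(facts: Iterable[Fact], checks=()) -> Token:
    """Forge: mint a token whose authority block carries the trusted facts."""
    return Token((Block("authority", frozenset(facts), tuple(checks)),))


def attenuate(token: Token, checks, facts=(), label="attenuation") -> Token:
    """Attenuator: append a block. Checks can only restrict; block facts are not trusted by the policy."""
    return Token(token.blocks + (Block(label, frozenset(facts), tuple(checks)),))


def authorize(token: Token, ambient: Iterable[Fact], policy: Check) -> tuple:
    """Verifier: every check of every block must pass, then the authorizer's own policy decides."""
    ambient = set(ambient)
    authority = set(token.blocks[0].facts)
    for i, block in enumerate(token.blocks):
        visible = authority | ambient | set(block.facts)
        for description, check in block.checks:
            if not check(visible):
                return (False, f"block {i} ({block.label}) check failed: {description}")
    if policy(authority | ambient):          # appended-block facts are intentionally excluded here
        return (True, "allowed by policy")
    return (False, "no matching allow policy")


# Constructed sample data: the facts a hypothetical forge would put in the authority block.
ROOT_FACTS = [
    ("user", "alice"),
    ("right", "/api/orders", "read"),
    ("right", "/api/orders", "write"),
]


def read_only_until(expiry: int):
    """Attenuation checks: only the read operation, and only before the given Unix time."""
    return [
        ("operation must be read", lambda f: has(f, "operation", "read")),
        (f"time must be before {expiry}",
         lambda f: any(x[0] == "time" and x[1] < expiry for x in f)),
    ]


def rights_policy(facts: set) -> bool:
    """Verifier policy: allow if a right(resource, operation) fact matches the request."""
    resources = [f[1] for f in facts if f[0] == "resource"]
    operations = [f[1] for f in facts if f[0] == "operation"]
    return any(has(facts, "right", r, o) for r in resources for o in operations)


def request(path: str, op: str, now: int):
    """Ambient facts the verifier derives from the incoming HTTP request (constructed)."""
    return [("resource", path), ("operation", op), ("time", now)]


def demo() -> dict:
    full = forge(ROOT_FACTS)
    limited = attenuate(full, read_only_until(1_700_000_000))
    # A block that tries to add a right it was never given: the policy must ignore it.
    smuggled = attenuate(full, [], facts=[("right", "/admin", "read")], label="smuggled right")
    now, later = 1_600_000_000, 1_800_000_000
    return {
        "full_write": authorize(full, request("/api/orders", "write", now), rights_policy),
        "limited_read": authorize(limited, request("/api/orders", "read", now), rights_policy),
        "limited_write": authorize(limited, request("/api/orders", "write", now), rights_policy),
        "limited_expired": authorize(limited, request("/api/orders", "read", later), rights_policy),
        "smuggled_admin": authorize(smuggled, request("/admin", "read", now), rights_policy),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Running it shows the full token allowed to write, the attenuated token allowed to read but denied on write and after expiry, and the appended "smuggled right" block having no effect on the policy. In a real deployment the signature chain is what prevents a holder from dropping an attenuation block or editing the authority block; this model only shows the evaluation order and fact visibility that sit on top of it.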

Supported Plugins in Otoroshi Biscuit Studio

  • Verifier
    Integrate verifier plugins into your Otoroshi routes to check the validity of a provided token.

    This ensures that only authorized tokens can access the route, providing additional layers of security and control over your API traffic.

  • Attenuator
    Add attenuator plugins to your Otoroshi routes that apply attenuation to a token, allowing you to reduce or modify the scope of access granted by a token.

    This can be used to tailor access permissions dynamically based on the specific needs of your routes or services.

  • Client Credentials

    The Client Credentials Plugin is a Backend plugin that enables the OAuth2 client_credentials flow, using an Eclipse Biscuit Token as the access_token.

  • Biscuit User Extractor

    The Biscuit User Extractor plugin extracts user information from an Eclipse Biscuit token and passes it along with the request to backend services. This helps identify users and enforce user-specific policies without additional authentication mechanisms.

  • User to Biscuit Extractor

    This plugin forges an Eclipse Biscuit Token from the authenticated user in the request context and adds the token to the request headers.

  • ApiKey Bridge

    The Biscuit API Key Bridge Plugin will extract an API key from the request.

  • Public Keys exposition

    Expose your public keys through a dedicated route. The default route is ${YOUR_OTOROSHI_DOMAIN}/.well-known/biscuit-web-keys