Hacker News new | past | comments | ask | show | jobs | submit login

It is a suitable alternative, where 'suitability' depends on your needs. For simple session management, it doesn't offer advantage over encoding all your claims as JSON and adding an HMAC-SHA256 MAC. But macaroons come to shine when you need to delegate authority to third parties. Let's say you are logged in to your work calendar and wants to give a third party service permission to read your busy time (but not any other appointment data) for the next 2 months. You take your current macaroon and tack 3 caveats on it: - third_party_service = busy_timer - date_range = 2017-05-01...2017-07-01 - permissions = start_time/read, end_time/read

You can do everything on the client side and you don't have to mess with OAuth.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact