Hacker News

You say that the standard is bad and that this indirectly caused bugs in JWT implementations, but looking at the Macaroons examples, there are still some corner cases where a programmer can make mistakes.

For example, this piece of code (fragment taken from [0]) restricts the Macaroon's usage to a given account... Or does it?

  M.add_first_party_caveat('account = 3735928559')
Only someone familiar with the topic will notice that it doesn't add anything to M, as Macaroons are immutable, but instead returns a new, adjusted object (the same "issue" happens in Java with BigIntegers). If you know what you are doing you won't make this mistake, but in this case you would also have safe JWTs...

As far as I can see, Macaroons have the interesting ability to be adjusted by intermediaries to limit their scope. Say you have a Macaroon that gives access to your Gmail account; you can "attenuate" it to limit its scope to only emails in the next 10 minutes, without contacting a third party. That'd be very useful for OAuth-like flows...

[0]: https://github.com/rescrv/libmacaroons/blob/master/README
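Added example (not part of the comment above and not code from libmacaroons): a minimal, self-contained re-implementation of the first-party-caveat HMAC chain that macaroons use, written to show both points raised in the comment. `Macaroon`, `Verifier`, `time_before` and the two demo functions are names chosen here for illustration; the root key, location and identifier strings are constructed sample values. `discarded_result_is_unrestricted` reproduces the pitfall (calling `add_first_party_caveat` and dropping the result leaves the original, caveat-free macaroon), and `attenuate_and_verify` shows a holder attenuating a macaroon offline with a time caveat, the service verifying it, rejecting it after expiry, and rejecting an attempt to strip the caveat while keeping the signature.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Tuple


def _chain(key: bytes, msg: bytes) -> bytes:
    """One link of the macaroon HMAC chain: next_sig = HMAC(prev_sig, caveat)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    """Simplified macaroon with first-party caveats only (illustrative, not libmacaroons).
    frozen=True makes every instance immutable, the property the comment is about."""
    location: str
    identifier: str
    caveats: Tuple[str, ...]
    signature: bytes

    @classmethod
    def create(cls, location: str, identifier: str, root_key: bytes) -> "Macaroon":
        # Root signature: HMAC(root_key, identifier). The root key stays with the minter.
        return cls(location, identifier, (), _chain(root_key, identifier.encode()))

    def add_first_party_caveat(self, predicate: str) -> "Macaroon":
        # Does NOT modify self: returns a new macaroon whose signature extends the chain.
        # A caller that discards the return value keeps the unrestricted original.
        return Macaroon(self.location, self.identifier,
                        self.caveats + (predicate,),
                        _chain(self.signature, predicate.encode()))


class Verifier:
    """Target-service side: knows the root key, recomputes the chain, checks every predicate."""

    def __init__(self) -> None:
        self._exact: set = set()
        self._general: List[Callable[[str], bool]] = []

    def satisfy_exact(self, predicate: str) -> None:
        self._exact.add(predicate)

    def satisfy_general(self, check: Callable[[str], bool]) -> None:
        self._general.append(check)

    def verify(self, m: Macaroon, root_key: bytes) -> bool:
        sig = _chain(root_key, m.identifier.encode())
        for caveat in m.caveats:
            if caveat not in self._exact and not any(f(caveat) for f in self._general):
                return False  # a caveat is not satisfied in this request context
            sig = _chain(sig, caveat.encode())
        # Constant-time comparison of the recomputed chain with the presented signature.
        return hmac.compare_digest(sig, m.signature)


def time_before(now: int) -> Callable[[str], bool]:
    """General caveat checker for predicates of the form 'time < <unix seconds>'."""
    def check(predicate: str) -> bool:
        key, _, value = predicate.partition(" < ")
        return key == "time" and value.isdigit() and now < int(value)
    return check


def discarded_result_is_unrestricted(root_key: bytes) -> bool:
    """The pitfall from the comment: the return value is dropped, so M keeps no caveat."""
    M = Macaroon.create("http://mybank/", "we used our secret key", root_key)
    M.add_first_party_caveat("account = 3735928559")  # result discarded
    return len(M.caveats) == 0                        # True: still unrestricted


def attenuate_and_verify(root_key: bytes, now: int) -> Tuple[bool, bool, bool]:
    """Mint -> holder attenuates offline -> service verifies.
    Returns (restricted_ok, expired_rejected, stripped_caveat_rejected)."""
    M = Macaroon.create("http://mybank/", "we used our secret key", root_key)
    M = M.add_first_party_caveat("account = 3735928559")  # correct usage: keep the result
    # The holder needs no root key and no round trip to the bank to attenuate further.
    delegated = M.add_first_party_caveat(f"time < {now + 600}")

    v = Verifier()
    v.satisfy_exact("account = 3735928559")
    v.satisfy_general(time_before(now))
    restricted_ok = v.verify(delegated, root_key)

    late = Verifier()
    late.satisfy_exact("account = 3735928559")
    late.satisfy_general(time_before(now + 601))
    expired_rejected = not late.verify(delegated, root_key)

    # Forgery attempt: drop the time caveat but present the delegated signature.
    forged = Macaroon(delegated.location, delegated.identifier,
                      delegated.caveats[:-1], delegated.signature)
    stripped_rejected = not v.verify(forged, root_key)
    return restricted_ok, expired_rejected, stripped_rejected


if __name__ == "__main__":
    key = b"constructed sample root key; only the minter should know it"
    print(discarded_result_is_unrestricted(key))
    print(attenuate_and_verify(key, now=1_700_000_000))
```

The holder cannot remove a caveat because each signature is the HMAC of the previous one, which the holder never sees; only the service, with the root key, can rebuild the chain from the start. Real libmacaroons also supports third-party caveats and a binary serialisation, neither of which this sketch covers.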