Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud
Paper in proceedings, 2014

Controlled sharing is fundamental to distributed systems; yet, on the Web and in the Cloud, sharing is still based on rudimentary mechanisms. More flexible, decentralized cryptographic authorization credentials have not been adopted, largely because their mechanisms have not been incrementally deployable, simple enough, or efficient enough to implement across the relevant systems and devices. We introduce macaroons: flexible authorization credentials for Cloud services that support decentralized delegation between principals. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs (42)) in a manner that is highly efficient, easy to deploy, and widely applicable. Although macaroons are bearer credentials, like cookies on the Web, macaroons embed caveats that attenuate and contextually confine when, where, by whom, and for what purpose a target service should authorize requests. We describe macaroons and motivate their design, compare them to other credential systems such as cookies and SPKI/SDSI (14), evaluate and measure a prototype, and discuss practical security and protocol implementation considerations. We also formalize macaroons in a variant of authorization logic, and consider their use to strengthen existing mechanisms, such as OAuth2 (17), for more fine-grained authorization in the Cloud.
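The nested, chained-HMAC construction the abstract describes, as an added example that is not code from the paper or from any macaroon library: the target service mints a credential keyed on a root key, any bearer attenuates it by adding a first-party caveat (chaining a new HMAC keyed with the previous signature), and the service verifies by replaying the chain. The caveat syntax (`attr = value`, `attr < value`), the location, the identifier and the key are constructed for the demo.

```python
import hashlib, hmac
from dataclasses import dataclass, field
def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Macaroon:
    location: str              # hint for the bearer; not covered by the MAC
    identifier: bytes          # lets the target service look up its root key
    caveats: list = field(default_factory=list)
    signature: bytes = b""

def mint(root_key: bytes, location: str, identifier: bytes) -> Macaroon:
    # Target service issues the credential: sig_0 = HMAC(root_key, identifier).
    return Macaroon(location, identifier, [], _mac(root_key, identifier))

def attenuate(m: Macaroon, caveat: str) -> Macaroon:
    # Any bearer adds a first-party caveat with no key: sig_n = HMAC(sig_{n-1}, caveat).
    # sig_{n-1} is discarded, so a later holder cannot strip the caveat and re-MAC.
    c = caveat.encode()
    return Macaroon(m.location, m.identifier, m.caveats + [c], _mac(m.signature, c))

def caveat_holds(caveat: bytes, ctx: dict) -> bool:
    # Constructed caveat language (assumed, not the paper's): "attr = value" or "attr < value".
    parts = caveat.decode().split(" ", 2)
    if len(parts) != 3 or parts[0] not in ctx:
        return False                     # unknown or malformed caveat fails closed
    attr, op, value = parts
    if op == "=":
        return str(ctx[attr]) == value
    if op == "<":
        return int(ctx[attr]) < int(value)
    return False

def verify(root_key: bytes, m: Macaroon, ctx: dict) -> bool:
    # Service replays the chain from its root key, checks each caveat, compares MAC in constant time.
    sig = _mac(root_key, m.identifier)
    for c in m.caveats:
        if not caveat_holds(c, ctx):
            return False
        sig = _mac(sig, c)
    return hmac.compare_digest(sig, m.signature)

def demo() -> bool:
    root_key = b"constructed-root-key-for-demo"   # constructed demo value
    m = mint(root_key, "https://storage.example/", b"key-id-42")
    m = attenuate(m, "account = 3735928559")  # delegator: this account only
    m = attenuate(m, "time < 1700000000")     # delegatee narrows further: expiry
    return verify(root_key, m, {"account": 3735928559, "time": 1699999999})
```

Removing a caveat, altering one, or presenting the credential outside its context all change the replayed MAC or fail a predicate, so verification rejects the request.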

Authors

Arnar Birgisson

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Joe Gibbs Politz

Brown University

Úlfar Erlingsson

Google Inc.

Ankur Taly

Google Inc.

Michael Vrable

Google Inc.

Mark Lentczner

Google Inc.

21st Annual Network and Distributed System Security Symposium, NDSS 2014

San Diego, USA

Subject Categories

Computer Science

DOI

10.14722/ndss.2014.23212

Latest update

1/10/2024