divarvel
commented
2 months ago Hi, this looks similar to an open PR in biscuit-go https://github.com/biscuit-auth/biscuit-go/pull/130
The token format still requires to have access to the private key for non-authority blocks, but I think that would be okay in this scenario, we only care about delegating signature to a KMS for the authority block (and third-party blocks, but that's similar).
Agree on putting it behind a feature flag because this increases the risk of misuse a lot.
ShockleyJE
We are evaluating biscuits and the project is extremely appealing for our use case, save for the requirement that the implementing system requires access to the private key itself, which precludes usage with managed key services like AWS KMS.
I'm not deeply familiar with the project history, future goals, and codebase, but it does look possible technically to add an interface for externalizing the signing & public key download responsibilities of
KeyPairas an optional feature in the crate, where implementations of these responsibilities would be implemented.The integration with providers would be a non-goal, other than providing a best-effort example.
If this proposal is consistent with the direction of the project we can work around this limitation in the interim and I can offer to contribute to the implementation if desired