Right now the spec provides (rather) precise definitions for the token format, the evaluation model and datalog parsing.
What is not specified, however, is the general API of libraries. Most libraries have the same behaviour, but there can be subtle details that vary from implementation to implementation.
For instance:
biscuit-haskell checks revocation ids after parsing the external envelope, but before parsing the actual payload
biscuit-rust performs some checks when constructing a Biscuit, but a Biscuit value can still carry invalid code
biscuit-go does not allow querying an authorizer before running authorization (contrary to biscuit-rust and biscuit-haskell)
I think the spec should not mandate too much with respect to APIs, because each language has different ways to express things, but I think there should be some common guarantees provided by specific operations.