Java

How to use the Biscuit Java library

The Java version of Biscuit can be found on Github, and maven.

Install

In pom.xml:

<dependency>
    <groupId>com.clever-cloud</groupId>
    <artifactId>biscuit-java</artifactId>
    <version>2.1.0</version>
    <type>jar</type>
</dependency>

Create a root key

public KeyPair root() {
    return new KeyPair();
}

Create a token

public Biscuit createToken(KeyPair root) throws Error {
    return Biscuit.builder(root)
            .add_authority_fact("user(\"1234\")")
            .add_authority_check("check if operation(\"read\")")
            .build();
}

Create an authorizer

public Tuple2<Long, WorldAuthorized> authorize(KeyPair root, byte[] serializedToken) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, Error {
    return Biscuit.from_bytes(serializedToken, root.public_key()).authorizer()
            .add_fact("resource(\"/folder1/file1\")")
            .add_fact("operation(\"read\")")
            .allow()
            .authorize();
}

Attenuate a token

public Biscuit attenuate(KeyPair root, byte[] serializedToken) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, Error {
    Biscuit token = Biscuit.from_bytes(serializedToken, root.public_key());
    Block block = token.create_block().add_check("check if operation(\"read\")");
    return token.attenuate(block);
}

Seal a token

Either<Error, byte[]> sealed_token = token.seal();

Reject revoked tokens

The revocation_identifiers method returns the list of revocation identifiers as byte arrays.

List<RevocationIdentifier> revocation_ids = token.revocation_identifiers();

Query data from the authorizer

The query method takes a rule as argument and extract the data from generated facts as tuples.

public Set<Fact> query(Authorizer authorizer) throws Error.Timeout, Error.TooManyFacts, Error.TooManyIterations, Error.Parser {
    return authorizer.queryAll("data($name, $id) <- user($name, $id)");
}