I am still waiting for Macaroons to be used widely. I think they are a fantastic invention.
It seems they were not of very much use in the past, but with the agentic-everything now, I see this as a great way of delegating permissions to subagents, third-party agents, etc.
Working on something along these lines but unfortunately I cannot dedicate as much time as I'd like.
Still, if anyone is reading, give Macaroons a try!
We have what I believe to be one of the world's largest deployments of Macaroons. They're a mixed bag, though I think they're a lot more interesting in a world where agents do most of the fiddly work.
https://fly.io/blog/operationalizing-macaroons/
I am very aware of your work!
It's the only prod usage of Macaroons I know of, I think.
Third-party discharge seems like a great way to have human-in-the-loop gating, among other interesting things.
Would be great reading your thoughts if you ever write about the agentic use case, having all the fly.io experience
I like the raspberry ones. Or lemon is also good
Are you thinking of macarons? Macaroons are coconut.
JWTs can do that (delegate) and such capability is already well defined.
Maybe I stated it wrong. Macaroons have the ability to attenuate the restrictions _without_ contacting the auth server, which makes it IMO fit for restricting and attenuating as much as you want, without much cost.
If I need a roundtrip to the auth server to attenuate, I am not necessarily going to do it as often.
Most token formats delegate. Macaroons support attenuation, confinement, and embedded third-party claims, none of which are JWT capabilities.