
Something like this needs traction. The concept is essentially a "policy DSL," where we need a domain-specific language for describing authorization across the internet. The other feature a DSL should have is a 5Ws approach (who, what, when, where, why, and how), as this will make it consistent with most business logic and also any logging and audit requirements, since this is how humans describe things. I can see why they are using a concrete language based on security concepts to describe the authorizations, but the next level would be a more general subject-predicate graph form. The risk there is losing consistency when users and developers don't abstract it well, so maybe biscuitsec has got it right. All authN systems die of overspecification, and so the best solution will be the one people actually use.

Several years ago I was looking at doing a "blockchain policy DSL," where users could federate applications by subscribing to and caching parts of the chain, but there wasn't enough product juice in it to pursue (I've done a lot of IAM and digital identity work over the years). This biscuitsec authZ token has a lot of the right ideas. It's a hard problem that needs fewer solutions and just one viable product.
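As an added illustration of the "policy DSL" idea the comment describes (this is a constructed example, not biscuitsec's own implementation or syntax), the toy evaluator below treats an authorization token as a set of Datalog-style facts plus rules and checks. Facts are tuples whose first element is the predicate, variables are strings beginning with `$`, a rule derives new facts, and every check must be satisfiable for the request to pass. The request context is expressed along the commenter's 5Ws: who (`user`), what (`resource`), how (`operation`), when (`time`) and where (`source_ip`). The authority facts, the group-inheritance rule, the expiry timestamp and the `10.` address prefix are all assumptions made up for the example.

```python
"""Toy Datalog-style evaluator for an authorization policy DSL.
Constructed example; it is not biscuit's engine or syntax."""

# Authority facts: what the token issuer asserts (constructed sample data).
AUTHORITY_FACTS = {
    ("right", "alice", "/reports/q3.pdf", "read"),
    ("group_member", "alice", "finance"),
    ("group_right", "finance", "/reports/q3.pdf", "write"),
}

# Rule: head :- body. A user inherits every right granted to their groups.
RULES = [
    (("right", "$u", "$r", "$op"),
     [("group_member", "$u", "$g"), ("group_right", "$g", "$r", "$op")]),
]

TOKEN_EXPIRY = 1_700_000_000  # constructed unix timestamp

# Checks over the 5Ws: who/what/how must be granted, when must precede
# expiry, where must be an internal address. A callable inside a body is a
# constraint evaluated against the variable bindings made before it.
CHECKS = [
    [("user", "$u"), ("resource", "$r"), ("operation", "$op"),
     ("right", "$u", "$r", "$op")],
    [("time", "$t"), lambda env: env["$t"] < TOKEN_EXPIRY],
    [("source_ip", "$ip"), lambda env: env["$ip"].startswith("10.")],
]


def is_var(term):
    return isinstance(term, str) and term.startswith("$")


def unify(pattern, fact, env):
    """Return extended bindings if `fact` matches `pattern`, else None."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def match_body(body, facts, env=None):
    """Yield every binding under which all patterns/constraints in body hold."""
    if env is None:
        env = {}
    if not body:
        yield env
        return
    first, rest = body[0], body[1:]
    if callable(first):
        if first(env):
            yield from match_body(rest, facts, env)
        return
    for fact in facts:
        new_env = unify(first, fact, env)
        if new_env is not None:
            yield from match_body(rest, facts, new_env)


def substitute(head, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in head)


def saturate(facts, rules):
    """Naive forward chaining: apply rules until no new fact appears."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for env in list(match_body(body, facts)):
                new_fact = substitute(head, env)
                if new_fact not in facts:
                    facts.add(new_fact)
                    changed = True
    return facts


def holds(body, facts):
    return any(True for _ in match_body(body, facts))


def decide(who, what, how, when, where):
    """Evaluate a request; returns (allowed, indices of failed checks)."""
    request = {("user", who), ("resource", what), ("operation", how),
               ("time", when), ("source_ip", where)}
    all_facts = saturate(AUTHORITY_FACTS | request, RULES)
    failed = [i for i, body in enumerate(CHECKS) if not holds(body, all_facts)]
    return (not failed, failed)


if __name__ == "__main__":
    print(decide("alice", "/reports/q3.pdf", "write", 1_699_999_000, "10.0.0.5"))
    print(decide("bob", "/reports/q3.pdf", "read", 1_700_000_001, "203.0.113.7"))
```

The returned list of failed check indices is what makes this useful for the audit side the comment mentions: a denial can be logged as "check 2 (where) failed" rather than a bare refusal, and the same facts that drove the decision are the ones worth writing to the log.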



