Macaroons are a decentralized authorization credential designed for distributed systems. They allow services to grant authorization tokens for one another, with precisely limited scope and ability. Macaroons may very well be the future of authorization across services.
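The "precisely limited scope" property comes from macaroons' chained-HMAC construction: the issuer mints a token as HMAC(rootKey, id), and every caveat appended afterwards replaces the signature with HMAC(previousSignature, caveat). Any holder can narrow a token this way, but nobody can strip a caveat back off, and only the service holding the root key can verify the result. The following Go program is an added illustration of that construction, not code from the talk or from the Go library the speaker's team used. It is a deliberately minimal model: first-party caveats only (no third-party caveats, no location field, no key derivation), a constructed root key, and a hypothetical caveat syntax of the form `key = value` checked against a request context.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Macaroon is a minimal model: public identifier, ordered first-party
// caveats, and the chained HMAC signature over all of them.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}

// mac is the chaining primitive: HMAC-SHA256 keyed by the previous signature.
func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Mint creates a fresh macaroon with signature HMAC(rootKey, id).
// Only the issuing service knows rootKey.
func Mint(rootKey []byte, id string) *Macaroon {
	return &Macaroon{ID: id, Sig: mac(rootKey, []byte(id))}
}

// AddCaveat attenuates the macaroon without needing the root key: the new
// signature is HMAC(oldSig, caveat). The old signature is no longer present,
// so the caveat cannot be removed later without detection.
func (m *Macaroon) AddCaveat(caveat string) *Macaroon {
	caveats := append(append([]string{}, m.Caveats...), caveat)
	return &Macaroon{ID: m.ID, Caveats: caveats, Sig: mac(m.Sig, []byte(caveat))}
}

// Verify recomputes the chain from the root key, checking every caveat
// against the request via the supplied predicate, and compares the final
// signature in constant time.
func Verify(rootKey []byte, m *Macaroon, satisfied func(caveat string) bool) error {
	sig := mac(rootKey, []byte(m.ID))
	for _, c := range m.Caveats {
		if !satisfied(c) {
			return fmt.Errorf("caveat not satisfied: %q", c)
		}
		sig = mac(sig, []byte(c))
	}
	if !hmac.Equal(sig, m.Sig) {
		return fmt.Errorf("signature mismatch: token tampered with or caveat stripped")
	}
	return nil
}

// Request is a hypothetical request context; caveats of the form
// "key = value" are satisfied when the context carries that exact value.
type Request map[string]string

// Satisfies implements the caveat predicate for Verify.
func (r Request) Satisfies(caveat string) bool {
	parts := strings.SplitN(caveat, " = ", 2)
	if len(parts) != 2 {
		return false
	}
	return r[parts[0]] == parts[1]
}

func main() {
	rootKey := []byte("constructed-root-key-for-demo") // constructed sample key
	issued := Mint(rootKey, "user:alice")
	// A downstream service narrows the token before passing it on.
	readOnly := issued.AddCaveat("op = read").AddCaveat("bucket = reports")

	fmt.Println("read reports:", Verify(rootKey, readOnly, Request{"op": "read", "bucket": "reports"}.Satisfies))
	fmt.Println("write reports:", Verify(rootKey, readOnly, Request{"op": "write", "bucket": "reports"}.Satisfies))

	// Attempting to drop the caveats while keeping the attenuated signature fails.
	stripped := &Macaroon{ID: readOnly.ID, Sig: readOnly.Sig}
	fmt.Println("stripped caveats:", Verify(rootKey, stripped, Request{"op": "write"}.Satisfies))
}
```

Two points worth noticing when reading it. Verification needs the root key, so every service that checks tokens either shares that secret or must call back to the issuer; that coupling is part of what makes macaroons attractive for service-to-service authorization and also part of what makes them operationally heavy. And because attenuation needs no key, the token itself is the only thing standing between a caller and broader access, so transport protection and short lifetimes matter as much as they do for any bearer credential.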
Several months ago, my team eagerly adopted them, using an implementation in Go. Replacing our old system was easy enough—but working with macaroons turned out to be a disaster. In this talk, I share how our decision to use macaroons negatively affected our user experience, our own developer experience, and even our system availability. We also lost hours of developer time arguing about the difference between a “macaroon” and a “macaron”.
So, what makes macaroons so dang cool? How do they work? Why should gophers get excited about them and why did my team get excited about them? Why are macaroons such a tempting fit for a project, especially a Go project, and where did my team go wrong? What should a team of gophers consider and where did my team ultimately land?
This is a story about cool new technology, over-engineering, and coconut cookies.