Auth Awesome

ver	date
Kerberos 4.0	1980s
LDAPv3	1997
Kerberos 5.0	1993
SAML 1.0	2002
SAML 1.1	2003
SAML 2.0	2005
OpenID 1.0	2006
OpenID 2.0	2007
OAuth 1.0	2010
OAuth 2.0	2012
OpenID Connect 1.0	2014
WebAuthn Level 1	2019-03-04

• IAM - Identity and Access Management
• kdeldycke/awesome-iam
• keepassxreboot/keepassxc
• babelouest/glewlwyd
• longguikeji/arkid
  • AGPLv3, Python
• bullteam/zeus-admin
  • Apache-2.0, Go+Vue
• OpenIdentityPlatform/OpenAM
  • Java
• kanidm/kanidm
  • MPL-2.0, Rust
• authelia/authelia
  • Apache-2.0, Go
  • SSO Multi-Factor portal for web apps
• boxyhq/jackson
  • Apache-2.0, Typescript
• OpenID Provider (OP), Identity Provider (IDP)
  • 实现了 OpenID Connect 和 OAuth 2.0
• Relying Party (RP)
  • 应用或网站
  • 将用户授权转交给 IdP
• logto-io/logto
  • MPLv2, TS
• eicrud/eicrud
  • MIT, TS
  • CRUD/Authorization framework based on NestJS

Authorization Design

• Google Cloud
  • Policies
  • IAM permissions reference
  • 资源名称
    • //{api}/{collection-id}/{resource-id}(/{collection-id}/{resource-id})*
    • //mail.googleapis.com/users/name@example.com/settings/customFrom
    • 无传输协议

Authorization

• casbin
• ory/oathkeeper
  • Identity & Access Proxy
• osohq/oso
  • Apache-2.0, Rust+Python
  • 引擎开源/Policy - Rust 实现
    • 语言库: Node.js, Python, Go, Rust, Ruby, Java
  • 商业化服务平台
  • 参考
    • https://www.osohq.com/academy
• stalniy/casl
  • Isomorphic Authorization JavaScript library
  • @casl/ability - 20.5kB/7kB - @ucast/core, @ucast/js, @ucast/mongo
    • @ucast - 条件转换
  • @casl/react - 2kB/1kB

Zanzibar

• authzed/spicedb
  • Apache-2.0, Go
  • AuthZ as a Service
  • gRPC API+REST
  • 支持 pg, mysql, cockroachdb, hashicorp/go-memdb
  • HN
• aserto-dev/topaz
  • Apache-2.0, Go
  • Open Policy Agent
  • BoltDB
• Permify/permify
  • Apache-2.0, Go
  • 通过 CDC 同步信息
  • why-decouple-authorizations
• openfga/openfga
  • Apache-2.0, Go
  • by Auth0 FGA
    • https://dashboard.fga.dev/
• ory/keto
  • Apache-2.0, Go
• josephglanville/zanzibar-pg
• authorizer-tech/access-controller
• 参考
  • RBAC - 角色固定
  • ReBAC - 基于关系
  • ABAC - 基于属性，任意属性
  • HBAC - Host Based Access Control
  • What is Zanzibar?
  • https://www.osohq.com/learn/google-zanzibar

IAM

• keycloak/keycloak
  • Apache-2.0, Java
• zitadel/zitadel
  • Apache-2.0, Go
  • by CAOS from Switzerland
  • 提供 gRPC 接口
  • 依赖 CockroachDB
  • zitadel vs keycloak
  • https://zitadel.ch/v2 WIP
• kanidm/kanidm
  • MPL-2.0, Rust
  • SSH/PAM/RADIUS/Web OAuth
  • oauth design
• compare open-source-sso
• OpenIAM
• Apache Syncope
• FreeIPA
  • Python
• WSO2
• apereo/cas - Central Authentication Service
• Okta
• FusionAuth
• LDAP/GSSAPI
• Kerberos
  • not use public key crypto
• supertokens/supertokens-core
  • Apache-2.0, Java
• goauthentik/authentik
  • GPL-3.0, Python
• ory/kratos

Proxy

API 网关通常支持 auth、authz

• ForwardAuth
  • oauth2-proxy/oauth2-proxy
    • 也支持作为反向代理
  • vouch/vouch-proxy
• pomerium/pomerium
  • Apache-2.0, Go
  • Pomerium is an identity-aware access proxy.
  • Enterprise
    • 管理界面
    • API
    • Session

Reference

• Google Authentication/Authorization for Enterprise SPI Guide
• How to Design a Permissions Framework

Library

• auth0/node-jsonwebtoken
  • MIT, JS
  • jsonwebtoken
• panva/jose
  • MIT, TS, JS
  • JWA, JWS, JWE, JWT, JWK, JWKS
• passport
• authts/oidc-client-ts
  • Apache-2.0, TS
• panva/node-openid-client
  • OpenID Certified™ Relying Party

IdP

• panva/node-oidc-provider
  • MIT, NodeJS, JS
  • panva/oauth4webapi
    • MIT, TS
    • OAuth 2 / OpenID Connect
• dexidp/dex
  • Apache-2.0, Go
  • OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable Connectors
• ory/hydra
  • Apache-2.0, Go
  • OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go