{"id":48470449,"url":"https://github.com/carbynestack/thymus","last_synced_at":"2026-04-07T06:04:41.901Z","repository":{"id":241104115,"uuid":"616473404","full_name":"carbynestack/thymus","owner":"carbynestack","description":"Authentication and Authorization subsystem of the Carbyne Stack platform","archived":false,"fork":false,"pushed_at":"2025-03-07T08:11:25.000Z","size":132,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-06-15T10:56:04.457Z","etag":null,"topics":["access-control","authentication"],"latest_commit_sha":null,"homepage":"https://carbynestack.io","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/carbynestack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-20T13:09:28.000Z","updated_at":"2025-03-07T08:11:21.000Z","dependencies_parsed_at":"2024-05-22T12:44:22.507Z","dependency_job_id":"1b186e61-fd23-4fc0-bef7-8d33961bf54f","html_url":"https://github.com/carbynestack/thymus","commit_stats":null,"previous_names":["carbynestack/thymus"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/carbynestack/thymus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carbynestack%2Fthymus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carbynestack%2Fthymus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carbynestack%2Fthymus/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/carbynestack%2Fthymus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/carbynestack","download_url":"https://codeload.github.com/carbynestack/thymus/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carbynestack%2Fthymus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31501903,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","authentication"],"created_at":"2026-04-07T06:04:41.185Z","updated_at":"2026-04-07T06:04:41.894Z","avatar_url":"https://github.com/carbynestack.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Carbyne Stack Thymus Authentication and Authorization\n\n[![Codacy Badge](https://app.codacy.com/project/badge/Grade/233198c332f3486ea69057fb9938917e)](https://app.codacy.com/gh/carbynestack/caliper/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_grade)\n[![Known 
Vulnerabilities](https://snyk.io/test/github/carbynestack/thymus/badge.svg)](https://snyk.io/test/github/carbynestack/thymus)\n[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit\u0026logoColor=white)](https://github.com/pre-commit/pre-commit)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)\n\n\u003e **DISCLAIMER**: Carbyne Stack Thymus is in *proof-of-concept* stage. The\n\u003e software is not ready for production use. It has neither been developed nor\n\u003e tested for a specific use case.\n\nThymus is the authentication and authorization subsystem of\n[Carbyne Stack](https://github.com/carbynestack).\n\n## Namesake\n\n\u003e The *thymus* is an organ that is critically important to the immune system\n\u003e which serves as the body’s defense mechanism providing surveillance and\n\u003e protection against diverse pathogens, tumors, antigens and mediators of tissue\n\u003e damage. ([Source](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6446584/))\n\nWithin Carbyne Stack *Thymus* implements measures and mechanisms to defend\nagainst unauthorized access.\n\n## Development\n\n### Isolated Deployment\n\nThe Thymus subsystem can be run in isolation, i.e., without a full-fledged\nCarbyne Stack system. In order to follow the steps below, we assume that you\nhave a `kind` Kubernetes cluster at your disposal that comes along with Istio,\nMetalLB, and the Zalando PostgreSQL operator. This can be achieved by following\nthe\n[Platform Setup Guide](https://carbynestack.io/documentation/getting-started/deployment/manual/platform-setup)\navailable on the [Carbyne Stack website](https://carbynestack.io).\n\n\u003e \\[!TIP\\] You can skip the Knative installation as it is not required for\n\u003e running Thymus.\n\nTo deploy Thymus follow the steps below:\n\n1. Clone the Thymus repository:\n\n   ```bash\n   git clone https://github.com/carbynestack/thymus.git\n   ```\n\n1. 
Create the PostgreSQL instance required by both Kratos and Hydra:\n\n   ```bash\n   kubectl apply -f thymus/hack/postgres.yaml\n   ```\n\n1. Change into the Thymus chart directory:\n\n   ```bash\n   cd thymus/charts/thymus\n   ```\n\n1. Fetch the dependencies of the chart:\n\n   ```bash\n   helm dependency update\n   ```\n\n1. Install the chart:\n\n   ```bash\n   helm install thymus . --set thymus.gateway.enabled=true --set thymus.users.enabled=true\n   ```\n\n   \u003e \\[!NOTE\\] `thymus.gateway.enabled=true` and `thymus.users.enabled=true` are\n   \u003e optional flags that enable the creation of an Istio gateway and a set of\n   \u003e demo users respectively.\n\nThymus is now available and exposes the following APIs at the given endpoints:\n\n\u003c!-- markdownlint-disable MD034 --\u003e\n\n| API                                                            | Endpoint                               |\n| -------------------------------------------------------------- | -------------------------------------- |\n| [Kratos](https://www.ory.sh/docs/kratos/reference/api)         | http://172.18.1.128.sslip.io/iam       |\n| [Kratos UI](https://github.com/ory/kratos-selfservice-ui-node) | http://172.18.1.128.sslip.io/iam/ui    |\n| [Hydra](https://www.ory.sh/docs/hydra/reference/api)           | http://172.18.1.128.sslip.io/iam/oauth |\n\n\u003c!-- markdownlint-enable MD034 --\u003e\n\n### Authentication Flow\n\n\u003e \\[!NOTE\\] The following assumes that you have deployed Thymus as described\n\u003e above.\n\nThe following steps demonstrate the OpenID Connect authentication flow using\nThymus:\n\n1. Get the OAuth2 client ID:\n\n   \u003c!-- markdownlint-disable MD013 --\u003e\n\n   ```bash\n   CLIENT_ID=$(kubectl get secrets thymus-client-secret -o jsonpath='{.data.CLIENT_ID}' | base64 -d)\n   ```\n\n   \u003c!-- markdownlint-enable MD013 --\u003e\n\n1. 
Request an authorization code by opening the following URL in a browser and\n   authenticating with the credentials of one of the users listed in\n   `charts/thymus/values.yaml`:\n\n   ```bash\n   open \"http://172.18.1.128.sslip.io/iam/oauth/oauth2/auth?client_id=${CLIENT_ID}\u0026redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback\u0026response_type=code\u0026state=1102398157\u0026scope=offline%20openid\"\n   ```\n\n   After being redirected to `http://127.0.0.1:5555/callback`, copy the value\n   of the `code` query parameter and store it in the `$AUTH_CODE` variable.\n\n   ```bash\n   AUTH_CODE=\"\u003ctoken\u003e\"\n   ```\n\n1. Exchange the authorization code for access and refresh tokens:\n\n   ```bash\n   curl --request POST \\\n   --url http://172.18.1.128.sslip.io/iam/oauth/oauth2/token \\\n   --header 'Content-Type: application/x-www-form-urlencoded' \\\n   --data client_id=${CLIENT_ID} \\\n   --data code=${AUTH_CODE} \\\n   --data grant_type=authorization_code \\\n   --data redirect_uri=http://127.0.0.1:5555/callback\n   ```\n\nYou can use the returned access and refresh tokens to authenticate yourself to\nan Istio deployment with properly configured\n[End User Authentication](https://istio.io/latest/docs/tasks/security/authentication/authn-policy/#end-user-authentication).\n\n## License\n\nThe Carbyne Stack *Thymus Authentication and Authorization* subsystem repository\nis open-sourced under the Apache License 2.0. 
See the [LICENSE](LICENSE) file\nfor details.\n\n### 3rd Party Licenses\n\nFor information on how license obligations for 3rd party OSS dependencies are\nfulfilled see the [README](https://github.com/carbynestack/carbynestack) file of\nthe Carbyne Stack repository.\n\n## Contributing\n\nPlease see the Carbyne Stack\n[Contributor's Guide](https://github.com/carbynestack/carbynestack/blob/master/CONTRIBUTING.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarbynestack%2Fthymus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcarbynestack%2Fthymus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarbynestack%2Fthymus/lists"}