{"id":51524786,"url":"https://github.com/cocoar-dev/modgud","last_synced_at":"2026-07-08T20:01:14.174Z","repository":{"id":360546753,"uuid":"1143444989","full_name":"cocoar-dev/modgud","owner":"cocoar-dev","description":"Multi-tenant Identity Provider — OAuth 2.0 / OpenID Connect server with multi-app RBAC and database-per-tenant isolation.","archived":false,"fork":false,"pushed_at":"2026-07-01T11:23:37.000Z","size":8297,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"develop","last_synced_at":"2026-07-05T17:53:31.438Z","etag":null,"topics":["aspnet-core","dotnet","iam","identity-provider","marten","multi-tenant","oauth2","oidc","openid-connect","openiddict","postgresql","rbac","saas","vue","wolverine"],"latest_commit_sha":null,"homepage":"https://docs.cocoar.dev/modgud/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cocoar-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-27T15:36:23.000Z","updated_at":"2026-07-01T11:23:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cocoar-dev/modgud","commit_stats":null,"previous_names":["cocoar-dev/modgud","cocoar-dev/cocoar.auth"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/cocoar-dev/modgud","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocoar-dev%2Fmodgud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocoar-dev%2Fmodgud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocoar-dev%2Fmodgud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocoar-dev%2Fmodgud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cocoar-dev","download_url":"https://codeload.github.com/cocoar-dev/modgud/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocoar-dev%2Fmodgud/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35201088,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-06T02:00:07.184Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aspnet-core","dotnet","iam","identity-provider","marten","multi-tenant","oauth2","oidc","openid-connect","openiddict","postgresql","rbac","saas","vue","wolverine"],"created_at":"2026-07-08T20:01:13.392Z","updated_at":"2026-07-08T20:01:14.163Z","avatar_url":"https://github.com/cocoar-dev.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Modgud\n\n![Modgud — multi-tenant Identity Provider](docs/public/social-preview-small.png)\n\n**Self-hosted multi-tenant Identity Provider for ASP.NET Core.**\nOAuth 2.0 / OpenID Connect server with database-per-realm isolation,\nmulti-app permission catalogs, Keycloak-style `resource_access`\nemission, full 2FA spectrum, GDPR self-service.\n\n[![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)\n[![.NET](https://img.shields.io/badge/.NET-10.0-512BD4)](https://dotnet.microsoft.com/)\n[![pre-1.0](https://img.shields.io/badge/status-pre--1.0-orange.svg)](./docs/roadmap.md)\n\n## What you get\n\n- **Multi-tenant by design** — every realm gets its own PostgreSQL\n  database via Marten's `MasterTableTenancy`. Domain-based routing\n  maps `Host` headers to tenants. No `tenant_id` columns, no\n  cross-realm leaks possible.\n- **Multi-app permission model** — Apps are first-class. Permissions\n  are 2-segment (`\u003cresource\u003e:\u003caction\u003e`) inside an app's catalog. Two\n  bypass tiers, no more. Roles bind to one App, groups carry a\n  `BoundTo` activation list.\n- **Keycloak-style `resource_access` on UserInfo** — per-audience\n  blocks with bypass pre-expansion and per-RS subset narrowing. A\n  drop-in `IClaimsTransformation` library flattens the right block\n  into `ClaimTypes.Role` so `[Authorize(Roles = \"...\")]` works\n  without per-endpoint plumbing.\n- **Full 2FA spectrum + WebAuthn** — TOTP, Email-OTP, FIDO2/Passkey,\n  Magic Link, recovery codes. 2FA enforcement middleware with grace\n  period and per-user override.\n- **OIDC federation** — Microsoft Entra ID, Google, any OIDC IdP.\n  JIT user provisioning + JavaScript claim-mapping (`UserUpdateScript`).\n- **Dynamic Client Registration (RFC 7591)** with triple opt-in\n  (realm master / per-API / per-scope), audience-target containment,\n  full audit-event trail.\n- **GDPR-ready** — Article-20 self-service export, three-step\n  account deletion with confirmation token, Marten data-masking +\n  `ArchiveStream` for irreversible PII erase with audit-chain\n  integrity preserved.\n- **Observability built-in** — OpenTelemetry metrics + traces,\n  Prometheus scrape endpoint, custom IdP meter, in-app live\n  activity feed.\n- **Recovery CLI** — break-glass admin path (bootstrap-admin,\n  reset-2fa, magic-link, rebuild-projections) when the UI can't\n  help you.\n\n## Quick links\n\n| | |\n|---|---|\n| [📘 Get Started](./docs/getting-started/) | What this is, requirements, first-time setup |\n| [⚡ Quickstart (Docker)](./docs/getting-started/quickstart.md) | From `docker compose up` to first login in 10 minutes |\n| [🧠 Concepts](./docs/concepts/) | Realms, apps, permissions, OAuth, tokens — the mental model |\n| [🛠️ Operate](./docs/operate/) | Deployment, observability, recovery CLI, feature flags |\n| [👤 Administer](./docs/admin/) | Users, groups, roles, OAuth clients, login providers |\n| [🔌 Integrate](./docs/integrate/) | Plug your ASP.NET Core / SaaS app into Modgud |\n| [📖 Reference](./docs/reference/) | OAuth / Auth / Admin / Realm endpoint reference |\n| [🗺️ Roadmap](./docs/roadmap.md) | What ships today, what's coming, what's intentionally out of scope |\n| [📦 Releases](https://github.com/cocoar-dev/modgud/releases) | Versioned releases with hand-written release notes — the canonical changelog |\n\n## Status\n\n**Pre-1.0, actively developed.** The [Roadmap](./docs/roadmap.md)\nis the canonical view of what's shipped and what's coming next — it\ngets revised when something lands.\n\nBuilt by [COCOAR e.U.](https://cocoar.dev). See\n[CONTRIBUTING.md](./CONTRIBUTING.md) for how PRs and issues are\nhandled.\n\n## Build it yourself\n\n```bash\n# Prereqs: .NET 10 SDK, Node 22 + pnpm (via Corepack), Docker\n\n# Backend (port 9099)\ncd src/dotnet\ndocker exec cocoar-postgres psql -U postgres -c \"CREATE DATABASE modgud;\"\ncd Modgud.Api\nASPNETCORE_ENVIRONMENT=Development dotnet run --no-launch-profile\n\n# Frontend (port 4300, separate terminal)\ncd src/frontend-vue\npnpm install\npnpm dev\n```\n\nFirst-time admin bootstrap via the recovery CLI — see\n[First-time setup](./docs/getting-started/first-time-setup.md) for\nthe walkthrough.\n\n## Contributing\n\nPRs welcome for typos and small fixes — for anything bigger, please\nopen a [Discussion](https://github.com/cocoar-dev/modgud/discussions)\nfirst. The [Contributing guide](./CONTRIBUTING.md) has the full\nground rules.\n\nSecurity vulnerabilities **do not** go through the public issue\ntracker — see [SECURITY.md](./SECURITY.md) for the private channel.\n\n## About the name\n\n**Modgud** takes its name from **Móðguðr**, the watcher of\n*Gjallarbrú* in Norse mythology — a bridge between worlds, where\nshe challenged every traveler with the same question an IdP asks:\n*\"Who are you, and what brings you here?\"* A fitting namesake.\n\n## License\n\nLicensed under the [Apache License, Version 2.0](./LICENSE).\n\"Modgud\" and the Modgud shield are trademarks of COCOAR e.U. —\nsee [TRADEMARK.md](./TRADEMARK.md) for the practical rules.\n\nCopyright © 2025–2026 [COCOAR e.U.](https://cocoar.dev), Vienna,\nAustria.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcocoar-dev%2Fmodgud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcocoar-dev%2Fmodgud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcocoar-dev%2Fmodgud/lists"}