{"id":40567802,"url":"https://github.com/infratographer/identity-api","last_synced_at":"2026-01-21T01:30:56.287Z","repository":{"id":64967579,"uuid":"577497151","full_name":"infratographer/identity-api","owner":"infratographer","description":"OAuth token exchange","archived":false,"fork":false,"pushed_at":"2026-01-13T05:30:24.000Z","size":1034,"stargazers_count":6,"open_issues_count":17,"forks_count":9,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-01-13T08:39:09.174Z","etag":null,"topics":["iam","oauth","oidc"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infratographer.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-12-12T21:43:56.000Z","updated_at":"2025-11-17T15:25:57.000Z","dependencies_parsed_at":"2023-10-10T22:46:32.920Z","dependency_job_id":"29130410-6f76-467a-9b4f-42592fee2a84","html_url":"https://github.com/infratographer/identity-api","commit_stats":null,"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"purl":"pkg:github/infratographer/identity-api","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infratographer%2Fidentity-api","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infratographer%2Fidentity-api/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infratographer%2Fidentity-api/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infratographer%2Fidentity-api/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infratographer","download_url":"https://codeload.github.com/infratographer/identity-api/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infratographer%2Fidentity-api/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28621568,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T23:49:58.628Z","status":"ssl_error","status_checked_at":"2026-01-20T23:47:29.996Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["iam","oauth","oidc"],"created_at":"2026-01-21T01:30:56.131Z","updated_at":"2026-01-21T01:30:56.278Z","avatar_url":"https://github.com/infratographer.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![logo](https://github.com/infratographer/website/blob/main/source/theme/assets/pictures/logo.jpg?raw=true)\n# identity-api\n\nidentity-api is an OAuth service that supports the following grant types:\n\n* Token Exchange: [RFC 8693][rfc8693]\n* Client Credentials: [RFC 6749][oauth2-client_credentials]\n\n[rfc8693]: https://www.rfc-editor.org/rfc/rfc8693.html\n[oauth2-client_credentials]: https://www.rfc-editor.org/rfc/rfc6749#section-4.4\n\n## Usage\n\nidentity-api is a Go service. To build it, you can either use `make build` to build a Go binary or `make up` to both build and start the service.\n\nThe `up` Makefile target will auto-generate a private key and mount it in the container for testing purposes. Note that this is not recommended for actual production use, and is merely a handy feature to allow developers to test.\n\n### Exchanging tokens\n\nTo perform a token exchange, [seed your database](#seeding-the-database-with-a-trusted-issuer) with a trusted issuer. Then, try running the following:\n\n```\n$ read -s -p 'Enter your token: ' AUTH_TOKEN \u0026\u0026 echo\n$ curl -XPOST -d \"grant_type=urn:ietf:params:oauth:grant-type:token-exchange\u0026subject_token=$AUTH_TOKEN\u0026subject_token_type=urn:ietf:params:oauth:token-type:jwt\" http://localhost:8000/token | jq\n```\n\nThis sends an RFC 8693 token exchange request to identity-api, which then will validate the given subject token against the configured subject token issuers. If the token is valid, you will receive a response like so (access token truncated for brevity):\n\n```\n{\n  \"access_token\": \"eyJ..VwM\",\n  \"expires_in\": 100,\n  \"token_type\": \"urn:ietf:params:oauth:token-type:jwt\"\n}\n```\n\nTo examine the payload of the access token JWT itself, you can use [jq][jq] to decode the payload:\n\n```\n$ echo \"$ACCESS_TOKEN\" | jq '.access_token | split(\".\") | .[1] | @base64d | fromjson'\n{\n  \"aud\": [],\n  \"client_id\": \"my-client\",\n  \"exp\": 1670354213,\n  \"iat\": 1670354113,\n  \"iss\": \"https://iam.infratographer.com/\",\n  \"jti\": \"e36322d3-414c-4da2-91a8-f19a6e9fb1d3\",\n  \"scp\": [],\n  \"sub\": \"my-user-id\"\n}\n```\n\n[jq]: https://stedolan.github.io/jq/\n\n### JWKS\n\nThe [JSON Web Key Set][jwks] (JWKS) used for signing identity-api JWTs is available at `/jwks.json`.\n\n[jwks]: https://www.rfc-editor.org/rfc/rfc7517.html#section-5\n\n### Configuration\n\nidentity-api requires a configuration file to run. An example can be found at `identity-api.example.yaml`.\n\nPrivate keys must be explicitly configured with a JWT signing algorithm, such as HS256 or RS256. Symmetric keys are loaded from key files as raw bytes. All asymmetric (i.e., RSA) signing keys must be encoded using [PKCS #8][pkcs8]. To generate an RSA private key for development, the following command should get you started:\n\n```\n$ openssl genpkey -out privkey.pem -algorithm RSA -pkeyopt rsa_keygen_bits:4096\n```\n\nUpdate the config file and/or Docker Compose volume mounts accordingly.\n\nIf the permissions config has been defined, the actor will need access to the following actions to make the corresponding api calls. See [Permissions-API][permissionsapi] for more details on updating your policy.\n\n* iam_issuer_create\n* iam_issuer_update\n* iam_issuer_delete\n* iam_issuer_get\n* iam_issuer_list\n* iam_oauthclient_create\n* iam_oauthclient_delete\n* iam_oauthclient_get\n* iam_oauthclient_list\n* iam_user_get\n\n[pkcs8]: https://en.wikipedia.org/wiki/PKCS_8\n[permissionsapi]: https://github.com/infratographer/permissions-api\n\n## Development\n\nidentity-api includes a [dev container][dev-container] for facilitating service development. Using the dev container is not required, but provides a consistent environment for all contributors as well as a few perks like:\n\n* [gopls][gopls] integration out of the box\n* Host SSH auth socket mount\n* Git support\n\nTo get started, you can use either [VS Code][vs-code] or the official [CLI][cli].\n\n[dev-container]: https://containers.dev/\n[gopls]: https://pkg.go.dev/golang.org/x/tools/gopls\n[vs-code]: https://code.visualstudio.com/docs/devcontainers/containers\n[cli]: https://github.com/devcontainers/cli\n\n### Seeding the database with a trusted issuer\n\nIn order to complete a token exchange, you will need to have an issuer configured in your database. An example seed exists in this repository and a tool exists for loading that data into the local database.\n\n```sh\ngo run main.go seed-database --config identity-api.example.yaml --data data.example.yaml\n```\n\n### Manually setting up SSH agent forwarding\n\nThe provided dev container listens for SSH connections on port 2222 and bind mounts `~/.ssh/authorized_keys` from the host to facilitate SSH. In order to perform Git operations (i.e., committing code in the container), you will need to enable SSH agent forwarding from your machine to the dev container. While VS Code handles this automatically, for other editors you will need to set this up manually.\n\nTo do so, update your `~/.ssh/config` to support agent forwarding. The following config snippet should accomplish this for you:\n\n```\nHost identity-api-devcontainer\n  ProxyJump YOUR_HOST_HERE\n  Port 2222\n  User vscode\n  ForwardAgent yes\n\nHost YOUR_HOST_HERE\n  User YOUR_USER_HERE\n  ForwardAgent yes\n```\n\nSee the man page for `ssh_config` for more information on what these options do.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfratographer%2Fidentity-api","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfratographer%2Fidentity-api","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfratographer%2Fidentity-api/lists"}