{"id":18303886,"url":"https://github.com/theopenlane/iam","last_synced_at":"2026-05-22T23:05:18.320Z","repository":{"id":254932208,"uuid":"847383726","full_name":"theopenlane/iam","owner":"theopenlane","description":"identity and access management tooling and wrappers + helpers","archived":false,"fork":false,"pushed_at":"2026-03-26T17:27:41.000Z","size":1424,"stargazers_count":16,"open_issues_count":8,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-27T07:22:43.850Z","etag":null,"topics":["authentication","authorization","fine-grained-authorization","go","go-library","golang","hacktoberfest","hacktoberfest-2025","openfga","sessions"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theopenlane.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-08-25T17:09:20.000Z","updated_at":"2026-03-25T14:17:00.000Z","dependencies_parsed_at":"2024-10-25T17:27:16.618Z","dependency_job_id":"b898e0b9-e05e-4815-8f9a-7add557eab73","html_url":"https://github.com/theopenlane/iam","commit_stats":null,"previous_names":["theopenlane/iam"],"tags_count":113,"template":false,"template_full_name":null,"purl":"pkg:github/theopenlane/iam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theopenlane%2Fiam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theopenlane%2Fiam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theopenlane%2Fiam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theopenlane%2Fiam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/theopenlane","download_url":"https://codeload.github.com/theopenlane/iam/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theopenlane%2Fiam/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290814,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","fine-grained-authorization","go","go-library","golang","hacktoberfest","hacktoberfest-2025","openfga","sessions"],"created_at":"2024-11-05T15:27:13.319Z","updated_at":"2026-04-01T18:19:54.653Z","avatar_url":"https://github.com/theopenlane.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build status](https://badge.buildkite.com/3346f9d3732a143a78c4da3eb9dcb8f4e9616a64bebd0cbfbd.svg)](https://buildkite.com/theopenlane/iam?branch=main)\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=theopenlane_iam\u0026metric=alert_status)](https://sonarcloud.io/summary/new_code?id=theopenlane_iam)\n[![Go Report Card](https://goreportcard.com/badge/github.com/theopenlane/iam)](https://goreportcard.com/report/github.com/theopenlane/iam)\n[![Go Reference](https://pkg.go.dev/badge/github.com/theopenlane/iam.svg)](https://pkg.go.dev/github.com/theopenlane/iam)\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0)\n\n# Identity and Access Management (IAM)\n\nThis repository contains the `iam` libraries, which is a collection of packages that control the authentication and authorization of users and services within Openlane. The repo is laid out at a high level containing:\n\n- auth: primarily context interactions type definitions\n- fgax: wrapper to interact with the [OpenFGA go-sdk](https://github.com/openfga/go-sdk) and client libraries\n- entfga: an [ent extension](https://entgo.io/docs/extensions/) to create relationship tuples using [ent Hooks](https://entgo.io/docs/hooks/)\n- providers: third party authentication flow(s); today github, google, oauth2 are supported with webauthn and oidc in-progress\n- sessions: interfaces for managing user sessions with support for Redis as the session store\n- tokens: tokenmanager which can create and validate tokens of various types, e.g. refresh tokens, access tokens, url tokens, etc.\n- totp: second factor authentication library for generating unique, temporary passcodes\n\n### Token Signing (EdDSA)\n\nThe `tokens` package now issues and validates JWTs using Ed25519 (`EdDSA`). A few highlights:\n\n- PEM files referenced in `tokens.Config.Keys` must contain Ed25519 key material encoded as PKCS#8 (`PRIVATE KEY`) with an accompanying `PUBLIC KEY` block.\n- JWKS responses advertise `alg=EdDSA`/`kty=OKP` entries and will interoperate with lestrrat-go/jwx compatible consumers.\n- The `TokenManager` exposes `AddSigningKey`/`NewWithKey` that accept generic `crypto.Signer` implementations; callers need to pass Ed25519 signers and handle returned errors. `CurrentKeyID()` surfaces the active key identifier even when it is not a ULID.\n- The README within `tokens` documents usage in more detail, including signer helper functions.\n\n## Install\n\nYou can install `iam` by running the following command:\n\n```shell\ngo get github.com/theopenlane/iam@latest\n```\n\n## Usage\n\nThe goal of separating out the code that lives within this repo from the `core` repo is to make the authentication and authorization constructs re-usable across repositories / projects. Given that, `core` itself is a large consumer of the IAM repo and thus has many practical [implementation](https://github.com/theopenlane/core/blob/main/internal/httpserve/authmanager/authmanager.go) examples. You can see instantiation of many of these libraries within `serveropts` and `authmanager`.\n\n###  Providers\n\nYou can see practical examples with basic web interface setups within the `core` repository [here](https://github.com/theopenlane/core/tree/main/pkg/testutils)\n\n### JWT Scopes\n\nJWT claims can support per-object scopes. When integrating with [core](https://github.com/theopenlane/core) the scopes can be added in `authmanager` when creating the token pair.\n\n```go\nfunc createClaimsWithOrgScopes(userID, orgID string) *tokens.Claims {\n\treturn \u0026tokens.Claims{\n\t\tRegisteredClaims: jwt.RegisteredClaims{\n\t\t\tSubject: userID,\n\t\t},\n\t\tUserID: userID,\n\t\tOrgID:  orgID,\n\t\tScopes: tokens.PermissionScopes{\n\t\t\tRead:  []string{\"programs\", \"controls\"},\n\t\t\tWrite: []string{\"tasks\"},\n\t\t},\n\t}\n}\n```\n\nSee [tokens/_examples/claims_scopes.go](tokens/_examples/authmanager/claims_scopes.go)\nfor a minimal example\n\n## IAM/FGAX\n\nThis package includes helper functions used heavily in [Openlane Core](https://github.com/theopenlane/core/).\n\nFor example, you can easily check for `Read` access of an organization using\n\n```go\n\t// create client\n\tfgaClient, err := fgax.Client(\"https://fga-host.example.com\")\n\tif err != nil {\n\t\treturn false\n\t}\n\n\t// create access check\n\treq := fgax.AccessCheck{\n\t\tSubjectID:   \"user-id\",\n\t\tSubjectType: \"user\",\n\t\tObjectID:    \"organization-id\",\n\t}\n\n\tallow, err := fgaClient.CheckOrgReadAccess(ctx, req)\n\tif err != nil {\n\t\treturn false\n\t}\n```\n\n## EntFGA\n\nSee the [README](./entfga/README.md) for details\n\n## Contributing\n\nPlease read the [contributing](.github/CONTRIBUTING.md) guide.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheopenlane%2Fiam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftheopenlane%2Fiam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheopenlane%2Fiam/lists"}