https://github.com/theopenlane/iam
identity and access management tooling and wrappers + helpers
authentication authorization fine-grained-authorization go go-library golang hacktoberfest hacktoberfest-2025 openfga sessions
- Host: GitHub
- URL: https://github.com/theopenlane/iam
- Owner: theopenlane
- License: apache-2.0
- Created: 2024-08-25T17:09:20.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-01-25T05:35:41.000Z (18 days ago)
- Last Synced: 2026-01-25T07:57:35.185Z (18 days ago)
- Topics: authentication, authorization, fine-grained-authorization, go, go-library, golang, hacktoberfest, hacktoberfest-2025, openfga, sessions
- Language: Go
- Homepage:
- Size: 1.21 MB
- Stars: 14
- Watchers: 1
- Forks: 2
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
[Buildkite build](https://buildkite.com/theopenlane/iam?branch=main) · [SonarCloud](https://sonarcloud.io/summary/new_code?id=theopenlane_iam) · [Go Report Card](https://goreportcard.com/report/github.com/theopenlane/iam) · [Go Reference](https://pkg.go.dev/github.com/theopenlane/iam) · [License: Apache-2.0](https://opensource.org/licenses/Apache-2.0)
# Identity and Access Management (IAM)
This repository contains the `iam` libraries, a collection of packages that control the authentication and authorization of users and services within Openlane. At a high level the repo contains:
- auth: primarily type definitions used for context interactions
- fgax: wrapper to interact with the [OpenFGA go-sdk](https://github.com/openfga/go-sdk) and client libraries
- entfga: an [ent extension](https://entgo.io/docs/extensions/) to create relationship tuples using [ent Hooks](https://entgo.io/docs/hooks/)
- providers: third-party authentication flow(s); today github, google and oauth2 are supported, with webauthn and oidc in progress
- sessions: interfaces for managing user sessions, with support for Redis as the session store
- tokens: the `TokenManager`, which can create and validate tokens of various types (refresh tokens, access tokens, URL tokens, etc.)
- totp: second-factor authentication library for generating unique, temporary passcodes
### Token Signing (EdDSA)
The `tokens` package now issues and validates JWTs using Ed25519 (`EdDSA`). A few highlights:
- PEM files referenced in `tokens.Config.Keys` must contain Ed25519 key material encoded as PKCS#8 (`PRIVATE KEY`) with an accompanying `PUBLIC KEY` block.
- JWKS responses advertise `alg=EdDSA`/`kty=OKP` entries and interoperate with lestrrat-go/jwx-compatible consumers.
- The `TokenManager` exposes `AddSigningKey`/`NewWithKey`, which accept generic `crypto.Signer` implementations; callers need to pass Ed25519 signers and handle the returned errors. `CurrentKeyID()` surfaces the active key identifier even when it is not a ULID.
- The README within `tokens` documents usage in more detail, including the signer helper functions.
## Install
You can install `iam` by running the following command:
```shell
go get github.com/theopenlane/iam@latest
```
## Usage
The goal of separating the code in this repo from the `core` repo is to make the authentication and authorization constructs reusable across repositories and projects. Given that, `core` itself is a large consumer of the IAM repo and thus has many practical [implementation](https://github.com/theopenlane/core/blob/main/internal/httpserve/authmanager/authmanager.go) examples. You can see instantiation of many of these libraries within `serveropts` and `authmanager`.
### Providers
You can see practical examples with basic web interface setups within the `core` repository [here](https://github.com/theopenlane/core/tree/main/pkg/testutils).
### JWT Scopes
JWT claims can support per-object scopes. When integrating with [core](https://github.com/theopenlane/core) the scopes can be added in `authmanager` when creating the token pair.
```go
func createClaimsWithOrgScopes(userID, orgID string) *tokens.Claims {
	return &tokens.Claims{
		RegisteredClaims: jwt.RegisteredClaims{
			Subject: userID,
		},
		UserID: userID,
		OrgID:  orgID,
		Scopes: tokens.PermissionScopes{
			Read:  []string{"programs", "controls"},
			Write: []string{"tasks"},
		},
	}
}
```
See [tokens/_examples/claims_scopes.go](tokens/_examples/authmanager/claims_scopes.go) for a minimal example.
## IAM/FGAX
This package includes helper functions used heavily in [Openlane Core](https://github.com/theopenlane/core/).
For example, you can check `Read` access to an organization with:
```go
import (
	"context"

	"github.com/theopenlane/iam/fgax"
)

// canReadOrg reports whether the subject may read the organization; the
// function wrapper is illustrative, the body is the README's snippet.
func canReadOrg(ctx context.Context) bool {
	// create client
	fgaClient, err := fgax.Client("https://fga-host.example.com")
	if err != nil {
		return false
	}

	// create access check
	req := fgax.AccessCheck{
		SubjectID:   "user-id",
		SubjectType: "user",
		ObjectID:    "organization-id",
	}

	allow, err := fgaClient.CheckOrgReadAccess(ctx, req)
	if err != nil {
		return false
	}

	return allow
}
```
## EntFGA
See the [README](./entfga/README.md) for details
## Contributing
Please read the [contributing](.github/CONTRIBUTING.md) guide.