Home

Awesome

<!--lint disable awesome-heading--> <p align="center"> <a href="https://github.com/kdeldycke/awesome-iam#readme"> <img src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/awesome-iam-header.jpg" alt="Awesome IAM"> </a> </p> <p align="center"> <a href="https://github.com/kdeldycke/awesome-iam#readme" hreflang="en"><img src="https://img.shields.io/badge/lang-English-blue?style=flat-square" lang="en" alt="English"></a> <a href="https://github.com/kdeldycke/awesome-iam/blob/main/readme.zh.md" hreflang="zh"><img src="https://img.shields.io/badge/lang-中文-blue?style=flat-square" lang="zh" alt="中文"></a> </p> <p align="center"> <sup>This list is <a href="#sponsor-def">sponsored<sup id="sponsor-ref">[0]</sup></a> by:</sup><br> </p> <p align="center"> <a href="https://www.descope.com/?utm_source=awesome-iam&utm_medium=referral&utm_campaign=awesome-iam-oss-sponsorship"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-dark-background.svg"> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-light-background.svg"> <img width="300" src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-light-background.svg"> </picture> <br/> <strong>Drag and drop your auth.</strong><br/> Add authentication, user management, and authorization to your app with a few lines of code. </a> <br/><br/> </p> <p align="center"> <a href="https://www.cerbos.dev/?utm_campaign=brand_cerbos&utm_source=awesome_iam&utm_medium=github&utm_content=&utm_term="> <img width="600" src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/cerbos-banner.svg"> <br/> Build scalable, fine-grained authorization for your apps. <strong>Try Cerbos</strong>, an authorization management system for authoring, testing, and deploying access policies. </a> <br/><br/> </p> <!-- Comment this sponsorship call-to-action if there is a sponsor logo to increase its impact. --> <!-- <p align="center"> <a href="https://github.com/sponsors/kdeldycke"> <strong>Yᴏᴜʀ Iᴅᴇɴᴛɪᴛʏ & Aᴜᴛʜᴇɴᴛɪᴄᴀᴛɪᴏɴ Pʀᴏᴅᴜᴄᴛ ʜᴇʀᴇ!</strong> <br/> <sup>Add a link to your company or project here: back me up via a GitHub sponsorship.</sup> </a> <br/><br/> </p> -->
<p align="center"> <i>Trusting is hard. Knowing who to trust, even harder.</i><br> — Maria V. Snyder<sup id="intro-quote-ref"><a href="#intro-quote-def">[1]</a></sup> </p> <!--lint disable double-link-->

IAM stands for Identity and Access Management. It is a complex domain which covers user accounts, authentication, authorization, roles, permissions and privacy. It is an essential pillar of the cloud stack, where users, products and security meets. The other pillar being billing & payments 💰.

This curated Awesome list expose all the technologies, protocols and jargon of the domain in a comprehensive and actionable manner.

<!--lint enable double-link-->

Contents

<!-- mdformat-toc start --slug=github --no-anchors --maxlevel=6 --minlevel=2 --> <!-- mdformat-toc end -->

Overview

<img align="right" width="50%" src="./assets/cloud-software-stack-iam.jpg"/>

In a Stanford class providing an overview of cloud computing, the software architecture of the platform is described as in the right diagram →

Here we set out the big picture: definition and strategic importance of the domain, its place in the larger ecosystem, plus some critical features.

Security

Security is one of the most central pillar of IAM foundations. Here are some broad concepts.

Account Management

The foundation of IAM: the definition and life-cycle of users, groups, roles and permissions.

Cryptography

The whole authentication stack is based on cryptography primitives. This can't be overlooked.

Identifiers

Tokens, primary keys, UUIDs, … Whatever the end use, you'll have to generate these numbers with some randomness and uniqueness properties.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify”.

Authentication

Protocols and technologies to verify that you are who you pretend to be.

Password-based auth

The oldest scheme for auth.

Multi-factor auth

Building upon password-only auth, users are requested in these schemes to present two or more pieces of evidence (or factors).

SMS-based

TL;DR: don't. For details, see articles below.

Password-less auth

WebAuthn

Part of the FIDO2 project, and also known under the user-friendly name of passkeys.

Security key

Public-Key Infrastructure (PKI)

Certificate-based authentication.

JWT

JSON Web Token is a bearer's token.

Authorization

Now we know you are you. But are you allowed to do what you want to do?

Policy specification is the science, enforcement is the art.

Policy models

As a concept, access control policies can be designed to follow very different archetypes, from classic Access Control Lists to Role Based Access Control. In this section we explore lots of different patterns and architectures.

RBAC frameworks

Role-Based Access Control is the classical model to map users to permissions by the way of roles.

ABAC frameworks

Attribute-Based Access Control is an evolution of RBAC, in which roles are replaced by attributes, allowing the implementation of more complex policy-based access control.

ReBAC frameworks

The Relationship-Based Access Control model is a more flexible and powerful version of RBAC and is the preferred one for cloud systems.

AWS policy tools

Tools and resources exclusively targeting the AWS IAM policies ecosystem.

Macaroons

A clever curiosity to distribute and delegate authorization.

Other tools

OAuth2 & OpenID

OAuth 2.0 is a delegated authorization framework. OpenID Connect (OIDC) is an authentication layer on top of it.

The old OpenID is dead; the new OpenID Connect is very much not-dead.

SAML

Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication between services, like OAuth/OpenID protocols above.

Typical SAML identity provider is an institution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.

Secret Management

Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.

Hardware Security Module (HSM)

HSMs are physical devices guaranteeing security of secret management at the hardware level.

Trust & Safety

Once you've got a significant user base, it is called a community. You'll then be responsible to protect it: the customer, people, the company, the business, and facilitate all interactions and transactions happening therein.

A critical intermediation complex driven by a policy and constraint by local laws, the Trust & Safety department is likely embodied by a cross-functional team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extension of customer support services, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harassment, handling of warrants and copyright claims, data sequestration and other credit card disputes.

<!--lint disable double-link--> <!--lint enable double-link-->

User Identity

Most businesses do not collect customer's identity to create user profiles to sell to third party, no. But you still have to: local laws require to keep track of contract relationships under the large Know You Customer (KYC) banner.

Fraud

As an online service provider, you're exposed to fraud, crime and abuses. You'll be surprised by how much people gets clever when it comes to money. Expect any bug or discrepancies in your workflow to be exploited for financial gain.

Moderation

Any online communities, not only those related to gaming and social networks, requires their operator to invest a lot of resource and energy to moderate it.

Threat Intelligence

How to detect, unmask and classify offensive online activities. Most of the time these are monitored by security, networking and/or infrastructure engineering teams. Still, these are good resources for T&S and IAM people, who might be called upon for additional expertise for analysis and handling of threats.

Captcha

Another line of defense against spammers.

Blocklists

The first mechanical line of defense against abuses consist in plain and simple deny-listing. This is the low-hanging fruit of fraud fighting, but you'll be surprised how they're still effective.

Hostnames and Subdomains

Useful to identified clients, catch and block swarms of bots, and limit effects of dDOS.

Emails

Reserved IDs

Profanity

Privacy

As the guardian of user's data, the IAM stack is deeply bounded by the respect of privacy.

Anonymization

As a central repository of user data, the IAM stack stakeholders have to prevent any leakage of business and customer data. To allow for internal analytics, anonymization is required.

GDPR

The well-known European privacy framework

UX/UI

As stakeholder of the IAM stack, you're going to implement in the backend the majority of the primitives required to build-up the sign-up tunnel and user onboarding. This is the first impression customers will get from your product, and can't be overlooked: you'll have to carefully design it with front-end experts. Here is a couple of guides to help you polish that experience.

Competitive Analysis

Keep track on the activity of open-source projects and companies operating in the domain.

History

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

Footnotes

The header image is based on a modified photo by Ben Sweet.

<!--lint disable no-undefined-references-->

<a name="sponsor-def">[0]</a>: You can <a href="https://github.com/sponsors/kdeldycke">add your Identity & Authentication product in the list of sponsors via a GitHub sponsorship</a>. [↑]

<a name="intro-quote-def">[1]</a>: Poison Study (Mira, 2007). [↑]