An ongoing & curated collection of awesome AuthN+Z software, software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Authentication & Authorization & SSO & IAM in Cybersecurity

Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources

Authentication (aka AuthN) and authorization (aka AuthZ) are both security measures. Authentication is the process of verifying who you are. Authorization is the process of verifying that you have access to something. Authorization occurs after successful authentication.

Access priviledges granted to a user, program, or process or the act of granting those privileges.

• Authentication

  • SSO
  • OAuth
  • SAML
  • Two-factor authentication
  • Passwordless authentication

• Authentication Development

  • C#
  • Golang
  • Java
  • Node.js
  • Python
  • Ruby

• Authorization

• Authorization Development

  • Android
  • C#
  • Golang
  • Rust
  • iOS
  • Java
  • Node.js
  • PHP
  • Python
  • Ruby

• Articles

• Identity & Access Management

• Tools

• Other Aggregators

• Cloud Solutions

• Contribute

• License

^ back to top ^

• Casdoor - UI-first centralized authentication / Single-Sign-On (SSO) platform supporting OAuth 2.0 / OIDC and SAML.
• Keycloak - Open Source Identity and Access Management.
• Authelia - The Single Sign-On Multi-Factor portal for web apps.
• ZITADEL - Cloud-native Identity & Access Management platform for secure authentication, authorization and identity management.
• Single sign-on - wiki page about SSO

• Central Authentication Service (CAS) - Open Source Enterprise Single Sign On
• Okta - Identity and Access Management as a service; provides broad integrations
• Auth0 - Identity and Access Management as a service
• Cloud-IAM - Keycloak IAM as a Service
• LoginRadius - Identity and Access Management as a service
• FusionAuth - Identity and Access Management, either a service or self-hosted
• PAC4J - The security library for Java
• buzzfeed/sso - A single sign-on solution for securing internal services (Go based)
• cidaas - Cloud Identity & Access Management (Identity and Access Management as a service)

• RFC6749 - RFC with OAuth2 definition
• Spring Security OAuth - OAuth implementation for Spring
• OAuth server for PHP - OAuth server for PHP
• ORY Hydra - Go based OAuth and OIDC server
• JSON Web Tokens - All you need to know about JWT
• OAuth+JWT in microservices - Good video on how to use tokens in microservices
• OpenID Connect - Identity layer on top of OAuth
• oauth2-proxy - A reverse proxy that provides authentication with Google, Github or other providers.

• SAML - Security Assertion Markup Language wiki page
• Spring Security SAML - SAML implementation for Spring
• SAMLTest SAML Testing service

• U2F and UAF spec - 2FA specifications
• Two Factor Auth - List of websites with 2FA info

• MojoAuth - Email and WebAuthN Authentication
• Sawolabs - Authentication without OTPs and Passwords
• ^ back to top ^

• Xamarin.Auth - Helps developers authenticate users via standard authentication mechanisms (e.g. OAuth 1.0 and 2.0), and store user credentials.
• Kentor Authentication Services - Saml2 authentication services for ASP.NET.
• SimpleAuthentication - ASP.NET library that makes it really easy and simple for developers to add social authentication to an ASP.NET application.
• OwinOAuthProviders - OAuth providers for Owin.
• AspNet.Security.OAuth.Providers - OAuth2 social authentication providers for ASP.NET Core.
• IdentityServer4 - OpenID Connect & OAuth 2.0 framework for ASP.NET Core.

• Casdoor - UI-first centralized authentication / Single-Sign-On (SSO) platform supporting OAuth 2.0 / OIDC and SAML.
• OIDC - OpenID Connect Library (client and server) for Go
• Ory Hydra - OpenID Connect certified OAuth2 server.
• Ory Kratos - API-first Identity and User Management system built for cloud applications.
• Ory Oathkeeper - Identity/Access proxy inspired by the BeyondCorp/Zero-Trust white paper.
• Ory Fosite - Extensible OAuth 2.0 and OpenID Connect SDK for Golang.
• ZITADEL - Cloud-native Identity & Access Management platform for secure authentication, authorization and identity management.

• Apache Shiro - Powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
• pac4j - Security engine for Java (authentication, authorization, multi frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT.
• Spring Security OAuth - Provides support for using Spring Security with OAuth (1a) and OAuth2.

• Passport - Simple, unobtrusive authentication for Node.js. A comprehensive set of strategies support authentication using a username and password, Facebook, Twitter, and more.
• bell - Third-party authentication plugin for hapi. Ships with built-in support for various well-known sites and simple configuration object will support other OAuth 1.0a and OAuth 2.0 sites.

• Keystone - Provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.
• Authomatic - Simple yet powerful authorization & authentication client library for Python web applications.
• Python Social Auth - Easy to setup social authentication/registration mechanism with support for several frameworks and auth providers.
• Raider - Web authentication testing framework, which treats the authentication process as finite state machines.

• Authlogic - Clean, simple, and unobtrusive Ruby authentication solution.
• ^ back to top ^

• Role-based access control - wiki page about RBAC
• XACML - XML-based access control markup language
• angular-permissions authorization for AngularJS

^ back to top ^

• AndPermission - Android runtime permission, support the right to apply for permission at any place.

• Casbin.NET - Authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#).
• DotNetOpenAuth - Implementation of the OpenID, OAuth protocols.
• AuthorizationServer - Sample implementation of an OAuth2 authorization server.

• [Aserto] (https://www.aserto.com) - Fine-grained access controls for cloud-native applications (based on Go). Support role, attribute, and relationship-based access controls.
• Casbin - Authorization library that supports access control models like ACL, RBAC, ABAC in Golang.
• goRBAC - Lightweight role-based access control implementation in Go.
• Ladon - SDK for access control policies: authorization for the microservice and IoT age.
• Foulkon - Authorization server that allows or denies access to web resources.
• Gocialite - Social OAuth login in Go with multiple providers has never been so easy.
• OIDC - OpenID Connect Library (client and server) for Go
• Ory Keto - Access control server capable of solving complex use cases (multi-tenant, attribute-based access control, etc.) with access control policies.
• Oso - Batteries-included framework for building authorization in your Go application.
• ZITADEL - Cloud-native Identity & Access Management platform for secure authentication, authorization and identity management.

• Casbin-Rs - Authorization library that supports access control models like ACL, RBAC, ABAC in Rust.
• Oso - Batteries-included framework for building authorization in your Rust application.

• Permission - Unified API to ask for permissions on iOS.

• jCasbin - Authorization library that supports access control models like ACL, RBAC, ABAC in Java.
• Apache Shiro - Powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
• pac4j - Security engine for Java (authentication, authorization, multi-frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT.
• AT&T XACML - XACML 3.0 implementation from AT&T.
• Apache Sentry - Highly modular system for providing fine grained role based authorization to both data and metadata stored on an Apache Hadoop cluster.
• TOTP Server-Side Library - TOTP server-side library.
• Oso - Batteries-included framework for building authorization in your Java application.

• Node-Casbin - Authorization library that supports access control models like ACL, RBAC, ABAC in Node.js.
• RBAC - Hierarchical role-based access control for Node.js.
• ABAC - Attribute-based access control for Node.js.
• accesscontrol - Role and attribute-based access control for Node.js.
• Oso - Batteries-included framework for building authorization in your Node.js application.

• PHP-Casbin - Authorization library that supports access control models like ACL, RBAC, ABAC in PHP.
• PHP-RBAC - Authorization library for PHP which provides developers with NIST Level 2 hierarchical role-based access control.
• ezRbac - Simple yet easy to implement role-based access control library for popular PHP framework: Codeigniter.
• php-abac - Attribute-based access control library.
• laravel-permission - Allows you to manage user permissions and roles in a database.
• logical-permissions-php - This is a generic library that provides support for array-based permissions with logic gates such as AND and OR.
• symfony-logical-authorization-bundle - This Symfony bundle provides a unifying solution for authorization that aims to be flexible, convenient and consistent.

• PyCasbin - Authorization library that supports access control models like ACL, RBAC, ABAC in Python.
• Simple RBAC - Simple role-based access control utility for Python.
• Flask-RBAC - Adds RBAC support to Flask.
• Vakt - Attribute-based access control (ABAC) SDK for Python.
• Oso - Batteries-included framework for building authorization in your Python application.

• Oso - Batteries-included framework for building authorization in your Ruby application.
• Pundit - Minimal authorization through OO design and pure Ruby classes.
• Casbin - Authorization library that supports access control models like ACL, RBAC, ABAC in Ruby.
• CanCanCan - Authorization for Ruby on Rails.
• ^ back to top ^

• Modeling Authorization with PERM in Casbin
• Basic Role-Based HTTP Authorization in Go with Casbin
• Policy enforcements on Kubernetes with Banzai Cloud's Pipeline and Casbin
• Organizational RBAC in Argo CD with Casbin
• Authorization Academy: A series of technical guides for building application authorization
• Why Authorization is Hard

^ back to top ^

• Keycloak - Open Source Identity and Access Management
• IdentityServer - .NET based IAM server
• ORY - Open Source Identity Infrastructure and Services (Go based)
• casbin - Go authorization library
• OpenAM - (discontinued), successor of OpenSSO
• WSO2 Identity Server - also has SSO, authZ, ...

^ back to top ^

• Step CLI - A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
• JWT DEBUGGER - A simple JWT decoder tool, that can help to verify the JWT and with the help of signature.

• awesome-keycloak - A curated list of Keycloak related resources
• casbin/awesome-auth - other auth list
• OAuth code libraries
• OIDC code libraries

^ back to top ^

• AWS IAM - Identity and Access Management for AWS
• AWS SSO - Centrally manage single sign-on (SSO) access to multiple AWS accounts
• Amazon Cognito - SSO for business applications
• AWS Directory Service - AD in the AWS Cloud
• AWS STS - AWS Security Token Service for temporary IAM tokens

• Identity and authentication, the Google Cloud way - Overview of Google approach to identity and access management

• Microsoft identity platform - Evolution of the Azure Active Directory

^ back to top ^

PR is welcomed.

^ back to top ^

MIT License & cc license

This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.

^ back to top ^