This repository contains the iam libraries, a collection of packages that control the authentication and authorization of users and services within Openlane. At a high level the repo contains:
- auth: primarily type definitions for context interactions
- fgax: wrapper to interact with the OpenFGA go-sdk and client libraries
- entfga: an ent extension to create relationship tuples using ent Hooks
- providers: third-party authentication flows; GitHub, Google and OAuth2 are supported today, with WebAuthn and OIDC in progress
- sessions: interfaces for managing user sessions, with support for Redis as the session store
- tokens: a tokenmanager that can create and validate tokens of various types, e.g. refresh tokens, access tokens, URL tokens, etc.
- totp: second-factor authentication library for generating unique, temporary passcodes
You can install iam by running the following command:

```shell
go get github.com/theopenlane/iam@latest
```
The goal of separating the code that lives in this repo from the core repo is to make the authentication and authorization constructs reusable across repositories and projects. Given that, core itself is a large consumer of the iam repo and thus has many practical implementation examples. You can see many of these libraries instantiated within serveropts and authmanager.

You can also find practical examples with basic web interface setups within the core repository.
The fgax package includes helper functions used heavily in Openlane Core. For example, you can check for Read access to an organization using:
```go
import (
	"context"

	"github.com/theopenlane/iam/fgax"
)

// canReadOrg reports whether the subject may read the organization.
// Any client or check error is treated as a denial (fail closed).
func canReadOrg(ctx context.Context) bool {
	// create client
	fgaClient, err := fgax.Client("https://fga-host.example.com")
	if err != nil {
		return false
	}
	// create access check
	req := fgax.AccessCheck{
		SubjectID:   "user-id",
		SubjectType: "user",
		ObjectID:    "organization-id",
	}
	allow, err := fgaClient.CheckOrgReadAccess(ctx, req)
	if err != nil {
		return false
	}
	return allow
}
```
See the package README for details.
Please read the contributing guide.