
protojour/authly


Authly

Authly is a flexible Attribute-based Access Control (ABAC) Identity and Access Management (IAM) solution with minimalist Service Mesh control plane and data plane capabilities (see Security features).

Attributes can be used to model roles, resources, actions and other IAM concepts, and are configured through sequentially applied, declarative TOML documents (see examples/). Policies use these attributes through a simple DSL.
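The following is an added illustration of the ABAC model described above, not code from the Authly project: a small evaluator in which attributes (namespace:value pairs) model roles and resource properties, configuration documents are applied in sequence so that a later document overrides or extends an earlier one, and policies are boolean expressions over those attributes. The document shape and the expression syntax are hypothetical stand-ins for Authly's TOML schema and policy DSL, which this example does not reproduce; the documents are embedded as Python dicts rather than loaded from TOML so the script runs stand-alone. It also shows two properties a practitioner would want from such a compiler: referencing an undeclared attribute is a compile-time error, and authorization is default-deny for unknown policies, users or services.

```python
# Constructed documents; the shape is hypothetical and does not reproduce Authly's
# real TOML schema or policy DSL (in Authly these would be TOML files on disk).
DOCUMENTS = [
    {
        "attributes": {"role": ["reader", "admin"], "env": ["prod", "staging"]},
        "users": {"alice": ["role:reader"], "bob": ["role:admin"]},
        "services": {"api": ["env:prod"]},
        "policies": {
            "read_any": "subject has role:reader or subject has role:admin",
            "write_prod": "subject has role:admin and resource has env:prod",
        },
    },
    {   # applied second: declares a new attribute, promotes alice, tightens write_prod
        "attributes": {"flag": ["suspended"]},
        "users": {"alice": ["role:reader", "role:admin"]},
        "policies": {"write_prod": "subject has role:admin and resource has env:prod "
                                   "and not subject has flag:suspended"},
    },
]

class PolicyParser:
    """Recursive descent over whitespace tokens: 'or' binds loosest, then 'and', then 'not'."""
    def __init__(self, src):
        self.toks = src.split()
        self.pos = 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def parse(self):
        node = self.disjunction()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node
    def disjunction(self):
        node = self.conjunction()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.conjunction())
        return node
    def conjunction(self):
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.unary())
        if tok in ("subject", "resource") and self.take() == "has":
            attr = self.take()
            if attr is None or ":" not in attr:
                raise ValueError("expected ns:value after 'has'")
            return ("has", tok, attr)
        raise ValueError(f"unexpected token {tok!r}")

def referenced_attributes(node):
    if node[0] == "has":
        return {node[2]}
    return set().union(*(referenced_attributes(child) for child in node[1:]))

def apply_documents(docs):
    """Fold documents in order (a key in a later document replaces the earlier entry),
    then fail closed: any attribute that was never declared is a compile-time error."""
    state = {"attributes": set(), "users": {}, "services": {}, "policies": {}}
    for doc in docs:
        for ns, values in doc.get("attributes", {}).items():
            state["attributes"].update(f"{ns}:{v}" for v in values)
        for section in ("users", "services", "policies"):
            state[section].update(doc.get(section, {}))
    state["compiled"] = {n: PolicyParser(s).parse() for n, s in state["policies"].items()}
    used = {a for sec in ("users", "services") for attrs in state[sec].values() for a in attrs}
    for ast in state["compiled"].values():
        used |= referenced_attributes(ast)
    if used - state["attributes"]:
        raise ValueError(f"undeclared attributes: {sorted(used - state['attributes'])}")
    return state

def evaluate(node, subject, resource):
    op = node[0]
    if op == "has":
        return node[2] in (subject if node[1] == "subject" else resource)
    if op == "not":
        return not evaluate(node[1], subject, resource)
    left, right = (evaluate(c, subject, resource) for c in node[1:])
    return (left and right) if op == "and" else (left or right)

def authorize(state, policy, user, service):
    """Default deny: an unknown policy, user or service yields False."""
    ast = state["compiled"].get(policy)
    if ast is None:
        return False
    subject = set(state["users"].get(user, ()))
    resource = set(state["services"].get(service, ()))
    return evaluate(ast, subject, resource)
```

Applying only the first document leaves alice as a reader, so `authorize(apply_documents(DOCUMENTS[:1]), "write_prod", "alice", "api")` is False; after the second document she holds role:admin and the same call is True, while a later document that assigns her flag:suspended flips it back to False without touching the user entry for the role itself.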


Installation

Authly is available as a multi-arch (amd64/arm64) Docker image:

docker run ghcr.io/protojour/authly:pre-alpha

It uses an embedded database and can run independently, in principle. However, it is not intended to run directly exposed to the internet, and should have access to a secrets store. Refer to Quickstart for more complete examples.

Quickstart

Examples should be run using our justfile tasks. Refer to the just documentation for how to install it.

Kubernetes example (recommended)

An example Kubernetes deployment is available in testfiles/k8s. It includes the Authly-compatible Arx gateway, OpenBao for Authly's main encryption key, and the routing and setup needed for Authly to provision an example service with mTLS; Authly's core identity is kept in Kubernetes Secrets.

just k8s-demo-deploy

(depends on cross, k3d, kubectl and helm)

Docker example

A minimal docker compose development example is available in testfiles/docker/docker-compose.yml.

just docker-test-deploy

Security features

The Authly server relies on mTLS for service client authentication, and can provision such services with client certificates from a (mesh-local or global) Certificate Authority, either manually (CLI commands), through a native Rust client, through its language bindings (TBA), or a minimalist sidecar proxy (TBA).

It uses an embedded hiqlite database with envelope-encrypted user data for encryption-at-rest. The master encryption key must be kept in a secure store outside the database (the Kubernetes example uses OpenBao for this).
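To make the envelope-encryption point concrete, here is an added, self-contained example; it is not Authly's code and makes no claim about how hiqlite or Authly lay out their records. Each record is encrypted under its own data encryption key (DEK), and only the DEK is wrapped by the master key (KEK) that lives in the secrets store, so rotating the master key rewraps the small DEKs and never rewrites the bulk ciphertext. The record id is bound as associated data, so a wrapped DEK or ciphertext cannot be moved from one record to another. The cipher is a toy construction (HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, with separate derived subkeys) used only because the Python standard library has no AEAD; a real deployment would use AES-GCM or ChaCha20-Poly1305 in its place.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    # Separate keystream and MAC keys derived from the one input key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a toy PRF stream standing in for a real AEAD.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; the tag covers the associated data, nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; any mismatch raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class EnvelopeStore:
    """Each record gets its own DEK; only the DEK is wrapped by the master key (KEK)."""
    def __init__(self, master_key):
        self.master_key = master_key  # in a deployment this comes from the secrets store
        self.records = {}             # record_id -> (wrapped_dek, ciphertext); constructed in-memory store

    def put(self, record_id, plaintext):
        aad = record_id.encode()      # binds both blobs to this record id
        dek = secrets.token_bytes(32)
        self.records[record_id] = (seal(self.master_key, dek, aad), seal(dek, plaintext, aad))

    def get(self, record_id):
        aad = record_id.encode()
        wrapped, ct = self.records[record_id]
        return unseal(unseal(self.master_key, wrapped, aad), ct, aad)

    def rotate_master_key(self, new_master_key):
        """Rewrap every DEK under the new KEK; the bulk ciphertext is left untouched."""
        for rid, (wrapped, ct) in self.records.items():
            dek = unseal(self.master_key, wrapped, rid.encode())
            self.records[rid] = (seal(new_master_key, dek, rid.encode()), ct)
        self.master_key = new_master_key
```

The design choice worth noting is the split between the master key and per-record DEKs: the master key is only ever used to wrap 32-byte keys, which keeps it cheap to rotate and keeps the database itself useless without the secrets store.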

Authly is not yet audited. We invite anyone to examine or critique its security model, and report any vulnerabilities.

Feature roadmap

Authly is pre-alpha software, currently with a minimal feature set, but several high-level features are planned:

  • Attribute-based data model
  • Policy DSL
  • High-availability cluster mode
  • Database encryption-at-rest
  • mTLS provisioning for services
  • Kubernetes example setup
  • Docker example setup
  • Minimal login UI
  • Federation and authority/mandate relations
  • OAuth 2.0 + OpenID Connect support
  • authly-client language bindings
  • authly-client standalone sidecar proxy
  • Detailed documentation
  • User registration and recovery
  • SMTP email support
  • OATH TOTP support for authenticator apps
  • OATH HOTP support for recovery codes

Documentation

Documentation can be built using mdbook:

# serve documentation with hot reloading
mdbook serve docs

# build HTML documentation
mdbook build docs

License

Authly is licensed under the GNU Affero General Public License v3.0 (AGPLv3). Contact us for commercial licensing options.