Access control systems and authorization frameworks for managing user permissions, role-based access, and policy enforcement across applications and infrastructure.
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code through a configuration-driven approach: the access control model (Casbin's PERM layout of request and policy definitions, role links, a policy effect and a matcher expression) lives in one file and the policy rules in another, so either can change without touching the code that calls the enforcer. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine whether a subject is permitted to perform an action on a resource. The project distinguishes itself through a highly modular architecture that includes adapter-based storage abstraction, enabling the engine to load and persist policies in various backends. It supports complex, context-aware policy evaluation by allowing developers to register custom functions for domain-specific matching and validation. Furthermore, the engine handles hierarchical role resolution and provides policy-effect settings that aggregate the outcomes of all matched rules, such as allow-override or deny-override, to resolve conflicting permissions. The platform covers a broad capability surface, including middleware integration for web frameworks, API gateways, and service mesh architectures. It offers tooling for policy administration, observability, and performance optimization, such as caching of enforcement results. The system also supports multi-tenancy through domain-aware authorization and provides programmatic interfaces for automating policy updates and lifecycle management. The library is designed for integration into existing stacks, offering middleware components and a watcher mechanism for distributed deployments so that policy changes propagate to every service instance.
A dedicated authorization library that provides a model-based engine for enforcing access control policies.
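Added worked example (not Casbin's own code): a hand-written miniature of the model/policy split described above. The evaluator mirrors the layout of a Casbin model.conf and policy.csv, with a request of (sub, dom, obj, act), domain-scoped role links, a keyMatch-style object pattern and the three standard policy effects, so the interplay of role inheritance, tenant isolation and allow/deny aggregation can be traced by hand. The tenants, roles, paths and policy rows are constructed sample data.

```python
# Added illustration, not Casbin's code. The request/policy/role/effect/
# matcher pieces mirror the layout of a Casbin model.conf (its PERM
# sections) and the rows mirror a policy.csv, but the evaluator below is
# hand-written and simplified.
from __future__ import annotations

from collections import defaultdict


def key_match(key1: str, key2: str) -> bool:
    """Simplified keyMatch-style pattern: '*' in the pattern matches any suffix.
    '/docs/*' matches '/docs/1' and '/docs/secret'; '/docs/1' only matches itself."""
    star = key2.find("*")
    if star == -1:
        return key1 == key2
    return key1[:star] == key2[:star]


# policy_effect section: how the eft values of all matched rules are combined.
POLICY_EFFECTS = {
    "allow-override": lambda efts: "allow" in efts,                         # some(where p.eft == allow)
    "deny-override": lambda efts: "deny" not in efts,                       # !some(where p.eft == deny)
    "allow-and-deny": lambda efts: "allow" in efts and "deny" not in efts,  # both conditions
}


class Enforcer:
    """request_definition: r = sub, dom, obj, act
    policy_definition:  p = sub, dom, obj, act, eft
    role_definition:    g = _, _, _   (member, role, domain)
    matchers:           g(r.sub, p.sub, r.dom) && r.dom == p.dom
                        && keyMatch(r.obj, p.obj) && r.act == p.act"""

    def __init__(self, effect: str = "allow-and-deny") -> None:
        if effect not in POLICY_EFFECTS:
            raise ValueError(f"unknown policy effect {effect!r}")
        self.effect = effect
        self.policies: list[tuple[str, str, str, str, str]] = []
        # (member, domain) -> roles granted directly in that domain. Scoping the
        # link by domain is what makes this multi-tenant: a role held in tenant1
        # says nothing about tenant2.
        self.links: dict[tuple[str, str], set[str]] = defaultdict(set)

    def add_policy(self, sub: str, dom: str, obj: str, act: str, eft: str = "allow") -> None:
        self.policies.append((sub, dom, obj, act, eft))

    def add_role(self, member: str, role: str, dom: str) -> None:
        self.links[(member, dom)].add(role)

    def has_role(self, sub: str, role: str, dom: str) -> bool:
        """g(sub, role, dom): true when sub == role or sub reaches role through
        the domain's role graph (hierarchical resolution, cycle-safe)."""
        seen: set[str] = set()
        stack = [sub]
        while stack:
            cur = stack.pop()
            if cur == role:
                return True
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(self.links.get((cur, dom), ()))
        return False

    def enforce(self, sub: str, dom: str, obj: str, act: str) -> bool:
        # Collect the eft of every rule the matcher accepts, then apply the effect.
        matched = [
            p_eft
            for p_sub, p_dom, p_obj, p_act, p_eft in self.policies
            if dom == p_dom
            and self.has_role(sub, p_sub, dom)
            and key_match(obj, p_obj)
            and act == p_act
        ]
        return POLICY_EFFECTS[self.effect](matched)


def build_example(effect: str = "allow-and-deny") -> Enforcer:
    """Constructed sample data: two tenants and a role hierarchy in tenant1."""
    e = Enforcer(effect)
    # p rows: sub, dom, obj, act, eft
    e.add_policy("editor", "tenant1", "/docs/*", "read")
    e.add_policy("admin", "tenant1", "/docs/*", "write")
    e.add_policy("editor", "tenant1", "/docs/secret", "read", eft="deny")
    e.add_policy("editor", "tenant2", "/docs/*", "read")
    # g rows: member, role, domain
    e.add_role("alice", "admin", "tenant1")
    e.add_role("admin", "editor", "tenant1")  # admin inherits everything editor can do
    e.add_role("bob", "editor", "tenant2")
    return e


if __name__ == "__main__":
    e = build_example()
    for req in [("alice", "tenant1", "/docs/1", "read"),
                ("alice", "tenant1", "/docs/secret", "read"),
                ("alice", "tenant1", "/docs/secret", "write"),
                ("bob", "tenant1", "/docs/1", "read"),
                ("bob", "tenant2", "/docs/1", "read")]:
        print(req, "->", e.enforce(*req))
```

Two things worth noticing when choosing a policy effect: alice inherits editor's deny on /docs/secret through the admin role, so the same request flips between denied (allow-and-deny) and permitted (allow-override); and deny-override is default-allow, so a request that matches no rule at all passes, which is rarely what a service wants once deny rules are in play.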
Authentik is a centralized identity and access management platform designed to serve as a unified authentication authority. It enables enterprise single sign-on across diverse applications and services, providing a cloud-native identity provider that manages user sessions from a single location and speaks the standard protocols (OAuth2/OIDC, SAML, LDAP and RADIUS). The platform distinguishes itself through a policy-driven flow engine and a visual orchestration interface. This allows administrators to design complex, custom authentication workflows by chaining modular verification stages and conditional logic. These workflows can be further refined with granular access policies that evaluate user attributes and environmental conditions, ensuring that security requirements are met through flexible, logic-based rules rather than static configurations. Beyond core authentication, the system supports infrastructure-wide automation through declarative blueprints and container-based deployment models. It includes comprehensive tools for user account management, background task scheduling, and system monitoring, all accessible via a centralized administrative dashboard. The platform is designed for high availability and scalability, allowing for integration with external databases and various cloud-native environments. The software is distributed as a containerized service, installed with Docker Compose or a Helm chart for Kubernetes, with configuration templates for both.
A centralized identity and access management platform that serves as a unified authorization and authentication authority.
Kanidm is a centralized identity management server designed to handle authentication, authorization, and directory services across distributed infrastructure. It provides a comprehensive framework for managing human and service accounts, utilizing a schema-driven database to store identity records, group memberships, and system attributes. The platform supports a wide range of authentication methods, including passkeys, passwords, and standard protocols like OAuth2, OIDC, LDAP, and RADIUS. The system distinguishes itself through a granular access control engine that enforces security policies based on user, group, and resource attributes. It incorporates advanced security features such as privileged access mode enforcement, which requires reauthentication before sensitive operations, and high-privilege group tainting to limit lateral movement. Administrators can delegate management tasks for specific entries or groups, ensuring that permissions remain tightly scoped while maintaining operational flexibility. Beyond core identity functions, the platform includes robust tools for system maintenance, including automated backup scheduling, database consistency verification, and multi-node replication to ensure high availability. It also provides deep integration with host operating systems through pluggable authentication modules and supports infrastructure access provisioning by managing SSH keys and POSIX attributes. The project provides a suite of command-line utilities for administrative tasks, session management, and server configuration. Documentation and installation resources are available to guide the deployment of the server and its associated client tools.
A centralized identity management server that provides a comprehensive framework for authorization and access control.
Casdoor is a centralized identity and access management platform that functions as an OAuth 2.0 authorization server. It provides a comprehensive suite of services for managing user identities, authentication sessions, and access policies across both web and machine-to-machine applications. Built with a Go backend and a separate React web frontend, the platform supports high-concurrency environments and offers a web-based management interface for administrative tasks. The platform distinguishes itself through its extensive support for federated identity management, allowing integration with external providers via OIDC, SAML, and LDAP. It enforces granular security through role-based access control, scope-based permission validation, and authenticator-backed methods like WebAuthn. Beyond standard identity services, it includes specialized infrastructure for managing AI agent lifecycles, monitoring agent traffic, and securing tool access through delegated authentication. The system provides a broad capability surface that includes observability and audit logging, event-driven webhook notifications, and automated session management. It also offers developer-focused tools such as CLI-based authentication flows, secure token storage, and software development kits for integrating identity verification into external services. The platform is designed for flexible deployment, supporting configuration via JSON-based data initialization and providing APIs for querying system status and version information.
A centralized identity and access management platform that functions as an OAuth 2.0 authorization server.
Kratos (Ory Kratos) is a centralized identity and user management server designed to handle user registration, login, account recovery, verification, settings, and profile management. It functions as an identity flow orchestrator, managing the state and security of these self-service flows across web, mobile, and command-line clients, and supports multi-factor authentication (TOTP, WebAuthn, lookup secrets) and custom JSON Schema identity models to secure user accounts. Kratos is not itself an OAuth2/OIDC authorization server and does not implement a permission model: in the Ory stack, token issuance and delegated access for third-party applications are handled by the separate Ory Hydra, and relationship-based access control, which evaluates permissions by traversing a directed graph of relationships between subjects and objects, is handled by Ory Keto. The project distinguishes itself through a headless architecture that decouples identity flows from the user interface. By providing JSON-based API responses, it allows developers to build custom authentication experiences for any platform. Beyond core identity functions, the platform includes extensive developer tooling, such as language-specific client libraries and a command-line interface for managing configuration and identities. It supports lifecycle extensions through hooks, allowing custom business logic to run before or after specific identity events, including web hooks to external services. Sessions are held server-side and referenced by a cookie or an opaque session token; each session records an authenticator assurance level (AAL), so relying applications can require a second factor before sensitive operations.
An identity flow orchestrator that handles authentication and identity management, though it relies on external systems for fine-grained authorization.
SuperTokens Core is an open-source, self-hosted authentication and identity management platform designed for deployment within private infrastructure. It provides a comprehensive suite for managing user accounts, roles, and secure authentication flows, utilizing a modular, recipe-based architecture that allows developers to enable specific security features without modifying the core codebase. The platform distinguishes itself through its robust multi-tenancy capabilities, which allow for the logical or physical isolation of user records and configuration settings across different organizational environments. It employs a claims-based session management model that uses cryptographically signed access tokens to enable stateless authorization, alongside an event-driven hook system that triggers custom business logic during authentication lifecycle events. The system covers a broad capability surface, including diverse authentication methods such as passwordless flows, social and enterprise single sign-on, and passkey (WebAuthn) support. It also integrates advanced security features like threat detection, multi-factor authentication enforcement, and granular role-based access control, while providing tools for session monitoring, request tracing, and user data migration from legacy systems. The project is designed to be run as a containerized service, offering horizontal scalability to handle varying traffic loads. Detailed documentation and administrative interfaces are available to assist with environment configuration, UI theming, and the integration of custom authentication logic.
A self-hosted authentication and identity management platform focused on managing user accounts, roles, and authorization.
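Added worked example (not SuperTokens' code): a claims-based stateless session check of the kind the entry above describes. A signed token carries the claims a request handler needs (tenant, roles, email-verification state, expiry), the handler verifies the signature before trusting anything in the payload, and claim validators run without a round trip to a session store. Tokens are plain HS256 JWTs built with the standard library; the claim names tenant_id, roles and email_verified, the key and the sample session are constructed for this example and are not a vendor's schema.

```python
# Added illustration, not SuperTokens' code: a claims-based stateless session
# check. Tokens are plain HS256 JWTs built with the standard library; the
# claim names used here (tenant_id, roles, email_verified) are assumptions
# for this example, not a vendor's schema.
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes) -> str:
    """Issue header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes, now: float | None = None) -> dict | None:
    """Return the claims when signature and expiry check out, otherwise None.
    Nothing in the payload is trusted (or even parsed) before the MAC is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        presented = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error) and bad JSON are both ValueError
        return None
    # Pin the algorithm server-side; the token never gets to choose (no alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def authorize(claims: dict | None, *, tenant_id: str, required_role: str,
              need_verified_email: bool = True) -> bool:
    """Claim validators evaluated per request, with no round trip to a session store."""
    if claims is None:
        return False
    if claims.get("tenant_id") != tenant_id:          # token is bound to exactly one tenant
        return False
    if required_role not in claims.get("roles", []):
        return False
    if need_verified_email and claims.get("email_verified") is not True:
        return False
    return True


def forge_payload(token: str, new_claims: dict) -> str:
    """Attacker move for the demo: swap the payload but keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    payload = _b64url(json.dumps(new_claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{header_b64}.{payload}.{sig_b64}"


# Constructed sample: one signing key and one session for a user of tenant "acme".
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_CLAIMS = {"sub": "user-42", "tenant_id": "acme", "roles": ["admin"],
               "email_verified": True, "exp": 2_000_000_000}

if __name__ == "__main__":
    tok = mint(DEMO_CLAIMS, DEMO_KEY)
    print("valid session authorized:", authorize(verify(tok, DEMO_KEY), tenant_id="acme", required_role="admin"))
    forged = forge_payload(tok, {**DEMO_CLAIMS, "roles": ["admin", "owner"]})
    print("forged payload accepted:", verify(forged, DEMO_KEY) is not None)
```

The stateless trade-off is visible in the code: nothing here can revoke a token before its exp, which is why such designs pair a short-lived access token with a refresh token that is checked against a store, and why the tenant binding and expiry live inside the signed claims rather than in a lookup.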
OpenZeppelin Contracts is a library of modular, secure, and reusable smart contract components designed for the development of decentralized applications. It provides a foundational framework for building standard-compliant contracts, offering battle-tested implementations for token standards, access control, and common utility patterns. The project distinguishes itself through its comprehensive support for complex architectural patterns, including proxy-based upgradeability, role-based access control, and account abstraction. It enables developers to implement modular logic injection via hooks and storage-namespace isolation, ensuring that contracts remain maintainable and secure as they evolve. These features allow for the creation of sophisticated systems, such as tokenized vaults, cross-chain messaging infrastructure, and decentralized governance mechanisms, while maintaining strict adherence to industry standards. Beyond its core components, the library covers a broad capability surface including cryptographic utilities, data integrity verification, and time-locked operation scheduling. It provides specialized tools for managing asset lifecycles, including vesting schedules, supply management, and royalty configurations, alongside frameworks for smart account development and signature-based meta-transactions. The repository serves as a primary resource for Solidity developers, offering extensive documentation and pre-built templates to accelerate the deployment of secure, production-ready smart contracts.
A library of secure smart contract components that includes foundational role-based access control for decentralized applications.
DataHub is a metadata management platform designed to unify technical, operational, and business context across diverse data ecosystems. By utilizing a graph-based metadata model and an event-driven ingestion architecture, it creates a centralized source of truth that maps complex data relationships, lineage, and ownership. This foundational framework enables organizations to maintain a synchronized view of their data landscape, supporting both human-led discovery and automated data operations. The platform distinguishes itself through its focus on grounding artificial intelligence and autonomous agents in verified enterprise context. It provides specialized capabilities to inject provenance-aware lineage, business definitions, and quality signals into AI prompts, ensuring that generated insights are accurate and trustworthy. Through a policy-as-code governance engine, it enforces access controls and compliance rules directly within the metadata graph, allowing for programmatic oversight of data assets across hybrid environments. Beyond its core identity, the project offers a comprehensive suite of tools for data discovery, observability, and lifecycle management. It includes features for automated lineage extraction, impact analysis, and semantic search, enabling users to navigate data dependencies and resolve quality issues efficiently. The platform also supports collaborative workflows, allowing teams to manage business glossaries, certify data assets, and automate access requests through integrated communication channels. DataHub is built to scale, utilizing a distributed architecture that allows storage, search, and graph processing layers to operate independently. It provides standardized interfaces and a bridge-based connector framework to facilitate integration with heterogeneous data sources and external AI agent frameworks.
A metadata management platform that includes robust policy-based access control and governance features for data ecosystems.
Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It encrypts secrets at rest so that they remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived credentials bound to a lease that expires after a configured TTL and can be revoked early. It supports complex security workflows by integrating with external identity providers for federated authentication and offering a reverse tunneling gateway that allows secure access to private network resources without exposing inbound ports. Additionally, the system includes an event-driven audit engine that maintains an immutable record of all configuration changes and access requests to support compliance requirements. Beyond core secret storage, the platform provides comprehensive orchestration capabilities, including automated secret injection into containerized environments and infrastructure pipelines. It also features integrated public key infrastructure management for the lifecycle of digital certificates and automated scanning to detect hardcoded secrets in source code and CI pipelines. The platform supports flexible deployment models, allowing teams to either utilize managed cloud services or self-host the infrastructure within their own private networks. It provides a broad ecosystem of SDKs and a command-line interface to facilitate integration across various programming languages and deployment workflows.
A secrets management platform that includes access control policies for sensitive credentials and configuration data.