Authly is a flexible Attribute-based Access Control (ABAC) Identity and Access Management (IAM) solution with minimalist Service Mesh control plane and data plane capabilities (see Security features).
Attributes can be used to model roles, resources, actions and other IAM concepts, and are configured through sequentially applied, declarative TOML documents (see examples/). Policies use these attributes through a simple DSL.
Authly is available as a multi-arch (amd64/arm64) Docker image:
docker run ghcr.io/protojour/authly
It uses an embedded database and can, in principle, run independently. However, it is not intended to be exposed directly to the internet, and it should have access to a secrets store. Refer to Quickstart for more complete examples.
Examples should be run using our justfile tasks. Refer to the just documentation for how to install it.
An example Kubernetes deployment is available in testfiles/k8s. It includes the Authly-compatible Arx gateway, a Platform Abstraction Layer for secrets, and the routing and setup needed for Authly to provision an example service with mTLS, and it uses Kubernetes Secrets for Authly's core identity.
just k8s-test-deploy
A minimal docker compose development example is available in testfiles/docker/docker-compose.yml.
just docker-test
The Authly server relies on mTLS for service client authentication, and can provision such services with client certificates from a (mesh-local or global) Certificate Authority, either manually (CLI commands), through a native Rust client, through its language bindings (TBA), or through a minimalist sidecar proxy (TBA).
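The provisioning model described above (a mesh-local CA issuing certificates to services, and a server that only talks to peers presenting one) is shown end to end in the following added example. It is not Authly's code or CLI, and Authly itself is written in Rust; Go's standard library is used here because it can run both sides of the exchange in one process with no dependencies. The CA name, the service names `authly.example` and `billing-service`, the one-hour certificate lifetime and the `hello <name>` greeting are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// mint makes a P-256 key and certificate for cn: a self-signed CA when parent is nil, otherwise a CA-signed leaf.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, usage ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived: rotate rather than revoke
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  usage, // empty for the CA, so it may sign both server and client leaves
	}
	if parent == nil { // self-signed mesh-local CA (constructed for this example)
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serve accepts only peers presenting a certificate that chains to pool; returns the address and a stop function.
func serve(serverCert tls.Certificate, pool *x509.CertPool) (string, func(), error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes TLS mutual
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { return "", nil, err }
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { return }
			tc := c.(*tls.Conn)
			// Handshake fails (after sending an alert) for a peer without a CA-issued certificate;
			// the peer's identity is read from the verified certificate, never from the payload.
			if tc.Handshake() == nil {
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// call dials the server, presenting the given client certificates (if any), and returns its greeting.
func call(addr string, pool *x509.CertPool, certs ...tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "authly.example", Certificates: certs})
	if err != nil { return "", err }
	defer conn.Close()
	// A TLS 1.3 client finishes its handshake before the server has checked the client
	// certificate, so the "certificate required" rejection only surfaces on the first read.
	b, err := io.ReadAll(conn)
	if err == nil && len(b) == 0 { err = fmt.Errorf("connection closed without a greeting") }
	return string(b), err
}

// Demo provisions a CA, a server and a client identity, then contrasts a peer with a CA-issued certificate against one without.
func Demo() (greeting string, rejected error, err error) {
	ca, caKey, err := mint("example-mesh-ca", nil, nil)
	if err != nil { return "", nil, err }
	srv, srvKey, err := mint("authly.example", ca, caKey, x509.ExtKeyUsageServerAuth)
	if err != nil { return "", nil, err }
	cli, cliKey, err := mint("billing-service", ca, caKey, x509.ExtKeyUsageClientAuth)
	if err != nil { return "", nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	addr, stop, err := serve(tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}, pool)
	if err != nil { return "", nil, err }
	defer stop()
	cliCert := tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
	if greeting, err = call(addr, pool, cliCert); err != nil { return "", nil, err }
	_, rejected = call(addr, pool) // no client certificate: the server refuses the handshake
	return greeting, rejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

The server never looks at a request body or header to decide who the caller is: the identity is whatever the verified client certificate says, and a peer that cannot present one from the mesh CA is dropped at the handshake. The same holds for the sidecar or native-client variants mentioned above, which differ only in which component holds the client key.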
It uses an embedded hiqlite database, with envelope-encrypted user data for encryption at rest.
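How envelope encryption keeps at-rest keys manageable, as an added example that is not Authly's or hiqlite's implementation: each record gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) held outside the database (the secrets store in Authly's deployment model), and rotating the KEK re-wraps DEKs instead of re-encrypting every row. Go standard library only; `DemoKEK`, the `Record` layout and the use of the record id as associated data are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is the at-rest form of one encrypted row; both fields are nonce || ciphertext || tag.
type Record struct {
	WrappedDEK []byte // per-record data-encryption key, encrypted under the KEK
	Ciphertext []byte // row data, encrypted under the DEK
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key, authenticating aad, and prefixes the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("sealed blob too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt draws a fresh 256-bit DEK for this record, encrypts the row with it and wraps the DEK
// under the KEK. The record id is authenticated as AAD at both layers, so a blob copied into
// another row fails to decrypt instead of silently yielding the wrong user's data.
func Encrypt(kek []byte, recordID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Record{}, err }
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil { return Record{}, err }
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil { return Record{}, err }
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the row with the DEK.
func Decrypt(kek []byte, recordID string, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(recordID))
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return open(dek, r.Ciphertext, []byte(recordID))
}

// RotateKEK re-wraps the DEK under a new KEK without touching the row ciphertext, which is
// the operational payoff of the envelope scheme: KEK rotation never re-encrypts bulk data.
func RotateKEK(oldKEK, newKEK []byte, recordID string, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrappedDEK, []byte(recordID))
	if err != nil { return Record{}, err }
	wrapped, err := seal(newKEK, dek, []byte(recordID))
	if err != nil { return Record{}, err }
	return Record{WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

// DemoKEK stands in for a key fetched from a secrets store; it is constructed for this example only.
func DemoKEK(version string) []byte {
	sum := sha256.Sum256([]byte("constructed-demo-kek:" + version))
	return sum[:]
}

func main() {
	kek := DemoKEK("v1")
	rec, err := Encrypt(kek, "user:42", []byte(`{"email":"alice@example.test"}`))
	if err != nil { panic(err) }
	pt, err := Decrypt(kek, "user:42", rec)
	fmt.Printf("same row: %s (err=%v)\n", pt, err)
	_, err = Decrypt(kek, "user:43", rec)
	fmt.Println("blob moved to another row:", err)
}
```

Two properties matter operationally: a database dump without the KEK contains only wrapped DEKs and ciphertext, and KEK rotation is a pass over the small wrapped-key column rather than over all user data. Binding the record id as AAD is optional but cheap, and it closes the substitution case where an attacker with write access swaps one row's blob for another.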
Authly is not yet audited. We invite anyone to examine or critique its security model, and report any vulnerabilities.
Authly is beta software. Its current feature set is minimal, and the list below covers both what exists today and several planned high-level features:
- Attribute-based data model
- Policy DSL
- High-availability cluster mode
- Database encryption-at-rest
- mTLS provisioning for services
- Kubernetes example setup
- Docker example setup
- Minimal login UI
- Federation and authority/mandate relations
- OAuth 2.0 (2.1) support
- authly-client language bindings
- authly-client-based minimalist sidecar proxy
- Detailed documentation
- Improved login UI
- User registration and recovery
- SMTP email support
- OATH TOTP support for authenticator apps
- OATH HOTP support for recovery codes
- OpenID Connect support
- WebAuthn/Passkeys support
Authly is licensed under the GNU Affero General Public License v3.0 (AGPLv3). Contact us for commercial licensing options.