/awesome-iam

👤 Identity and Access Management Knowledge for Cloud Platforms

Creative Commons Zero v1.0 UniversalCC0-1.0

Awesome IAM

A curated list of resources on managing accounts, users, roles, permissions, authentication and authorization. Awesome

Trusting is hard. Knowing who to trust, even harder.
— Maria V. Snyder[1]

IAM stands for Identity and Access Management. But is more than handling user accounts: it encompass authentication, authorization and privacy, making this perimeter quite complex. It is an essential pillar of the cloud stack, where users, products and security meets. The other pillar being billing & payments 💰.

This knowledge base expose all the technologies, protocols and jargon of the domain in a comprehensive and actionable manner.

Contents

Overview

In a Stanford class providing an overview of cloud computing, the software architecture of the platform is described as in the right diagram →

Here we set out the big picture: definition and strategic importance of the domain, its place in the larger ecosystem, plus some critical features.

  • The EnterpriseReady SaaS Feature Guides - The majority of the features making B2B users happy will be implemented by the IAM perimeter.

  • IAM is hard. It's really hard. - “Overly permissive AWS IAM policies that allowed s3:GetObject to * (all) resources”, led to $80 million fine for Capital One. The only reason why you can't overlook IAM as a business owner.

  • IAM Is The Real Cloud Lock-In - A little click-baity, but author admit that “It depends on how much you trust them to 1. Stay in business; 2. Not jack up your prices; 3. Not deprecate services out from under you; 4. Provide more value to you in business acceleration than they take away in flexibility.”

Security

Security is one of the most central pillar of IAM foundations. Here are some broad concepts.

Account Management

The foundation of IAM: the definition and life-cycle of users, groups, roles and permissions.

  • As a user, I want… - A meta-critic of account management, in which features expected by the business clash with real user needs, in the form of user stories written by a fictional project manager.

  • Things end users care about but programmers don't - In the same spirit as above, but broader: all the little things we overlook as developers but users really care about. In the top of that list lies account-centric features, diverse integration and import/export tools. I.e. all the enterprise customers needs to cover.

  • Separate the account, user and login/auth details - Sound advice to lay down the foundation of a future-proof IAM API.

  • Identity Beyond Usernames - On the concept of usernames as identifiers, and the complexities introduced when unicode characters meets uniqueness requirements.

  • Kratos - User login, user registration, 2FA and profile management.

  • Conjur - Automatically secures secrets used by privileged users and machine identities.

  • SuperTokens - Open source alternative to Auth0 / Firebase Auth / AWS Cognito.

  • UserFrosting - Modern PHP user login and management framework.

Cryptography

The whole authentication stack is based on cryptography primitives. This can't be overlooked.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify”.

  • BeyondCorp: A New Approach to Enterprise Security - Quick overview of Google's Zero-trust Network initiative.

  • What is BeyondCorp? What is Identity-Aware Proxy? - More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.

  • oathkeeper - Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.

  • transcend - BeyondCorp-inspired Access Proxy server.

  • Pomerium - An identity-aware proxy that enables secure access to internal applications.

Authentication

Protocols and technologies to verify that you are who you pretend to be.

Password-based

Password-less

  • An argument for passwordless - Passwords are not the be-all and end-all of user authentication. This article tries to tell you why.

  • WebAuthn guide - A very accessible guide to WebAuthn, a standard allowing “servers to register and authenticate users using public key cryptography instead of a password”, supported by all major browsers.

Security Key

  • Webauthn and security keys - Describe how authentication works with security keys, details the protocols, and how they articulates with WebAuthn. Key takeaway: “There is no way to create a U2F key with webauthn however. (…) So complete the transition to webauthn of your login process first, then transition registration.”

  • Getting started with security keys - A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.

  • Solo - Open security key supporting FIDO2 & U2F over USB + NFC.

  • OpenSK - Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

  • YubiKey Guide - Guide to using YubiKey as a SmartCard for storing GPG encryption, signing and authentication keys, which can also be used for SSH. Many of the principles in this document are applicable to other smart card devices.

  • YubiKey at Datadog - Guide to setup Yubikey, U2F, GPG, git, SSH, Keybase, VMware Fusion and Docker Content Trust.

Multi-Factor

SMS-based

TL;DR: don't. For details, see articles below.

Public-Key Infrastructure (PKI)

Certificate-based authentication.

  • PKI for busy people - Quick overview of the important stuff.

  • Everything you should know about certificates and PKI but are too afraid to ask - PKI lets you define a system cryptographically. It's universal and vendor neutral.

  • lemur - Acts as a broker between CAs and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.

  • CFSSL - A swiss army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.

  • JA3 - Method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.

JWT

JSON Web Token is a bearer's token.

OAuth2 & OpenID

OAuth 2.0 is an authorization framework. OpenID Connect (OIDC) is an authentication layer on top of it.

The old OpenID is dead; the new OpenID Connect is very much not-dead.

  • An Illustrated Guide to OAuth and OpenID Connect - Explain how these standards work using simplified illustrations.

  • OAuth 2 Simplified - A reference article describing the protocol in simplified format to help developers and service providers implement it.

  • OAuth 2.0 and OpenID Connect (in plain English) - Starts with an historical context on how these standards came to be, clears up the innacuracies in the vocabulary, then details the protocols and its pitfalls to make it less intimidating.

  • Everything You Need to Know About OAuth (2.0) - A good overview with a practical case study on how Teleport, an open-source remote access tool, allows users to log in through GitHub SSO.

  • OAuth in one picture - A nice summary card.

  • How to Implement a Secure Central Authentication Service in Six Steps - Got multiple legacy systems to merge with their own login methods and accounts? Here is how to merge all that mess by the way of OIDC.

  • Open-Sourcing BuzzFeed's SSO Experience - OAuth2-friendly adaptation of the Central Authentication Service (CAS) protocol. You'll find there good OAuth user flow diagrams.

  • The Decline of OpenID - OpenID is being replaced in the public web to a mix of OAuth 1, OAuth 2 or other proprietary SSO protocols.

  • Why Mastercard Doesn't Use OAuth 2.0 - “They did this to provide message-level integrity. OAuth 2 switched to Transport-level confidentiality/Integrity.” (which TLS provides) (source).

  • OAuth 2.0 Security Best Current Practice - “Updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application”.

  • Hidden OAuth attack vectors - How to identify and exploit some of the key vulnerabilities found in OAuth 2.0 authentication mechanisms.

  • PKCE Explained - “PKCE is used to provide one more security layer to the authorization code flow in OAuth and OpenID Connect.”

  • Hydra - Open-source OIDC & OAuth2 Server.

  • Cierge - Open-source authentication server (OIDC) that handles user signup, login, profiles, management, and more.

  • Keycloak - Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.

  • Casdoor - A UI-first centralized authentication / Single-Sign-On (SSO) platform based. Supports OIDC and OAuth 2, social logins, user management, 2FA based on Email and SMS.

  • IdentityServer - Free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.

  • authentik - Open-source Identity Provider similar to Keycloak.

  • ZITADEL - An Open-Source solution built with Go and Angular to manage all your systems, users and service accounts together with their roles and external identities. ZITADEL provides you with OIDC, OAuth 2.0, login & register flows, passwordless and MFA authentication. All this is built on top of eventsourcing in combination with CQRS to provide a great audit trail.

  • a12n-server - A simple authentication system which only implements the relevant parts of the OAuth2 standards.

SAML

Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication between services, like OAuth/OpenID protocols above.

Typical SAML identity provider is an institution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.

Authorization

Now that we know you are you, are you allowed to perform what you want to do?

Policy specification is the science, enforcement is the art.

Policy models

As a concept, access control policies can be designed to follow very different archetypes, from classic Access Control Lists to Role Based Access Control. In this section we explore lots of different patterns and architectures.

Open-source policy frameworks

Collection of open-source projects if you're looking to roll your own policy implementation.

  • Keto - Policy decision point. It uses a set of access control policies, similar to AWS policies, in order to determine whether a subject is authorized to perform a certain action on a resource.

  • Ladon - Access control library, inspired by AWS.

  • Athenz - Set of services and libraries supporting service authentication and role-based authorization (RBAC) for provisioning and configuration.

  • Casbin - Open-source access control library for Golang projects.

  • Open Policy Agent - Allows end to end testing of your policies across SQL, Kubernetes, Terraform, Kafka, Envoy, S3 (via Minio), EC2/ECS/Lambda (Linux).

  • Open Policy Administration Layer - Open Source administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to OPA agents. OPAL brings open-policy up to the speed needed by live applications.

  • Gubernator - High performance rate-limiting micro-service and library.

  • Biscuit - Biscuit merge concepts from cookies, JWTs, macaroons and Open Policy Agent. “It provide a logic language based on Datalog to write authorization policies. It can store data, like JWT, or small conditions like Macaroons, but it is also able to represent more complex rules like role-based access control, delegation, hierarchies.”

  • Oso - A batteries-included library for building authorization in your application.

  • Cerbos - An authorization endpoint to write context-aware access control policies.

AWS policy tools

Tools and resources exclusively targetting the AWS IAM policies ecosystem.

  • Become an AWS IAM Policy Ninja - “In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.”

  • Cloudsplaining - Security assessment tool that identifies violations of least privilege and generates a risk-prioritized report.

  • Policy Sentry - Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Policy Sentry helps users to create least-privilege policies in a matter of seconds.

  • Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.

  • Principal Mapper - Quickly evaluates permissions.

  • PolicyUniverse - Parse and process AWS policies, statements, ARNs, and wildcards.

  • IAM Floyd - AWS IAM policy statement generator with fluent interface. Helps with creating type safe IAM policies and writing more restrictive/secure statements by offering conditions and ARN generation via IntelliSense. Available for Node.js, Python, .Net and Java.

  • ConsoleMe - A self-service tool for AWS that provides end-users and administrators credentials and console access to the onboarded accounts based on their authorization level of managing permissions across multiple accounts, while encouraging least-privilege permissions.

Macaroons

A clever curiosity to distribute and delegate authorization.

Secret Management

Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.

  • Secret at Scale at Netflix - Solution based on blind signatures. See the slides.

  • High Availability in Google's Internal KMS - Not GCP's KMS, but the one at the core of their infrastructure. See the slides.

  • vault - Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.

  • sops - Encrypts the values of YAML and JSON files, not the keys.

  • gitleaks - Audit git repos for secrets.

  • truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

  • Keywhiz - A system for managing and distributing secrets, which can fit well with a service oriented architecture (SOA).

  • roca - Python module to check for weak RSA moduli in various key formats.

Hardware Security Module (HSM)

HSMs are physical devices guaranteeing security of secret management at the hardware level.

Trust & Safety

Once you've got a significant user base, it is called a community. You'll then be responsible to protect it: the customer, people, the company, the business, and facilitate all interactions and transactions happening therein.

A critical intermediation complex driven by a policy and constraint by local laws, the Trust & Safety department is likely embodied by a cross-functional team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extension of customer support services, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harassment, handling of warrants and copyright claims, data sequestration and other credit card disputes.

User Identity

Most businesses do not collect customer's identity to create user profiles to sell to third party, no. But you still have to: local laws require to keep track of contract relationships under the large Know You Customer (KYC) banner.

  • The Laws of Identity - Is this paper aims at identity metasystem, its laws still provides great insights at smaller scale, especially the first law: to always allow user control and ask for consent to earn trust.

  • How Uber Got Lost - “To limit "friction" Uber allowed riders to sign up without requiring them to provide identity beyond an email — easily faked — or a phone number. (…) Vehicles were stolen and burned; drivers were assaulted, robbed and occasionally murdered. The company stuck with the low-friction sign-up system, even as violence increased.”

  • A Comparison of Personal Name Matching: Techniques and Practical Issues - Customer name matching has lots of application, from account deduplication to fraud monitoring.

  • Statistically Likely Usernames - Wordlists for creating statistically likely usernames for use in username-enumeration, simulated password-attacks and other security testing tasks.

  • Facebook Dangerous Individuals and Organizations List - Some groups and content are illegal in some juridictions. This is an example of a blocklist.

  • Sherlock - Hunt down social media accounts by username across social networks.

Fraud

As an online service provider, you're exposed to fraud, crime and abuses. You'll be surprised by how much people gets clever when it comes to money. Expect any bug or discrepancies in your workflow to be exploited for financial gain.

Moderation

Any online communities, not only those related to gaming and social networks, requires their operator to invest a lot of resource and energy to moderate it.

  • Still Logged In: What AR and VR Can Learn from MMOs - “If you host an online community, where people can harm another person: you are on the hook. And if you can't afford to be on the hook, don't host an online community”.

  • You either die an MVP or live long enough to build content moderation - “You can think about the solution space for this problem by considering three dimensions: cost, accuracy and speed. And two approaches: human review and machine review. Humans are great in one of these dimensions: accuracy. The downside is that humans are expensive and slow. Machines, or robots, are great at the other two dimensions: cost and speed - they're much cheaper and faster. But the goal is to find a robot solution that is also sufficiently accurate for your needs.”

  • Keep out the bad apples: How to moderate a marketplace - “With great power comes great responsibility. Some of my tips and tricks to make your marketplace a safer place.”

  • The despair and darkness of people will get to you - Moderation of huge social networks is performed by an army of outsourced subcontractors. These people are exposed to the worst and generally ends up with PTSD.

  • The Cleaners - A documentary on these teams of underpaid people removing posts and deleting accounts.

Threat Intelligence

How to detect, unmask and classify offensive online activities. Most of the time these are monitored by security, networking and/or infrastructure engineering teams. Still, these are good resources for T&S and IAM people, who might be called upon for additional expertise for analysis and handling of threats.

  • Awesome Threat Intelligence - “A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.”

  • SpiderFoot - An open source intelligence (OSINT) automation tool. It integrates with just about every data source available and uses a range of methods for data analysis, making that data easy to navigate.

  • Standards related to Threat Intelligence - Open standards, tools and methodologies to support threat intelligence analysis.

  • MISP taxonomies and classification - Tags to organize information on “threat intelligence including cyber security indicators, financial fraud or counter-terrorism information.”

  • Browser Fingerprinting: A survey - Fingerprints can be used as a source of signals to identify bots and fraudsters.

  • The challenges of file formats - At one point you will let users upload files in your system. Here is a corpus of suspicious media files that can be leveraged by scammers =to bypass security or fool users.

  • SecLists - Collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

  • PhishingKitTracker - CSV database of email addresses used by threat actor in phishing kits.

  • PhoneInfoga - Tools to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone numbers with a very good accuracy. Then search for footprints on search engines to try to find the VoIP provider or identify the owner.

  • Confusable Homoglyphs - Homoglyphs is a common phishing trick.

Captcha

Another line of defense against spammers.

  • Awesome Captcha - Reference all open-source captcha libraries, integration, alternatives and cracking tools.

  • reCaptcha - reCaptcha is still an effective, economical and quick solution when your company can't afford to have a dedicated team to fight bots and spammers at internet scale.

  • You (probably) don't need ReCAPTCHA - Starts with a rant on how the service is a privacy nightmare and is tedious UI-wise, then list alternatives.

  • Anti-captcha - Captchas solving service.

Blocklists

The first mechanical line of defense against abuses consist in plain and simple deny-listing. This is the low-hanging fruit of fraud fighting, but you'll be surprised how they're still effective.

Hostnames and Subdomains

Useful to identified clients, catch and block swarms of bots, and limit effects of dDOS.

Emails

  • Burner email providers - A list of temporary email providers. And its derivative Python module.

  • MailChecker - Cross-language temporary (disposable/throwaway) email detection library.

  • Temporary Email Address Domains - A list of domains for disposable and temporary email addresses. Useful for filtering your email list to increase open rates (sending email to these domains likely will not be opened).

  • gman - “A ruby gem to check if the owner of a given email address or website is working for THE MAN (a.k.a verifies government domains).” Good resource to hunt for potential government customers in your user base.

  • Swot - In the same spirit as above, but this time to flag academic users.

Reserved IDs

Profanity

Privacy

As the guardian of user's data, the IAM stack is deeply bounded by the respect of privacy.

Anonymization

As a central repository of user data, the IAM stack stakeholders have to prevent any leakage of business and customer data. To allow for internal analytics, anonymization is required.

GDPR

The well-known European privacy framework

UX/UI

As stakeholder of the IAM stack, you're going to implement in the backend the majority of the primitives required to build-up the sign-up tunnel and user onboarding. This is the first impression customers will get from your product, and can't be overlooked: you'll have to carefully design it with front-end experts. Here is a couple of guides to help you polish that experience.

Competitive Analysis

A bunch of resources to keep track of the current status and progress of all companies operating in the domain.

History

  • cryptoanarchy.wiki - Cypherpunks overlaps with security. This wiki compiles information about the movement, its history and the people/events of note.

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

Footnotes

The header image is based on a modified photo by Ben Sweet.

[1]: Poison Study (Mira, 2007). [↑]