awesome-iam

<!--lint disable awesome-heading--> <p align="center"> <a href="https://github.com/kdeldycke/awesome-iam#readme"> <img src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/awesome-iam-header.jpg" alt="Awesome IAM"> </a> </p> <p align="center"> <a href="https://github.com/kdeldycke/awesome-iam#readme" hreflang="en"><img src="https://img.shields.io/badge/lang-English-blue?style=flat-square" lang="en" alt="English"></a> <a href="https://github.com/kdeldycke/awesome-iam/blob/main/readme.zh.md" hreflang="zh"><img src="https://img.shields.io/badge/lang-汉语-blue?style=flat-square" lang="zh" alt="汉语"></a> </p> <p align="center"> ^{This list is <a href="#sponsor-def">sponsored<sup id="sponsor-ref">[0]}</a> by:</sup><br> </p> <p align="center"> <a href="https://www.descope.com/?utm_source=awesome-iam&utm_medium=referral&utm_campaign=awesome-iam-oss-sponsorship"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-dark-background.svg"> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-light-background.svg"> <img width="300" src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-light-background.svg"> </picture> <br/> <strong>Drag and drop your auth.</strong><br/> Add authentication, user management, and authorization to your app with a few lines of code. </a> <!-- Comment this sponsorship call-to-action if there is a sponsor logo to increase its impact. --> <!-- <a href="https://github.com/sponsors/kdeldycke"> <strong>Yᴏᴜʀ Iᴅᴇɴᴛɪᴛʏ & Aᴜᴛʜᴇɴᴛɪᴄᴀᴛɪᴏɴ Pʀᴏᴅᴜᴄᴛ ʜᴇʀᴇ!</strong> <br/> ^{Add a link to your company or project here: back me up via a GitHub sponsorship.} </a> --> </p>

---

<p align="center"> <i>Trusting is hard. Knowing who to trust, even harder.</i><br> — Maria V. Snyder<sup id="intro-quote-ref"><a href="#intro-quote-def">[1]</a></sup> </p> <!--lint disable double-link-->

IAM stands for Identity and Access Management. It is a complex domain which covers user accounts, authentication, authorization, roles, permissions and privacy. It is an essential pillar of the cloud stack, where users, products and security meets. The other pillar being billing & payments 💰.

This curated list expose all the technologies, protocols and jargon of the domain in a comprehensive and actionable manner.

<!--lint enable double-link-->

Contents

<!-- mdformat-toc start --slug=github --no-anchors --maxlevel=6 --minlevel=2 -->

• Overview
• Security
• Account Management
• Cryptography
  • Identifiers
• Zero-trust Network
• Authentication
• Password-based auth
• Multi-factor auth
  • SMS-based
• Password-less auth
  • WebAuthn
  • Security key
  • Public-Key Infrastructure (PKI)
  • JWT
• Authorization
  • Policy models
  • Open-source policy frameworks
  • AWS policy tools
  • Macaroons
• OAuth2 & OpenID
• SAML
• Secret Management
  • Hardware Security Module (HSM)
• Trust & Safety
  • User Identity
  • Fraud
  • Moderation
  • Threat Intelligence
  • Captcha
• Blocklists
  • Hostnames and Subdomains
  • Emails
  • Reserved IDs
  • Profanity
• Privacy
  • Anonymization
  • GDPR
• UX/UI
• Competitive Analysis
• History

<!-- mdformat-toc end -->

Overview

<img align="right" width="50%" src="./assets/cloud-software-stack-iam.jpg"/>

In a Stanford class providing an overview of cloud computing, the software architecture of the platform is described as in the right diagram →

Here we set out the big picture: definition and strategic importance of the domain, its place in the larger ecosystem, plus some critical features.

• The EnterpriseReady SaaS Feature Guides - The majority of the features making B2B users happy will be implemented by the IAM perimeter.

• IAM is hard. It's really hard. - “Overly permissive AWS IAM policies that allowed s3:GetObject to * (all) resources”, led to $80 million fine for Capital One. The only reason why you can't overlook IAM as a business owner.

• IAM Is The Real Cloud Lock-In - A little click-baity, but author admit that “It depends on how much you trust them to 1. Stay in business; 2. Not jack up your prices; 3. Not deprecate services out from under you; 4. Provide more value to you in business acceleration than they take away in flexibility.”

Security

Security is one of the most central pillar of IAM foundations. Here are some broad concepts.

• Enterprise Information Security - Mozilla's security and access guidelines.

• Mitigating Cloud Vulnerabilities - “This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities)”.

• Cartography - A Neo4J-based tool to map out dependencies and relationships between services and resources. Supports AWS, GCP, GSuite, Okta and GitHub.

• Open guide to AWS Security and IAM

Account Management

The foundation of IAM: the definition and life-cycle of users, groups, roles and permissions.

• As a user, I want… - A meta-critic of account management, in which features expected by the business clash with real user needs, in the form of user stories written by a fictional project manager.

• Things end users care about but programmers don't - In the same spirit as above, but broader: all the little things we overlook as developers but users really care about. In the top of that list lies account-centric features, diverse integration and import/export tools. I.e. all the enterprise customers needs to cover.

• Separate the account, user and login/auth details - Sound advice to lay down the foundation of a future-proof IAM API.

• Identity Beyond Usernames - On the concept of usernames as identifiers, and the complexities introduced when unicode characters meets uniqueness requirements.

• Kratos - User login, user registration, 2FA and profile management.

• Conjur - Automatically secures secrets used by privileged users and machine identities.

• SuperTokens - Open-source project for login and session management which supports passwordless, social login, email and phone logins.

• UserFrosting - Modern PHP user login and management framework.

Cryptography

The whole authentication stack is based on cryptography primitives. This can't be overlooked.

• Cryptographic Right Answers - An up to date set of recommendations for developers who are not cryptography engineers. There's even a shorter summary available.

• Real World Crypto Symposium - Aims to bring together cryptography researchers with developers, focusing on uses in real-world environments such as the Internet, the cloud, and embedded devices.

• An Overview of Cryptography - “This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today.”

• Papers we love: Cryptography - Foundational papers of cryptography.

• Lifetimes of cryptographic hash functions - “If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years”.

Identifiers

Tokens, primary keys, UUIDs, … Whatever the end use, you'll have to generate these numbers with some randomness and uniqueness properties.

• Security Recommendations for Any Device that Depends on Randomly-Generated Numbers - “The phrase ‘random number generator’ should be parsed as follows: It is a random generator of numbers. It is not a generator of random numbers.”

• RFC #4122: UUID - Security Considerations - “Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)”. UUIDs are designed to be unique, not to be random or unpredictable: do not use UUIDs as a secret.

• Awesome Identifiers - A benchmark of all identifier formats.

• Awesome GUID - Funny take on the global aspect of unique identifiers.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify”.

• BeyondCorp: A New Approach to Enterprise Security - Quick overview of Google's Zero-trust Network initiative.

• What is BeyondCorp? What is Identity-Aware Proxy? - More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.

• oathkeeper - Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.

• transcend - BeyondCorp-inspired Access Proxy server.

• Pomerium - An identity-aware proxy that enables secure access to internal applications.

Authentication

Protocols and technologies to verify that you are who you pretend to be.

• API Tokens: A Tedious Survey - An overview and comparison of all token-based authentication schemes for end-user APIs.

• A Child's Garden of Inter-Service Authentication Schemes - In the same spirit as above, but this time at the service level.

• Scaling backend authentication at Facebook - How-to in a nutshell: 1. Small root of trust; 2. TLS isn't enough; 3. Certificate-based tokens; 4. Crypto Auth Tokens (CATs). See the slides for more details.

Password-based auth

The oldest scheme for auth.

• The new NIST password guidance - A summary of NIST Special Publication 800-63B covering new password complexity guidelines.

• Password Storage Cheat Sheet - The only way to slow down offline attacks is by carefully choosing hash algorithms that are as resource intensive as possible.

• Password expiration is dead - Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and MFA.

• Practical Recommendations for Stronger, More Usable Passwords - This study recommend the association of: blocklist checks against commonly leaked passwords, password policies without character-class requirements, minimum-strength policies.

• Banks, Arbitrary Password Restrictions and Why They Don't Matter - “Arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.”

• Dumb Password Rules - Shaming sites with dumb password rules.

• Plain Text Offenders - Public shaming of websites storing passwords in plain text.

• Password Manager Resources - A collection of password rules, change URLs and quirks by sites.

• A Well-Known URL for Changing Passwords - Specification defining site resource for password updates.

• How to change the hashing scheme of already hashed user's passwords - Good news: you're not stuck with a legacy password saving scheme. Here is a trick to transparently upgrade to stronger hashing algorithm.

Multi-factor auth

Building upon password-only auth, users are requested in these schemes to present two or more pieces of evidence (or factors).

• Breaking Password Dependencies: Challenges in the Final Mile at Microsoft - The primary source of account hacks is password spraying (on legacy auth like SMTP, IMAP, POP, etc.), second is replay attack. Takeaway: password are insecure, use and enforce MFA.

• Beyond Passwords: 2FA, U2F and Google Advanced Protection - An excellent walk-trough over all these technologies.

• A Comparative Long-Term Study of Fallback Authentication - Key take-away: “schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.”

• [Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at