anvilresearch

A modern authorization server built with Node.js to authenticate your users and protect your APIs

## Overview

We're [Anvil Research](http://anvil.io), a scrappy team of developers working with a growing open source community to bring sophisticated identity and access management infrastructure within reach for every developer and every project, large or small. To make this possible, we've created [Anvil Connect](https://github.com/anvilresearch/connect), a modern authorization server built to authenticate your users and protect your APIs. Anvil Connect is based on the latest open standards used by Google, Facebook, Microsoft, and countless others. It works with any programming language or framework that talks HTTP over SSL. Best of all, it's 100% free and open source.

Here's what our users are saying:

> “A true open source initiative with no separate enterprise version, simple one-click deployment with Docker or through the custom CLI built by the team. The best solution out there if you’re looking for a self-hosted solution for your identity management. With a very friendly and active community supporting the project with regular releases.” - Adi C.

> “I really like the simplicity of it all. It's been easy to use and the team is committed to a secure implementation. My favorite part about Anvil Connect is how committed the team is to making an awesome product. Whenever I've had a question or an issue, the team has instantly jumped in to help! They're a great bunch of people working on an awesome product!” - Tyler L.

## Why Should You Support Us?

Identity and access management present challenges shared by virtually all developers in today’s world. And as developers, we’re used to compromising, because it’s just too hard to get it right when there’s pressure to ship. With authentication and authorization being foundational to everything else we build, that’s not an acceptable tradeoff for organizations or their users.
At Anvil Research, we’re committed to making advanced identity and access management software easy and accessible, and we want to share what we make with everyone. No strings attached. That’s why we need your help. To keep auth free for everyone, we need sustainable funding.

Here’s how your contribution can help us in 2015. For every $500/month goal we reach, we gain an additional 20 hrs/month of development time toward our primary goals for Q4: 100% OIDC interoperability, refactoring, completion of the REST API, a new CLI, documentation, improved client libraries, and an awesome devops experience. With that support, we will get to our stable 0.2.0 release. Of course, if we don’t make our goals we’ll still keep rocking! It will just take us longer.

# Want to know more?

Dive in deeper below:

## How it works

Anvil Connect is an [OpenID Connect](http://openid.net/connect/) provider. Not to be confused with OpenID 2.0, OpenID Connect is the latest standard for federated identity, finalized in 2014. It builds on OAuth 2.0 and adds strong authentication features like signed tokens, as well as game-changing ideas like dynamic registration.

Our auth server acts as a special-purpose database for user identity and permissions, and it's flexible so you can authenticate users any way you want. Out of the box, you can sign in users with a growing number of OAuth 1.0 and 2.0 providers, OpenID 2.0, LDAP, Active Directory, and local passwords with email verification and account recovery. It's easy to extend your auth server to work with additional providers and protocols. Anvil Connect is compatible with virtually any existing Passport strategy, or you can write your own custom authentication code.

Because Anvil Connect is inherently an OAuth 2.0 provider, you can use it to issue access tokens for protecting your APIs. The server creates signed JSON Web Tokens (JWT) that can be verified at your API endpoints using public keys.
That means a round-trip request to the auth server isn't necessary (although you can make one if you really want to). JWT verification takes place in nanoseconds rather than the tens (or even hundreds) of milliseconds required for a network request. And these tokens carry a payload of embedded data you can use to make authorization decisions on the spot.

Anvil Connect provides fine-grained authorization using Role-based Access Control. Permissions are defined as OAuth 2.0 scopes, which can be assigned to roles. You can create your own roles and scopes, and assign them to users and apps.

Most importantly, Anvil Connect is a standalone auth server, not a library or framework.

## Why would anyone want to use an auth server?

Using an auth server gives you control over your user data. It saves you time writing complex and repetitive auth code. But libraries can do this too. An auth server goes far beyond any library by laying the groundwork for an architecture you can grow with. Gone are the days of compromising on auth while you're building an MVP and then rewriting everything from scratch when it's time to scale. You can start simple and build out an ecosystem of apps and services without ever having to worry about the details of how to share user accounts between them, or how to publish an OAuth API.

Done right, an auth server connects lots of different apps and services together in a seamless and secure way. If you plan on making more than one app or backend service, authenticating users in a variety of ways, sharing API data with other developers, being an identity provider, or connecting your users to lots of different third-party APIs, it's a no-brainer.

## There are so many options for auth. What makes us different?

When we started working on Anvil Connect in mid-2013, there were few options within reach. Proprietary identity software was too expensive. There were many open source packages, but none of them covered everything we needed.
Those that came close were really hard to use, weren't actively maintained, or had convoluted dual-license schemes. Many IDaaS platforms that have sprung up in the last two years tend to become very pricey as you grow in numbers of users and apps. But the real deal killer for us? Even though they're implementing open standards, their backend code isn't open source. If the company behind the platform pivots, fails, or gets acquired and shut down, our business would be jeopardized, since all our other software would depend on that service. To us, that seemed like a risky proposition.

Our ideal auth server had to be:

- Free and open source
- Standard and interoperable
- Platform neutral
- Cloud ready
- Contributor-friendly
- Driven by user input and collaboration
- Accessible under the hood
- Fast to get up and running
- Carefully thought out
- Comprehensive in scope
- Actively maintained

Building a one-off solution is just too difficult and costly. It's harder than it looks, and you have to maintain it. We wanted auth to be a solved problem, right from the start of any project. So we rolled up our sleeves and got to work.

## Vision

Anvil Connect is already used in production around the world, and this is only the beginning. We aim to handle all the complexities of authentication and authorization so you can get on with building your ideas. Setting up an auth service should be as fast and simple as getting a database server up and running.

But there's more to the story than making it easy. The world has only seen a glimpse of the potential for federated identity. We want to pave the way for a proliferation of identity providers that can spontaneously work together to build webs of trust. With Anvil Connect, every domain that needs user authentication can be an IdP. While we're at it, we see a number of opportunities to use Anvil Connect as a springboard for solving even harder problems in the realms of privacy, security, and online trust.
We're dreaming up game-changing uses for existing technologies like public key infrastructure and thinking deeply about new frontiers like blockchain and IoT. Beyond our own project, we believe critical infrastructure in general must be open source. It's better for security, better for users, better for developers, and better for business. We're committed to that ideal.

## Plan

Over the next few months we want to incorporate an important set of potentially breaking changes that improve the usability, design, and maintainability of Anvil Connect. Like all software projects, we know a lot more now than when we started. We’ve been taking stock of lessons learned and we’re busy refactoring to reflect a deeper understanding of how to build an auth server. We want to do this now, before we move on to adding more features.

In addition, our next few sprints will include a push toward 100% interoperability with the OpenID Connect family of specifications. Anvil Connect already implements the majority of OIDC, and we’re on the path to certification.

Our end-of-year goal is to ship 0.2.0, which will be a stable branch. By doing this, we can deliver bug fixes and security patches separately from new features with breaking changes. This is hugely important for users already in production.

Looking ahead to 2016, we plan to break ground on an ambitious set of new features including invitations, attribute-based access control, multi-factor authentication, API access brokering, provider discovery, additional built-in authentication methods like SAML, and a comprehensive web/mobile admin user interface. These are aimed at giving Anvil Connect users new opportunities, more choices, and greater ease of use.