Vaultara - Enterprise Identity and Access Management

Vaultara is an enterprise-grade Identity and Access Management (IAM) platform built in Rust. It serves as a modern, high-performance alternative to Keycloak, providing comprehensive authentication and authorization capabilities.

Features

🔐 Authentication

OAuth 2.0 / OpenID Connect - Full compliance with OAuth 2.0 and OIDC specifications
Multiple Grant Types - Authorization Code, Client Credentials, Password, Refresh Token
PKCE Support - Proof Key for Code Exchange for enhanced security
Token Management - Access tokens, refresh tokens, and ID tokens with configurable lifetimes

👥 User Management

Multi-tenant Architecture - Complete tenant/realm isolation
User Profiles - Comprehensive user profile management
Account Security - Password policies, account lockout, failed login tracking
MFA Ready - Infrastructure for TOTP, SMS, Email, and WebAuthn

🎯 Authorization

Role-Based Access Control (RBAC) - Flexible role assignment
Permission Management - Fine-grained permissions with resource:action model
Group Management - Hierarchical group structure with role inheritance
Attribute-Based Access Control (ABAC) - Condition-based permissions (coming soon)

📋 Audit & Compliance

Complete Audit Trail - Immutable audit logs for all operations
Entity Versioning - Full history of all entity changes
Soft Deletes - Data is never lost, only marked as deleted

🔑 OAuth Client Management

Client Registration - Programmatic and manual client creation
Secret Management - Secure client secret generation and rotation
Scope Configuration - Customizable scopes per client
Redirect URI Validation - Strict redirect URI enforcement

🔄 Session Management

Session Tracking - Track all active user sessions
Session Revocation - Revoke individual or all user sessions
Session Metadata - IP address, user agent tracking

🔐 Security

JWT Key Rotation - Automatic key rotation support
Password Hashing - Argon2id password hashing
CORS Configuration - Configurable cross-origin support
Rate Limiting - Built-in rate limiting (configurable)

Quick Start

Prerequisites

Rust 1.91 or later
PostgreSQL 17 or later
Docker (optional, for development)

Running with Docker Compose

# Start PostgreSQL
docker-compose up -d postgres

# Run migrations and start the server
cargo run

Manual Setup

Set up PostgreSQL:
```
createdb vaultara
```

Configure environment:

cp .env.example .env
# Edit .env with your configuration

Run the application:
```
cargo run
```
Access the API:
- Health Check: http://localhost:8080/health
- OpenID Configuration: http://localhost:8080/.well-known/openid-configuration
- API Base: http://localhost:8080/api/v1

Configuration

All configuration is done via environment variables:

Variable	Description	Default
`SERVER_HOST`	Server bind address	`0.0.0.0`
`SERVER_PORT`	Server port	`8080`
`EXTERNAL_URL`	Public-facing URL	`http://localhost:8080`
`DATABASE_URL`	PostgreSQL connection string	-
`DATABASE_MAX_CONNECTIONS`	Max DB connections	`10`
`JWT_SECRET`	Secret for JWT signing	-
`JWT_ISSUER`	JWT issuer claim	Same as EXTERNAL_URL
`ACCESS_TOKEN_LIFETIME`	Access token lifetime (seconds)	`3600`
`REFRESH_TOKEN_LIFETIME`	Refresh token lifetime (seconds)	`86400`

API Documentation

Endpoints

OIDC Discovery

GET /.well-known/openid-configuration - OpenID Connect discovery
GET /.well-known/jwks.json - JSON Web Key Set

OAuth2

GET /oauth/authorize - Authorization endpoint
POST /oauth/token - Token endpoint
POST /oauth/revoke - Token revocation
POST /oauth/introspect - Token introspection
GET /oauth/userinfo - UserInfo endpoint

Tenants

GET /api/v1/tenants - List tenants
POST /api/v1/tenants - Create tenant
GET /api/v1/tenants/:id - Get tenant
PUT /api/v1/tenants/:id - Update tenant
DELETE /api/v1/tenants/:id - Delete tenant

Users

GET /api/v1/tenants/:tenant_id/users - List users
POST /api/v1/tenants/:tenant_id/users - Create user
GET /api/v1/tenants/:tenant_id/users/:id - Get user
PUT /api/v1/tenants/:tenant_id/users/:id - Update user
DELETE /api/v1/tenants/:tenant_id/users/:id - Delete user
GET /api/v1/tenants/:tenant_id/users/:id/roles - Get user roles
POST /api/v1/tenants/:tenant_id/users/:id/roles - Assign role
DELETE /api/v1/tenants/:tenant_id/users/:id/roles/:role_id - Remove role

Roles

GET /api/v1/tenants/:tenant_id/roles - List roles
POST /api/v1/tenants/:tenant_id/roles - Create role
GET /api/v1/tenants/:tenant_id/roles/:id - Get role
PUT /api/v1/tenants/:tenant_id/roles/:id - Update role
DELETE /api/v1/tenants/:tenant_id/roles/:id - Delete role
GET /api/v1/tenants/:tenant_id/roles/:id/permissions - Get role permissions
POST /api/v1/tenants/:tenant_id/roles/:id/permissions - Assign permission
DELETE /api/v1/tenants/:tenant_id/roles/:id/permissions/:perm_id - Remove permission

Permissions

GET /api/v1/tenants/:tenant_id/permissions - List permissions
POST /api/v1/tenants/:tenant_id/permissions - Create permission
GET /api/v1/tenants/:tenant_id/permissions/:id - Get permission
PUT /api/v1/tenants/:tenant_id/permissions/:id - Update permission
DELETE /api/v1/tenants/:tenant_id/permissions/:id - Delete permission

Groups

GET /api/v1/tenants/:tenant_id/groups - List groups
POST /api/v1/tenants/:tenant_id/groups - Create group
GET /api/v1/tenants/:tenant_id/groups/:id - Get group
PUT /api/v1/tenants/:tenant_id/groups/:id - Update group
DELETE /api/v1/tenants/:tenant_id/groups/:id - Delete group
GET /api/v1/tenants/:tenant_id/groups/:id/members - Get group members
GET /api/v1/tenants/:tenant_id/groups/:id/roles - Get group roles

OAuth Clients

GET /api/v1/tenants/:tenant_id/clients - List clients
POST /api/v1/tenants/:tenant_id/clients - Create client
GET /api/v1/tenants/:tenant_id/clients/:id - Get client
PUT /api/v1/tenants/:tenant_id/clients/:id - Update client
DELETE /api/v1/tenants/:tenant_id/clients/:id - Delete client
POST /api/v1/tenants/:tenant_id/clients/:id/secret - Regenerate secret

Sessions

GET /api/v1/tenants/:tenant_id/sessions - List sessions
DELETE /api/v1/tenants/:tenant_id/sessions/:id - Revoke session
GET /api/v1/tenants/:tenant_id/users/:user_id/sessions - Get user sessions
DELETE /api/v1/tenants/:tenant_id/users/:user_id/sessions - Revoke all user sessions

Audit Logs

GET /api/v1/tenants/:tenant_id/audit-logs - List audit logs
GET /api/v1/tenants/:tenant_id/audit-logs/:id - Get audit log entry

JWT Keys

GET /api/v1/tenants/:tenant_id/keys - List JWT keys
POST /api/v1/tenants/:tenant_id/keys/rotate - Rotate keys

Setup (Beta)

GET /setup/check - Check if setup is required
GET /setup/status - Get installation details
POST /setup - Perform initial setup

Licenses (Beta)

GET /api/v1/tenants/:tenant_id/license - Get license
POST /api/v1/tenants/:tenant_id/license - Create/update license
GET /api/v1/tenants/:tenant_id/license/limits/:resource - Check limits
GET /api/v1/tenants/:tenant_id/license/features/:feature - Check feature
POST /api/v1/admin/licenses/generate - Generate license key

Identity Providers (Beta)

GET /api/v1/tenants/:tenant_id/identity-providers - List providers
POST /api/v1/tenants/:tenant_id/identity-providers - Create provider
GET /api/v1/tenants/:tenant_id/identity-providers/:id - Get provider
GET /api/v1/tenants/:tenant_id/identity-providers/login - Get login providers
GET /api/v1/tenants/:tenant_id/identity-providers/:id/authorize - Get auth URL
GET /api/v1/tenants/:tenant_id/groups/:id/login-providers - Get group providers

Global Sessions (Beta)

POST /api/v1/sessions/global - Create global session
GET /api/v1/sessions/global/:token - Validate session
DELETE /api/v1/sessions/global/:token - End session
POST /api/v1/sessions/global/:token/transfer - Create transfer token
POST /api/v1/sessions/transfer/redeem - Redeem transfer token
GET /api/v1/sessions/global/me - Get my sessions
DELETE /api/v1/sessions/global/me/all - End all my sessions

MFA (Beta)

POST /api/v1/mfa/totp/setup - Setup TOTP
POST /api/v1/mfa/totp/verify - Verify TOTP setup
POST /api/v1/mfa/totp/:user_id/verify - Verify TOTP code
DELETE /api/v1/mfa/totp/disable - Disable TOTP
GET /api/v1/mfa/webauthn/credentials - Get WebAuthn credentials
POST /api/v1/mfa/webauthn/register/begin - Begin registration
DELETE /api/v1/mfa/webauthn/credentials/:id - Delete credential

Auth Flows (Beta)

POST /api/v1/tenants/:tenant_id/auth/password-reset - Request reset
GET /api/v1/auth/password-reset/:token/validate - Validate token
POST /api/v1/auth/password-reset/complete - Complete reset
POST /api/v1/tenants/:tenant_id/users/:id/verify-email - Resend verification
POST /api/v1/auth/verify-email - Verify email

ABAC Policies (Beta)

GET /api/v1/tenants/:tenant_id/policies - List policies
POST /api/v1/tenants/:tenant_id/policies - Create policy
GET /api/v1/tenants/:tenant_id/policies/:id - Get policy
POST /api/v1/tenants/:tenant_id/policies/evaluate - Evaluate policies
GET /api/v1/tenants/:tenant_id/users/:id/check-access - Quick check

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                          Vaultara                                │
├─────────────────────────────────────────────────────────────────┤
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
│  │   API Layer │  │  Middleware │  │  Extractors             │  │
│  │   (Axum)    │  │  (Auth,CORS)│  │  (Auth, Pagination)     │  │
│  └──────┬──────┘  └──────┬──────┘  └───────────┬─────────────┘  │
│         │                │                     │                 │
│  ┌──────▼────────────────▼─────────────────────▼──────────────┐ │
│  │                    Domain Layer                             │ │
│  │  ┌───────────┐  ┌───────────┐  ┌───────────┐               │ │
│  │  │ Entities  │  │ Services  │  │Repositories│               │ │
│  │  └───────────┘  └───────────┘  └───────────┘               │ │
│  └────────────────────────┬───────────────────────────────────┘ │
│                           │                                      │
│  ┌────────────────────────▼───────────────────────────────────┐ │
│  │                 Infrastructure Layer                        │ │
│  │  ┌───────────┐  ┌───────────┐  ┌───────────┐               │ │
│  │  │ Database  │  │  Config   │  │ Security  │               │ │
│  │  │  (sqlx)   │  │           │  │  (JWT)    │               │ │
│  │  └───────────┘  └───────────┘  └───────────┘               │ │
│  └────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
                              │
                    ┌─────────▼─────────┐
                    │    PostgreSQL     │
                    └───────────────────┘

Database Schema

The database schema includes:

tenants - Multi-tenant support with branding and configuration
users - User accounts with profile and authentication data
roles - Role definitions with composite role support
permissions - Fine-grained permissions with resource:action model
groups - Hierarchical groups with path-based queries
oauth_clients - OAuth2 client applications
sessions - Active user sessions
refresh_tokens - Refresh token storage with rotation detection
authorization_codes - OAuth2 authorization codes
jwt_keys - Key rotation support
audit_logs - Immutable audit trail
entity_history - Version history for all entities

Development

Project Structure

vaultara/
├── Cargo.toml
├── migrations/           # Database migrations
├── src/
│   ├── api/              # HTTP handlers and routing
│   │   ├── handlers/     # Request handlers
│   │   ├── extractors/   # Request extractors
│   │   └── middleware/   # HTTP middleware
│   ├── domain/           # Business logic
│   │   ├── entities/     # Domain entities
│   │   ├── services/     # Domain services
│   │   └── repositories/ # Repository interfaces
│   ├── dto/              # Data transfer objects
│   │   ├── request/      # Request DTOs
│   │   └── response/     # Response DTOs
│   ├── infrastructure/   # External services
│   │   ├── config/       # Configuration
│   │   ├── database/     # Database layer
│   │   └── security/     # Security utilities
│   ├── lib.rs
│   └── main.rs
└── docs/                 # Documentation

Running Tests

cargo test

Building for Production

cargo build --release

Roadmap

MVP

Beta (Current)

GA

Beta Features

License System

Vaultara includes a flexible license system similar to n8n's open-source model:

Free Tier: 10 users, 5 groups, 3 OAuth clients
Starter Tier: 50 users, 20 groups, 10 clients, MFA support
Professional Tier: 500 users, SSO, WebAuthn, custom branding
Enterprise Tier: Unlimited, all features including SAML
Founder Tier: Unlimited, with special bypass access

Cross-Domain Session Sharing

Sessions can be shared across different domains using Vaultara's centralized session service:

POST /api/v1/sessions/global                    # Create global session
GET  /api/v1/sessions/global/:token             # Validate session
POST /api/v1/sessions/global/:token/transfer    # Create transfer token
POST /api/v1/sessions/transfer/redeem           # Redeem transfer on new domain

Identity Providers

Support for external identity providers with group-based restrictions:

GET  /api/v1/tenants/:id/identity-providers     # List providers
POST /api/v1/tenants/:id/identity-providers     # Create provider
GET  /api/v1/tenants/:id/groups/:id/login-providers  # Get allowed providers for group

First-Time Setup

Instead of automatic tenant creation, the setup flow is handled via API:

GET  /setup/check   # Check if setup is required
GET  /setup/status  # Get installation status
POST /setup         # Perform initial setup with tenant, admin user, and license

ABAC Policy Engine

Advanced attribute-based access control with Rego-like conditions:

{
  "name": "manager-access",
  "effect": "allow",
  "resource_pattern": "users:*",
  "actions": ["read", "update"],
  "conditions": {
    "subject.role": {"in": ["admin", "manager"]},
    "context.time": {"between": ["09:00", "17:00"]},
    "context.ip": {"in_cidr": ["10.0.0.0/8"]}
  }
}

Contributing

Contributions are welcome! Please read our contributing guidelines before submitting a pull request.

License

This project is dual-licensed under either:

MIT License (LICENSE-MIT or http://opensource.org/licenses/MIT)
Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)

at your option.

Name		Name	Last commit message	Last commit date
Latest commit History 31 Commits
docs		docs
migrations		migrations
src		src
.env.example		.env.example
.gitignore		.gitignore
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
Dockerfile		Dockerfile
README.md		README.md
docker-compose.yml		docker-compose.yml

RustLangES/vaultara

Folders and files

Latest commit

History

Repository files navigation