sgrastar/authrim

Authrim

Open Source Identity & Access Platform for the modern web

An open-source, serverless Identity Hub that combines authentication, authorization, and identity federation on Cloudflare's global edge network.


OpenID Certified OpenID Provider (7 profiles)
Logout Profiles (4 profiles)

⚠️ Pre-1.0 Software

Authrim is functional but pre-1.0. APIs may change, and no formal security audit has been completed yet. Evaluate thoroughly before production use.

Vision

Authrim is a unified Identity & Access Platform combining:

  • Authentication — OIDC Provider, Social Login, Passkey, SAML
  • Authorization — RBAC, ABAC, ReBAC policy engine built-in
  • Identity Federation — Multiple identity sources into one unified identity

Built for edge deployment with <50ms latency worldwide.

npx @authrim/setup

Read the full vision

Quick Start

Option 1: Using @authrim/setup (Recommended)

# Interactive setup with Web UI
npx @authrim/setup

# Or CLI mode for terminal-based setup
npx @authrim/setup --cli

The setup wizard will guide you through:

  • Cloudflare authentication
  • Resource provisioning (D1, KV, Queues)
  • Key generation
  • Worker deployment
  • Initial admin creation

Option 2: Manual Setup (Development)

# 1. Clone and install
git clone https://github.com/sgrastar/authrim.git
cd authrim && pnpm install

# 2. Setup (generates keys, configures local environment)
./scripts/setup-keys.sh
./scripts/setup-local-wrangler.sh
./scripts/setup-kv.sh --env=dev
./scripts/setup-d1.sh

# 3. Run locally
pnpm run dev
# → http://localhost:8787/.well-known/openid-configuration

📚 Full guides: Development | Deployment | Testing | Setup CLI
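Once pnpm run dev is serving the discovery document, an RP should check what the OP advertises before trusting it. The TypeScript below is an added example, not Authrim's own code; the endpoint paths in SAMPLE_DISCOVERY are constructed placeholders, not Authrim's real routes. It checks the issuer for an exact match (the check that blocks IdP mix-up), requires https endpoints (plain http only for localhost, as in the dev server above), requires PKCE S256, flags alg "none" and the "plain" PKCE method, and lists the hardening features (PAR, DPoP, introspection, revocation, pairwise subjects) that the feature table further down says Authrim implements.

```typescript
// Added example (not Authrim project code): sanity-check the discovery document an
// OpenID Provider publishes at <issuer>/.well-known/openid-configuration before an RP
// trusts it. Field names are the standard ones from OpenID Connect Discovery 1.0,
// RFC 8414, RFC 7636 (PKCE), RFC 9126 (PAR) and RFC 9449 (DPoP).

type Discovery = Record<string, unknown>;

export interface DiscoveryReport {
  errors: string[];       // blockers: do not use this OP until fixed
  warnings: string[];     // legal but weak settings the RP should know about
  capabilities: string[]; // hardening features the OP advertises
}

function strings(v: unknown): string[] {
  return Array.isArray(v) ? v.filter((x): x is string => typeof x === "string") : [];
}

// https everywhere; plain http only for localhost, matching the Quick Start dev server.
function isAcceptableUrl(u: unknown): u is string {
  if (typeof u !== "string") return false;
  try {
    const { protocol, hostname } = new URL(u);
    return protocol === "https:" || (protocol === "http:" && hostname === "localhost");
  } catch {
    return false;
  }
}

export function checkDiscovery(expectedIssuer: string, doc: Discovery): DiscoveryReport {
  const r: DiscoveryReport = { errors: [], warnings: [], capabilities: [] };

  // Discovery 1.0 §4.3: the issuer value must be byte-identical to the URL the document
  // was fetched from (minus the well-known suffix). Checking it defeats IdP mix-up.
  if (doc.issuer !== expectedIssuer) {
    r.errors.push(`issuer "${String(doc.issuer)}" does not match expected "${expectedIssuer}"`);
  }

  for (const ep of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    if (!isAcceptableUrl(doc[ep])) r.errors.push(`${ep} is missing or not an https URL`);
  }

  // A key set hosted on another origin is permitted by the spec but widens the trust boundary.
  if (isAcceptableUrl(doc.jwks_uri) && isAcceptableUrl(doc.issuer) &&
      new URL(doc.jwks_uri).origin !== new URL(doc.issuer).origin) {
    r.warnings.push("jwks_uri is served from a different origin than the issuer");
  }

  const idAlgs = strings(doc.id_token_signing_alg_values_supported);
  if (idAlgs.length === 0) r.errors.push("id_token_signing_alg_values_supported is missing");
  if (idAlgs.includes("none")) r.warnings.push('alg "none" is offered for ID tokens; the RP must never accept it');

  const pkce = strings(doc.code_challenge_methods_supported);
  if (!pkce.includes("S256")) r.errors.push("PKCE method S256 is not advertised");
  else if (pkce.includes("plain")) r.warnings.push('PKCE "plain" is also accepted; always send S256');

  if (!strings(doc.response_types_supported).includes("code")) {
    r.errors.push('response_types_supported does not include "code"');
  }

  if (isAcceptableUrl(doc.pushed_authorization_request_endpoint)) r.capabilities.push("PAR (RFC 9126)");
  if (doc.require_pushed_authorization_requests === true) r.capabilities.push("PAR required for all clients");
  if (strings(doc.dpop_signing_alg_values_supported).length > 0) r.capabilities.push("DPoP (RFC 9449)");
  if (isAcceptableUrl(doc.introspection_endpoint)) r.capabilities.push("Token introspection (RFC 7662)");
  if (isAcceptableUrl(doc.revocation_endpoint)) r.capabilities.push("Token revocation (RFC 7009)");
  if (strings(doc.subject_types_supported).includes("pairwise")) r.capabilities.push("Pairwise subject identifiers");

  return r;
}

// Constructed sample for offline use; NOT a document captured from a running Authrim instance,
// and the endpoint paths are placeholders rather than Authrim's real routes.
export const SAMPLE_DISCOVERY: Discovery = {
  issuer: "http://localhost:8787",
  authorization_endpoint: "http://localhost:8787/authorize",
  token_endpoint: "http://localhost:8787/token",
  jwks_uri: "http://localhost:8787/.well-known/jwks.json",
  introspection_endpoint: "http://localhost:8787/introspect",
  revocation_endpoint: "http://localhost:8787/revoke",
  pushed_authorization_request_endpoint: "http://localhost:8787/par",
  response_types_supported: ["code", "id_token", "code id_token"],
  subject_types_supported: ["public", "pairwise"],
  id_token_signing_alg_values_supported: ["RS256", "ES256"],
  code_challenge_methods_supported: ["S256"],
  dpop_signing_alg_values_supported: ["ES256"],
};

// Against a live OP, replace SAMPLE_DISCOVERY with:
//   await (await fetch(`${issuer}/.well-known/openid-configuration`)).json()
export function runExample(): DiscoveryReport {
  return checkDiscovery("http://localhost:8787", SAMPLE_DISCOVERY);
}
```

The issuer comparison is deliberately an exact string match with no trailing-slash normalization: the RP passes the issuer it configured, and anything else means the document belongs to a different OP or a proxy is rewriting it.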

Performance

K6 Cloud distributed load testing (December 2025) showed zero-error operation across all endpoints within capacity limits.

Token operations sustain 2,500–3,500 RPS, full 5-step OAuth login flows handle 150 logins/sec (P95 756 ms), and token validation stayed 100% accurate under peak load.

CPU time per request stays constant at 1–4 ms under load; the tests confirm that horizontal scaling via Durable Object sharding is the strategy that adds capacity.

Authrim scales horizontally by design. In practice, capacity is increased by adjusting a single scaling parameter, globally, without migrations or downtime.

View detailed reports

Approximate Cloudflare Cost (Reference Only)

⚠️ The following table is a rough reference only.
Actual costs depend on request volume, CPU time, and usage of KV / D1 / R2.

| Product Scale | Users (Total) | Est. CF Cost | Notes |
| --- | --- | --- | --- |
| Side project / Portfolio | ~1K | Free | Workers Free tier (limited requests) |
| Internal tool / Small community | ~10K | ~$5/mo | Paid plan base |
| Startup SaaS / Small e-commerce | ~50K | ~$5–15/mo | Light API usage |
| Growing B2B SaaS | ~100K | ~$15–30/mo | Moderate auth traffic |
| Mid-size consumer app | ~500K | ~$30–60/mo | KV/DO costs accumulate |
| Enterprise SaaS | ~1M | ~$60–120/mo | Cached / sharded |
| High-traffic consumer service | ~5M | ~$150–300/mo | Heavy auth traffic |
| Large-scale platform | ~10M | ~$300–600/mo | 150 login/sec tested |

Assumptions

  • Workers Paid plan ($5/month)
  • Optimized request patterns (caching, batching)
  • Typical authentication flows (OIDC, token refresh)
  • Excludes large R2 storage and excessive KV/D1 writes
  • Assumes ~20% DAU with weekly logins
  • Authrim scales primarily with requests and CPU time, not with user count

Verified by Load Testing (Dec 2025)

| Metric | Value | Cost (share of total) |
| --- | --- | --- |
| Workers Requests | 18M/month | $5.70 (7%) |
| KV Reads | 78M/month | $39.00 (44%) |
| DO Requests + Duration | 64M/month | $22.10 (25%) |
| D1 Writes | 6.8M rows | $7.00 (8%) |
| Base fee | | $5.00 (6%) |
| Total (excl. tax) | ≈ 5M users equiv. | $79.78 |

The five itemized lines sum to $78.80; the remaining $0.98 of the total is not itemized on this page.

Request-to-User conversion:

  • 1 OIDC login ≈ 4 requests (authorize → token → userinfo → discovery)
  • 18M requests ≈ 4.5M logins/month
  • With 20% DAU and weekly login assumption → ~5M total users equivalent

Infrastructure cost only (self-hosted). No vendor fees. See Cloudflare pricing for details.


Current Status

| Phase | Name | Timeline | Status |
| --- | --- | --- | --- |
| 1-5 | Foundation, Core API, UI/UX | 2025-11 | ✅ Complete |
| 6 | Enterprise Features | 2025-12 | ✅ Complete |
| 7 | Identity Hub Foundation | 2025-12 | ✅ Complete |
| 8 | Unified Policy Integration | 2025-12 | ✅ Complete |
| 9 | Advanced Identity (VC/DID) | 2025-12 | ✅ Complete |
| 10 | SDK & API | 2025-Q4 | 🔜 Planned |
| 11 | Security & QA | 2025-Q4 | ⏳ ~30% |
| 12 | Certification & Release | 2026-Q1 | 🔜 Final |

View detailed roadmap


Technical Stack

Backend (API)

| Layer | Technology | Version | Purpose |
| --- | --- | --- | --- |
| Runtime | Cloudflare Workers | - | Global edge deployment |
| Framework | Hono | 4.x | Fast, lightweight web framework |
| Build | Turborepo + pnpm | 9.x | Monorepo, parallel builds, caching |
| Storage | KV / D1 / Durable Objects | - | Flexible data persistence |
| Crypto | JOSE | 6.x | JWT/JWS/JWE/JWK (RS256, ES256) |
| WebAuthn | SimpleWebAuthn | 13.x | Passkey authentication |
| SAML | xmldom + pako | - | SAML 2.0 XML processing |
| Email | Resend | 6.x | Magic Link, OTP delivery |
| Testing | Vitest | 2.x | Unit & integration tests |

Frontend (UI)

| Layer | Technology | Version | Purpose |
| --- | --- | --- | --- |
| Framework | SvelteKit + Svelte | 2.x / 5.x | Modern reactive framework |
| Deployment | Cloudflare Pages | - | Global CDN |
| CSS | UnoCSS | 66.x | Utility-first CSS |
| Components | Melt UI | 0.86.x | Headless, accessible |
| i18n | typesafe-i18n | 5.x | Type-safe internationalization |
| WebAuthn | SimpleWebAuthn Browser | 13.x | Client-side passkey support |
| Testing | Vitest + Testing Library | 4.x | Component & E2E tests |

Features

| Feature | Status | Test Result / Note |
| --- | --- | --- |
| OpenID Provider | | |
| Basic OP | ✅ Done | View Result |
| Implicit OP | ✅ Done | View Result |
| Hybrid OP | ✅ Done | View Result |
| Config OP (Discovery / JWKS) | ✅ Done | View Result |
| Dynamic OP | ✅ Done | code; id_token; id_token token; code id_token; code token; code id_token token |
| Form Post OP | ✅ Done | Basic, Implicit, Hybrid |
| 3rd Party-Init OP | ✅ Done | code; id_token; id_token token; code id_token; code token; code id_token token |
| Authorization Code Flow + PKCE | ✅ Done | |
| OpenID Provider Logout Profiles | | |
| RP-Initiated OP | ✅ Done | code; id_token; id_token token; code id_token; code token; code id_token token |
| Session OP | ✅ Done | code; id_token; id_token token; code id_token; code token; code id_token token |
| Front-Channel OP | ✅ Done | code; id_token; id_token token; code id_token; code token; code id_token token |
| Back-Channel OP | ✅ Done | code; id_token; id_token token; code id_token; code token; code id_token token |
| OpenID Relying Parties | | |
| Basic RP | ✅ Done | |
| Config RP (Discovery / JWKS) | ✅ Done | |
| Form Post RP | ✅ Done | |
| Front-Channel RP | Not Supported | |
| Hybrid RP | Not Supported | |
| Dynamic RP | Not Supported | |
| 3rd Party-Init RP | Not Supported | |
| OpenID Relying Parties Logout Profiles | | |
| Back-Channel RP | ✅ Done | |
| RP-Initiated RP | Not Supported | |
| Session RP | Not Supported | |
| Front-Channel RP | Not Supported | |
| Advanced Security | | |
| PAR (RFC 9126) | ✅ Done | |
| DPoP (RFC 9449) | ✅ Done | |
| JAR (RFC 9101) | ✅ Done | |
| JARM | ✅ Done | |
| JWE (RFC 7516) | ✅ Done | |
| Pairwise Subject Identifiers | ✅ Done | |
| NIST SP 800-63-4 (AAL/FAL/IAL) | ✅ Done | Assurance Levels |
| Token Management | | |
| JWT Signing (RS256) + Key Rotation | ✅ Done | |
| Refresh Token Rotation | ✅ Done | |
| Token Introspection (RFC 7662) | ✅ Done | |
| Token Revocation (RFC 7009) | ✅ Done | |
| Token Exchange (RFC 8693) | ✅ Done | |
| ID-JAG (draft-ietf-oauth-identity-assertion-authz-grant) | ✅ Done | AI agent authorization |
| Client Credentials (RFC 6749 §4.4) | ✅ Done | |
| Dynamic Client Registration (RFC 7591) | ✅ Done | |
| Authentication | | |
| WebAuthn / Passkey | ✅ Done | |
| Email OTP | ✅ Done | |
| Device Flow (RFC 8628) | ✅ Done | |
| CIBA | ✅ Done | |
| JWT Bearer (RFC 7523) | ✅ Done | |
| Identity Hub | | |
| Social Login (7 providers) | ✅ Done | |
| Identity Linking | ✅ Done | |
| PII/Non-PII Separation | ✅ Done | |
| Authorization | | |
| RBAC / ABAC / ReBAC | ✅ Done | |
| Real-time Check API | ✅ Done | |
| WebSocket Push | ✅ Done | |
| Verifiable Credentials | | |
| OpenID4VP | ✅ Done | |
| OpenID4VCI | ✅ Done | |
| DID (did:web, did:key) | ✅ Done | |
| Enterprise | | |
| SCIM 2.0 (RFC 7643/7644) | ✅ Done | |
| SAML 2.0 IdP/SP | ✅ Done | |
| Admin Dashboard | ✅ Done | |
| Multi-language (EN/JA) | ✅ Done | |
| Tooling | | |
| Setup CLI (@authrim/setup) | ✅ Done | Documentation |
| Roadmap | | |
| WebSDK | Planned | |
| Not Supported | | |
| mTLS (RFC 8705) | Not Supported | |
| AD / LDAP | Not Supported | |

Note: All "Done" features are implemented and have unit tests. Integration testing and OpenID conformance certification are in progress.

Not Supported: mTLS client-certificate-bound tokens (RFC 8705) are not available because TLS is terminated at Cloudflare's edge rather than inside the Worker. AD/LDAP requires raw LDAP(S) TCP connections to a directory server, which Authrim does not support on the Workers runtime. Use SAML/OIDC federation or SCIM provisioning as alternatives.
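The "Authorization Code Flow + PKCE" row above covers the one flow every RP should use. As an added example, not Authrim's code, here are both halves of that flow in TypeScript with node:crypto: the RP derives the S256 challenge and builds the authorization request; the OP side shows what a token endpoint must verify before exchanging the code (single use, client_id and redirect_uri binding, expiry, constant-time verifier check, refusal of the "plain" method). The in-memory code store, the endpoint path and the client values are assumptions for the example, not Authrim's implementation.

```typescript
// Added example (not Authrim project code): both halves of Authorization Code Flow + PKCE
// (RFC 7636) with node:crypto. The RP half derives the S256 challenge; the OP half shows the
// checks a token endpoint must make before exchanging the code.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const b64url = (buf: Buffer): string => buf.toString("base64url");

// --- RP side -------------------------------------------------------------------------

// 32 random bytes encode to 43 unreserved chars, the minimum RFC 7636 §4.1 allows (max 128).
export function newCodeVerifier(): string {
  return b64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 §4.2.
export function codeChallengeS256(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

export interface AuthorizeParams {
  clientId: string;
  redirectUri: string;
  scope: string;
  codeVerifier: string;
  state: string; // CSRF binding for the redirect back to the RP
  nonce: string; // echoed in the ID token; replay protection
}

export function buildAuthorizeUrl(authorizationEndpoint: string, p: AuthorizeParams): string {
  const u = new URL(authorizationEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", p.clientId);
  u.searchParams.set("redirect_uri", p.redirectUri);
  u.searchParams.set("scope", p.scope);
  u.searchParams.set("state", p.state);
  u.searchParams.set("nonce", p.nonce);
  u.searchParams.set("code_challenge", codeChallengeS256(p.codeVerifier));
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// --- OP side -------------------------------------------------------------------------

const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Recompute the challenge and compare in constant time. "plain" is refused outright rather
// than supported: a verifier equal to its challenge is a downgrade target.
export function verifyPkce(storedChallenge: string, storedMethod: string, verifier: unknown): boolean {
  if (storedMethod !== "S256") return false;
  if (typeof verifier !== "string" || !VERIFIER_RE.test(verifier)) return false;
  const expected = Buffer.from(storedChallenge, "ascii");
  const actual = Buffer.from(codeChallengeS256(verifier), "ascii");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

interface CodeRecord {
  clientId: string;
  redirectUri: string;
  codeChallenge: string;
  codeChallengeMethod: string;
  expiresAt: number;
}

// Minimal in-memory stand-in for whatever the OP persists codes in. This store is an
// assumption for the example; it is not how Authrim stores codes.
export class AuthorizationCodeStore {
  private codes = new Map<string, CodeRecord>();
  private ttlMs: number;
  private now: () => number;

  constructor(ttlMs = 60_000, now: () => number = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
  }

  issue(rec: Omit<CodeRecord, "expiresAt">): string {
    const code = b64url(randomBytes(32));
    this.codes.set(code, { ...rec, expiresAt: this.now() + this.ttlMs });
    return code;
  }

  // Codes are single-use: the record is deleted before any check runs, so a replay or a
  // failed attempt burns the code (RFC 6749 §4.1.2). client_id and redirect_uri must match
  // the authorization request (§4.1.3); only then is the PKCE verifier checked.
  redeem(code: string, clientId: string, redirectUri: string, codeVerifier: unknown): boolean {
    const rec = this.codes.get(code);
    this.codes.delete(code);
    if (!rec || rec.expiresAt <= this.now()) return false;
    if (rec.clientId !== clientId || rec.redirectUri !== redirectUri) return false;
    return verifyPkce(rec.codeChallenge, rec.codeChallengeMethod, codeVerifier);
  }
}
```

Deleting the record before validating is deliberate: an attacker who has intercepted a code and guesses a verifier gets exactly one attempt, and a legitimate client that redeems the same code twice is told to restart the flow, which is the behaviour RFC 6749 requires.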


Contributing

Authrim is open source under Apache 2.0, currently maintained by a single author.


License

Apache License 2.0 © 2025 Yuta Hoshina

See LICENSE for details.



Authrim: Identity & Access at the edge of everywhere

Status: Phase 6 ✅ | Phase 7 ✅ | Phase 8 ✅ | Phase 9 ✅ | Phase 10 🚧 | Phase 11 ~30%

From zero to production-ready Identity & Access Platform in under 5 minutes.

npx @authrim/setup

About

✨ Authrim — OpenID Certified™ open-source edge-native OIDC Provider for modern serverless runtimes
