A long road up to boruta

18 February 2023

From scratch, going through to create a product

A long story unfolded on the way to a product. Starting from zero, I used my skills and knowledge not only to implement but to learn how to build an authorization server. To create a full-blown Identity and Access Management solution, the open source story of boruta began and went from a library to a product. To do so at the best pace, I launched myself as an independent worker; that said, it is still not a living.


See me on GitHub

Starting from zero

Back then, I was working for a consultancy company and had knowledge of APIs and API security. I also wanted to shift my career to Elixir, a functional language embracing that paradigm, and was amazed by the power of Erlang OTP. The best way to learn a language is to build something with it, so I started boruta as a patchwork solution of existing libraries.

It was also a time when I started to read the RFCs from the IETF to get to know the original OAuth 2.0 specification better. As my solution did not meet my needs, I switched to an RFC-first approach and implemented the specification piece by piece.

The open source story of boruta

Once the OAuth 2.0 specification was roughly implemented, I remember someone asking if the hybrid grant from OpenID Connect was implemented. It was not, but I was keen to know more about it and started to also read and implement that specification from the OpenID Foundation. A few weeks later, I had the first real user of the library and working software.

Time passed, and with the will to go on with the product, I came to the Erlang Ecosystem Foundation for advice on working further on it. Their insights led me to pass a certification from the OpenID Foundation, first for the library, so that existing users could benefit from it. A few weeks later, the implementation was certified thanks to a stipend granted to the project by the OpenID Foundation.


My career gave me time to work full-time on the boruta server for a few months, which allowed me to draft a first open beta release under the Apache 2.0 license. One of the first actions to build trust in the server was to also get it certified, something that came with the release.

Along with the library and the server, I also open sourced a client written in TypeScript and an example server that helped to pass the certification. I plan to also open source the documentation, which is a work in progress. I still remember that without the open-source community, I would not have come so far, and I give back by being rigorous in maintaining all those components so that developers are happy using them.

From a library to a product

Once the library was certified, I took the time to build a full-blown product that could act as an Identity and Access Management solution. On top of the core managing authorization business rules, I built a server that can both authorize and authenticate, but also apply access control rules, along with an administration interface that helps to configure the whole.

Figure: boruta components

The authentication part is not covered by the OAuth 2.0 and OpenID Connect specifications, thus, starting from phx.gen.auth, I created an identity provider that came from a full rewrite of the generated files. I applied hexagonal architecture principles to have a modular and evolvable solution. I plan to implement further authentication business rules like Multi-Factor Authentication and other advancements in the field like Self-Sovereign Identity over the long term.

After authorization and authentication, I wanted a means to apply access control rules. The best way to do this is by implementing a gateway that has the abilities of a sidecar to add more than authorization to the requests: the introspection of identity traits of the current user, injected into the requests.

Last, all the aspects of the server are configurable both through a User Interface and through an API that is exposed following OAuth 2.0 authorization rules. Those administration capabilities are meant to be as exhaustive and fine-grained as possible.
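To make the gateway and administration API paragraphs above concrete, here is an added example of the per-request decision such a sidecar makes: validate the bearer token through OAuth 2.0 token introspection (RFC 7662), enforce a required scope, strip any identity headers the client may have supplied, and inject the introspected identity traits for the upstream service. This is illustrative code written for this page, not boruta's own code (boruta is written in Elixir; Python is used here so the example runs stand-alone). The introspection endpoint is replaced by a constructed in-memory table, and the `X-Identity-*` header names, the `admin:clients` scope and the sample tokens are hypothetical.

```python
"""Added example: a minimal gateway/sidecar access-control decision
based on OAuth 2.0 token introspection (RFC 7662). Not boruta's code."""
from dataclasses import dataclass

# Constructed stand-in for the authorization server's introspection endpoint.
# A real sidecar would POST the token to the introspection endpoint instead.
INTROSPECTION_RESPONSES = {
    "tok-admin": {"active": True, "sub": "user-1", "username": "alice",
                  "scope": "openid admin:clients", "exp": 1_700_003_600},
    "tok-user": {"active": True, "sub": "user-2", "username": "bob",
                 "scope": "openid profile", "exp": 1_700_003_600},
    "tok-stale": {"active": True, "sub": "user-3", "username": "carol",
                  "scope": "openid admin:clients", "exp": 1_699_999_000},
    "tok-revoked": {"active": False},
}

# Constructed "current time" so the expiry check is deterministic offline.
NOW = 1_700_000_000


def introspect(token: str) -> dict:
    """RFC 7662: unknown tokens are reported as inactive, never as an error."""
    return INTROSPECTION_RESPONSES.get(token, {"active": False})


@dataclass
class Decision:
    status: int          # 200 = forward upstream, 401/403 = reject at the gateway
    headers: dict        # headers to forward when status == 200


def gate(request_headers: dict, required_scope: str, now: int = NOW) -> Decision:
    """Decide whether a request may reach the upstream service and with which identity headers."""
    # Locate the bearer token (header names are matched case-insensitively).
    auth = next((v for k, v in request_headers.items() if k.lower() == "authorization"), "")
    if not auth.lower().startswith("bearer "):
        return Decision(401, {})
    token = auth[len("bearer "):].strip()

    info = introspect(token)
    # Inactive (revoked, unknown) tokens and expired tokens are rejected.
    if not info.get("active"):
        return Decision(401, {})
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return Decision(401, {})

    # Scope check: the administration API paragraph above relies on this kind of rule.
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return Decision(403, {})

    # Identity traits are injected by the gateway only: drop anything the
    # client sent under the same prefix so it cannot spoof them.
    forwarded = {k: v for k, v in request_headers.items()
                 if not k.lower().startswith("x-identity-")}
    forwarded["X-Identity-Sub"] = info["sub"]
    forwarded["X-Identity-Username"] = info.get("username", "")
    forwarded["X-Identity-Scope"] = " ".join(sorted(granted))
    return Decision(200, forwarded)


if __name__ == "__main__":
    spoofed = {"Authorization": "Bearer tok-admin", "X-Identity-Sub": "someone-else"}
    print(gate(spoofed, "admin:clients"))            # 200, X-Identity-Sub becomes user-1
    print(gate({"Authorization": "Bearer tok-user"}, "admin:clients").status)   # 403
    print(gate({"Authorization": "Bearer tok-stale"}, "openid").status)         # 401
    print(gate({}, "openid").status)                                            # 401
```

The upstream service then trusts the `X-Identity-*` headers only because the gateway is the sole path to it; the header-stripping step is what makes that trust sound.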

Still not a living

With the product born, I wanted to find more time to make it grow and gave working as an independent a try. I was able to offer consulting and delivery services, making it quite a living; that said, living from open source is not an easy path. I am still wondering how to find a business model that would help me earn money in accordance with my values. If you have any clues, just send me a message.

Providing value to the community around the product is something I work on. With a code of conduct inherited from code covenant, I would like to pursue ethical goals like fighting against slavery and forced labour, empowering human rights, or Diversity, Equity and Inclusion. Work in progress.


Thank you for reading me so far.

With care,

Loom videos

On the road, I recorded Loom videos to explain part by part how the server works. Happy watching!

Installation

OAuth clients

Identity providers, backends, and users

(micro) gateway