Skip to content

franzos/forseti

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

76 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Forseti

Forseti

The web UI Ory doesn't ship. Every self-service identity flow for Ory Kratos and Ory Hydra β€” login, registration, recovery, MFA, OAuth2 consent β€” plus an admin console, in a single server-rendered binary.

CI Release OpenSSF Scorecard License: AGPL v3 Container

Ory's engines are excellent, but headless β€” you get APIs, your users need pages. Forseti is the missing frontend: one binary that talks to Kratos (identity) and Hydra (OAuth2/OIDC) and gives your users real screens for every flow, plus an admin surface for operators.

Why Forseti

Because it's backed by software the giants scale with β€” OpenAI self-hosts Ory Hydra to issue tokens for ChatGPT β€” so your auth load rides on the most battle-tested engine in this space, not on Forseti itself. And it doesn't lock you in: Ory is the contract, Forseti is just the face. You can move to Ory Network (their cloud) later, or build your own frontend against the same Kratos and Hydra APIs and swap it in. That makes Forseti a low-risk stepping stone β€” and, since it's fully themeable, a fine permanent answer if it's all you ever need.

Self-service dashboard App template picker Account settings

What you get

πŸ” Every Kratos flow, server-rendered Login, registration, recovery, verification, and the full settings hub β€” profile, password, MFA/TOTP, passkeys, social logins, active sessions.
πŸͺͺ OAuth2 / OIDC bridge Login, consent, and logout screens for Hydra's authorization-code flow β€” turn Forseti into a drop-in OIDC provider for your own apps.
🧩 40+ app templates One-click, pre-filled OAuth2 client setup for popular self-hosted apps (GitLab, Nextcloud, Vaultwarden, Grafana, Immich, …) β€” redirect URIs and per-app OIDC quirks already filled in. Full list β†’
πŸ› οΈ Admin console Manage identities, sessions, and OAuth2 clients; append-only audit log; live status dashboard; dynamic-client-registration tokens.
🏒 Organizations Multi-tenant orgs with members, invites, per-org theming (brand colours, a preset, and an uploaded logo β€” the authenticated app is white-labelled by the active org), and per-org OIDC claims. Each org runs internal (invite-only) or external β€” a public self-serve signup page at /o/{slug} β€” plus optional email-domain auto-join for workforce orgs.
πŸ“Š Observability (licensed) Prometheus /metrics on the internal listener, token-gated: HTTP request counts and latency plus a couple of bridged operational gauges. Setup β†’
🐧 Linux host auth (preview) Back your Linux logins off the identity store: NSS passwd/group + per-user SSH-key distribution, interactive ssh/console login via the OAuth Device Authorization Grant (RFC 8628), and offline passphrase login when the server's unreachable. Setup β†’
🌍 Nine languages UI translated into English, German, French, Spanish, Italian, Portuguese, Russian, Thai, and Arabic (RTL-aware), including Kratos's own error messages. A footer switcher sets the language; otherwise it follows the browser's Accept-Language.
πŸŒ— Light & dark A built-in theme toggle (light / dark / follow-system) across every page.
πŸ›‘οΈ Production-minded CSRF on every form, signed cookies, rate-limited DCR, and an account-deletion webhook saga with retries.

Organization claims over OIDC

Forseti can fold the caller's org membership into the ID token and userinfo, so a connected app does tenant-aware access control without a second API call. Three opt-in scopes cover different needs; grant a client any combination (each still needs the user's consent, and only shows up when requested):

Scope Claim shape Covers Standardized? Reach for it when
groups Flat array of team slugs The active org's teams De-facto (widely implemented) Wiring a third-party app (ArgoCD, Grafana, Harbor, Proxmox, …) that maps a groups claim to its own roles
org One object: active org + your role The active org Forseti-specific An app that only cares about the currently-selected tenant
orgs Array of {id, slug, role, name} Every org you belong to Forseti-specific A multi-tenant app (e.g. Stackpit) that renders an org switcher and enforces per-org roles

groups is the portable path: it's in no RFC, but enough apps read a groups claim that it's become the lingua franca for role mapping, which is why the app templates use it. org/orgs are richer and self-describing (they carry the role explicitly) but only an app written against Forseti's shape can consume them. No off-the-shelf IdP emits orgs, and no generic app reads it.

One thing to keep in mind: groups reflects the active org only, while orgs spans all memberships, so for a multi-tenant app the two can look like they disagree. That's by design, not a bug.

OSS vs commercial

OSS (unlicensed) Commercial (licensed)
Identity portal Full self-service portal, single default org Same, plus named orgs beyond Default
Enterprise SAML SSO Unavailable Per-org connections at /sso/{org-slug}
Linux (POSIX) auth accounts Up to the free seat cap Higher seat cap
Observability Unavailable Prometheus /metrics on the internal listener, token-gated
Health checks, JSON logs Full Full

See Commercial features for the licensing model, the grace period on expiry, and full detail on each feature.

How Forseti compares

Here's the thing: Forseti isn't another from-scratch identity engine. Rauthy, Kanidm, Keycloak and FreeIPA each implement their own protocol stack and their own datastore β€” they are the engine. Forseti is the part Ory never shipped: a server-rendered UI, an admin console, multi-tenant orgs, and governance, sitting in front of Ory Kratos and Ory Hydra β€” engines that are already OpenID-certified and battle-tested in production. So the comparison below is a little apples-to-oranges, and that's rather the point.

Legend: βœ“ built-in Β· ◐ partial / via add-on / consumes-not-serves Β· βœ— no Β· † commercial license

Forseti Rauthy Kanidm Keycloak FreeIPA
What it is UI + governance layer on Ory Standalone OIDC provider Passkey-first IdM Full IAM server Linux/Unix domain IdM
Language Rust (Axum) Rust Rust Java / Quarkus (JVM) C + Python
OIDC / OAuth2 provider βœ“ (Hydra) βœ“ βœ“ βœ“ ◐ inbound only
SAML 2.0 βœ“ † βœ— βœ— βœ“ ◐ via Keycloak
TOTP + passkeys/WebAuthn βœ“ (AAL2-enforced) ◐ passkey-first βœ“ (passkey attestation) βœ“ βœ“ (+ smartcard)
Multi-org / tenancy βœ“ † βœ— βœ— βœ“ realms + orgs βœ—
Upstream IdP brokering / social login βœ“ (Kratos) βœ“ βœ— by design βœ“ ◐ device-grant
LDAP / RADIUS / Unix (POSIX) hosts ◐ POSIX/PAM Β² ◐ PAM/NSS βœ“ ◐ federation βœ“ (core)
Admin console (web) βœ“ βœ“ ◐ CLI-first βœ“ βœ“
End-user self-service UI βœ“ (the whole point) βœ“ βœ“ βœ“ ◐ limited
Datastore SQLite / PostgresΒΉ Embedded (Hiqlite) / Postgres Own embedded DB External RDBMS 389 DS (LDAP)
Footprint Binary + Ory services Single binary (~50 MB) Single binary JVM, ~0.75–2 GB RAM Heavy, Linux/RPM only
License AGPL-3.0 + commercial gate Apache-2.0 MPL-2.0 Apache-2.0 GPLv3
Maturity Young; built on mature Ory Pre-1.0, audited Stable 1.x Very mature (CNCF/Red Hat) Very mature (Red Hat)

ΒΉ Forseti's own data. Kratos and Hydra each bring their own Postgres, so a full deployment runs several services β€” more moving parts than a single-binary Rauthy or Kanidm. † Organizations, SAML SSO, and the Prometheus /metrics endpoint are commercial features; the AGPL core runs as a fully working single tenant. SCIM, SIEM streaming and bulk-admin are on the roadmap, not shipped. Β² Linux host auth (POSIX accounts, NSS, SSH-key distribution, PAM device-auth + offline login) ships as a preview β€” it backs POSIX hosts, but it's not an LDAP/RADIUS/Kerberos directory.

Where Forseti wins. If you've already bet on Ory β€” or you want a certified OAuth2/OIDC engine rather than a bespoke one β€” nothing else gives Kratos and Hydra real screens and an admin console and first-class multi-tenant organizations (members, invites, per-org branding, org/orgs OIDC claims). Rauthy, Kanidm and FreeIPA have no organizations model at all; only Keycloak does, and it costs you a JVM and a couple of gigs of RAM. You also get governance the others don't bundle: an append-only audit log, RFC 7591 dynamic client registration, and an account-deletion webhook saga that emits signed RISC events.

Where it doesn't. Forseti is not a full directory. It now can back Linux logins β€” POSIX accounts, SSH-key distribution, and interactive PAM login for a fleet of hosts (a preview feature) β€” but if you need an LDAP server, RADIUS, or Kerberos, that's still Kanidm or FreeIPA territory, not this. If you want the absolute smallest footprint and a single self-contained binary with no Ory alongside, Rauthy or Kanidm will be lighter to run. And if you need the full enterprise kitchen sink β€” UMA, fine-grained authz, every protocol under one roof β€” Keycloak still does more, at the cost of operating Keycloak. Do take the table with a grain of salt: these projects move, and the facts here are current as of mid-2026.

Quickstart

Prebuilt binaries for x86_64 and aarch64 Linux (glibc) are attached to every release:

# binary + the static/ assets it serves
curl -L -o forseti.tar.gz https://github.com/franzos/forseti/releases/latest/download/forseti-x86_64-unknown-linux-gnu.tar.gz
tar -xzf forseti.tar.gz
cd forseti-x86_64-unknown-linux-gnu
cp config.example.toml config.toml   # then edit it
./forseti

Or pull the container image from the GitHub Container Registry:

podman pull ghcr.io/franzos/forseti:latest
podman run --rm -p 3000:3000 \
  -v ./config.toml:/app/config.toml:ro \
  ghcr.io/franzos/forseti:latest

Both need a reachable Kratos and Hydra β€” see the operator guide. The binary reads ./config.toml (override with FORSETI_CONFIG_PATH) and serves ./static relative to its working directory.

Runtime note: the binary links dynamically against libpq (the Postgres client). On a bare host install libpq5 (Debian/Ubuntu) or libpq (most other distros); the container image already includes it. SQLite is bundled, so it needs nothing extra.

Status

Pre-release / active development. Core flows work end-to-end against the Ory playground; APIs, config, and schema are still moving. Pin a commit if you build on it.

Build from source

# 1. Bring up the playground (Kratos, Hydra, Mailcrab, Postgres)
make stack-up

# 2. Seed a deterministic admin (password + TOTP)
make seed-admin

# 3. Run Forseti (debug build) at :3000
make run

Open http://localhost:3000. Register at /registration, grab the verification email from Mailcrab at http://127.0.0.1:4436, and you're in.

For the full OAuth2 dance β€” register a Hydra client, run an auth-code flow, exchange a token β€” see .claude/skills/ory-up/SKILL.md or the integration guide.

How it fits together

      Browser
         |
         v
+------------------+        admin (server-only)
|     Forseti      | --------------------------------+
|   Rust / Axum    |                                 |
|       :3000      | --+                             |
+------------------+   |                             |
         |             |                             |
         | browser     | browser                     |
         |             |                             v
   +------------+ +------------+             | Kratos admin   |
   |  Kratos    | |   Hydra    |             | Hydra admin    |
   |  public    | |  public    |             | (internal only)|
   +------------+ +------------+             +-----------------+
         |             |
         +------+------+
                |
                v
         +--------------+
         |  Database    |
         | Postgres /   |
         |   SQLite     |
         +--------------+

Documentation

License

Forseti is dual-licensed:

  • AGPL-3.0 for the open-source core (everything outside src/commercial/)
  • Commercial license for paid features in src/commercial/

Built on Ory Kratos and Ory Hydra.


Forseti β€” named for the Norse god of justice and reconciliation.

About

A self-service UI and OAuth2 login/consent/logout bridge for Ory Kratos + Ory Hydra

Topics

Resources

License

AGPL-3.0, Unknown licenses found

Licenses found

AGPL-3.0
LICENSE
Unknown
LICENSE-COMMERCIAL

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Packages

 
 
 

Contributors