Sontonio - IAM
Delightfully simple web essentials for SMBs
In open development. Not yet ready. Aiming for a basic version by end of January 2024.
# Context
Happy New Year. It's 2024 and open source IAM still sucks for SMBs.
There are four reasons for that. We call them **JECK**.
## JECK, the 4 IAM no-nos
- JSON Web Tokens are used because they feel ergonomic for JavaScript development. However, JWTs are [insecure](https://pragmaticwebsecurity.com/articles/apisecurity/hard-parts-of-jwt.html) for session storage.
- Enterprise-focused features because that's where the big money is.
- Complex to implement because of too many features you don't use and terrible documentation.
- Kludgeware is the final result. The software feels *icky* because if you try to please everyone, you end up delighting no one.
# Why Another IAM Library?
- Existing solutions add far more complexity than the essential problem of a simple SaaS web application requires.
- It's an interesting learning experience. Security is not simple and feedback is welcome. [Disclose vulnerabilities responsibly](https://github.com/KevinFocke/sontonio-iam/security/advisories?state=Triage).
# Security
- [70% of all serious security bugs are memory safety problems.](https://www.chromium.org/Home/chromium-security/memory-safety/) That's why we strictly enforce memory-safe Rust throughout our code.
- Decrease your attack surface by only shipping the features you actually use.
- No features that bring new (un)known risks, e.g. JWT for sessions or [SMS verification](https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/?guccounter=1).
## Core
- Delightfully simple setup & deployment.
- Multi-factor authentication (OTP + Hardware Key)
- Allow users to reset their own passwords.
- Location-based storage (for GDPR).
- Cookie-based session storage.
- Audit log.
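As an added illustration of the cookie-based session storage listed above, and of why the JWT point in JECK matters, here is a minimal server-side session store in Rust. It is example code, not part of Sontonio; the `SessionStore` name and API are assumptions, and the caller must supply the random bytes from a CSPRNG (e.g. /dev/urandom).

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// One server-side session; the cookie carries only the opaque ID that keys it.
struct Session {
    user_id: u64,
    expires_at: Instant,
}

/// Opaque-ID session store (assumed name and API, not Sontonio's own code).
/// All state lives server-side, so a session can be expired or revoked at
/// any moment, which a self-contained JWT cannot offer.
pub struct SessionStore {
    sessions: HashMap<String, Session>,
    ttl: Duration,
}

impl SessionStore {
    pub fn new(ttl: Duration) -> Self {
        SessionStore { sessions: HashMap::new(), ttl }
    }

    /// Creates a session for `user_id`. `random` must be at least 16 bytes from
    /// a CSPRNG (e.g. /dev/urandom); this only hex-encodes it as the session ID.
    pub fn create(&mut self, user_id: u64, random: &[u8]) -> String {
        assert!(random.len() >= 16, "session ID needs >= 128 bits of entropy");
        let id: String = random.iter().map(|b| format!("{:02x}", b)).collect();
        let expires_at = Instant::now() + self.ttl;
        self.sessions.insert(id.clone(), Session { user_id, expires_at });
        id
    }

    /// Resolves a cookie value to a user; unknown and expired IDs are rejected.
    pub fn lookup(&self, id: &str) -> Option<u64> {
        let s = self.sessions.get(id)?;
        if Instant::now() >= s.expires_at { return None; }
        Some(s.user_id)
    }

    /// Logout or forced revocation: the ID stops working immediately.
    pub fn revoke(&mut self, id: &str) -> bool {
        self.sessions.remove(id).is_some()
    }

    /// Set-Cookie value with the attributes a session cookie should carry.
    /// The `__Host-` prefix makes browsers require Secure, Path=/ and no Domain.
    pub fn cookie_header(id: &str) -> String {
        format!("__Host-session={}; Path=/; Secure; HttpOnly; SameSite=Lax", id)
    }
}
```

Because the browser holds only a random ID, nothing about the user is readable or forgeable client-side, and `revoke` gives the immediate logout that a stateless JWT cannot.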
# FAQ
Q: Why no social login?
A: In short, because it's a mess. OAuth (Open Authorization) gets misused as an authentication method, and the responses from OAuth providers lack standardization. OIDC (OpenID Connect) builds on top of OAuth and uses insecure JWT, with the new (un)known risks that brings.
# License
Licensed under [MIT](LICENSE)
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the [License](LICENSE), shall be licensed as above, without any additional terms or conditions.