Anvil Connect

We're building a modern authorization server to authenticate your users and protect your APIs.

Simplified Security

• Share user accounts between multiple apps and services with Single Sign-On (shared sessions)
• Issue signed JSON Web Tokens to protect your APIs
• Be a federated identity provider with OpenID Connect
• Enable third-party developers using two- and three-legged OAuth 2.0

Flexible User Authentication

• Use local passwords, OAuth 1.0, OAuth 2.0, OpenID, SAML 2.0, LDAP, Active Directory, and more
• Works out of the box with Google, Facebook, Twitter, GitHub, and a growing list of providers
• Custom schemes using virtually any existing Passport.js strategy or your own code

Make it yours

• Brand the interface with your own design
• Use middleware hooks for domain specific implementations
• Keep your changes under version control without forking

Standard, Interoperable, and Open Source

• Language and platform agnostic
• Implements widely accepted, well-understood protocols
• MIT license

Getting Started

• Getting started guide
• Documentation
• References

Development

We are a growing community of contributors of all kinds, join us!

Chat on Gitter or Slack

Come say hello on Gitter or Slack! We love talking shop with Anvil Connect users :)

Weekly Community Meetings

Every Thursday at 9AM PDT / 12PM EDT / 4PM GMT we get together to map out the future of the project, talk through specs, review code, and help each other ship. You're welcome to join in.

Pair Programming

We often pair on more challening or new code, hop into Gitter or Slack and join us, or request your own session.

Need more engagement?

Support and consulting also available, contact us via the website or by email

Status

• Used in production since July 2014
• Active development as of March 2015

MIT License

Copyright (c) 2015 Anvil Research, Inc.

Change Log

0.1.59 (2016-01-09)

Full Changelog

Implemented enhancements:

• Reuse previous user consent when reauthorizing a third party client #26

Fixed bugs:

• connect-redis - ERR wrong number of arguments for 'set' command #298

Closed issues:

• Will you accept a PR updating the Dependencies? #300
• Getting connect up and running on OS X #294
• npm install on OS X with node 0.12 failing #287
• Coverage data for the Travis build? #274

Merged pull requests:

• Extract ensureWritableDirectory to fs-utils #308 (bauglir)
• Return array of strings from authorizedScope #307 (bauglir)
• Add endpoints for manipulating client roles #306 (bauglir)
• Ensure writable logs folder on boot #305 (bauglir)
• UserInfo update #303 (christiansmith)
• udpate dependencies #301 (nelsonic)
• feat(authorize): reuse existing consent with third party client #299 (EternalDeiwos)
• Specifying 'query' response_mode still resulted in fragmented (#) response. #297 (tonyevans)
• eslint to ignore public vendor scripts. #295 (henrjk)
• Improve coveralls in travis build #293 (henrjk)
• Add coveralls.io to build #290 (christiansmith)
• feat(logger): replace bucker with bunyan #282 (anth1y)

0.1.58 (2015-10-22)

Full Changelog

0.1.57 (2015-10-21)

Full Changelog

Implemented enhancements:

• Expose coverage script as an npm script #272
• Node version check #235
• SAML Protocol #137
• Split CLI to separate repo and communicate w/server via REST API #44
• Use Travis CI #247 (vsimonian)
• Implement SAML 2.0 protocol support #245 (vsimonian)

Fixed bugs:

• Make from field validation regex more flexible #255 (vsimonian)

Closed issues:

• Issuer Config - response_modes_supported is empty array #264
• Issuer Config - response_types_supported includes none #263
• Ready for production? #261
• Suggestion: mention the use of git in the readme for dependencies #234

Merged pull requests:

• Remove nv binary reference #279 (bauglir)
• refactor(cli): nuke deprecated CLI #278 (christiansmith)
• Adding coverage script to package.json #273 (EternalDeiwos)
• adding coverage to gitignore #271 (henrjk)
• adding basic coverage for istanbul #270 (henrjk)
• Repair broken this reference in authorizedScope() #269 (christiansmith)
• Include sub claim in userinfo response #267 (christiansmith)
• Update anvil-connect-jwt dependency #262 (christiansmith)
• Add jti claim to Client Token #250 (christiansmith)
• Requesting claims using scope values #248 (christiansmith)
• Create separate section for code style guidelines #243 (vsimonian)
• Migrations #240 (christiansmith)
• Link to getting started guide in connect-docs #239 (vsimonian)
• Added Bountysource link and text #238 (Cynfusion)
• Remove unused dependencies #237 (vsimonian)
• Added version check to server.js #236 (msamblanet)

0.1.56 (2015-09-17)

Full Changelog

Implemented enhancements:

• SSL and secure cookies in production #90

Merged pull requests:

• Use anvil-connect-keys package #229 (christiansmith)
• Change type of client "trusted" property to boolean #228 (christiansmith)

0.1.55 (2015-09-10)

Full Changelog

Implemented enhancements:

• Improve error-handling and display #224 (vsimonian)
• Create first time setup endpoint #223 (vsimonian)

Fixed bugs:

• Fix tests for error-handling middleware #226 (vsimonian)

Closed issues:

• Strip leading/trailing whitespace from JSON inputs. #220

Merged pull requests:

• Namespace user-by-provider index #227 (vsimonian)
• Use Modinha trim property for client redirect_uris #225 (vsimonian)
• Trim whitespace around redirect URIs #221 (vsimonian)
• Use GitHub Changelog Generator #219 (vsimonian)

0.1.54 (2015-09-04)

Full Changelog

Implemented enhancements:

• Enforce client grant_types #96
• Enforce client response_types #95

Fixed bugs:

• Fix handling of optional options parameter in Passport shim #218 (vsimonian)

Merged pull requests:

• Enforce client grant_types and response_types #217 (vsimonian)

0.1.53 (2015-09-03)

Full Changelog

Implemented enhancements:

• Validate client does not use both jwks and jwks\_uri #98
• Validate client application_type #97
• Support response_type "none" #55
• Validate client application_type #214 (vsimonian)
• Validate that jwks and jwks_uri are not used together #212 (vsimonian)
• Support none response_type and fix response_type handling #211 (vsimonian)

Fixed bugs:

• Always verify redirect_uri before issuing redirect #216 (vsimonian)
• Validate new redirect_uris instead of original values #215 (vsimonian)
• Support none response\type and fix response\type handling #211 (vsimonian)

Merged pull requests:

• Use lx-valid validation hooks for jwks and jwks_uri #213 (vsimonian)

0.1.52 (2015-09-01)

Full Changelog

Fixed bugs:

• Guard against undefined sessions #209 (vsimonian)

0.1.51 (2015-08-31)

Full Changelog

Implemented enhancements:

• Rename key pair files #200
• Make "daysToCrack" password strength property configurable from password provider #189
• Key pair generation #187
• E-mail verification token TTL should be configurable #175
• OIDC Sessions #138
• Separate key pairs for signing and encryption #5
• feat(email): configurable email verification token ttl #206 (christiansmith)
• feat(boot): generate token-signing keypair if missing on boot #197 (christiansmith)

Fixed bugs:

• Allow overriding provider-specific amr and refresh_userinfo options with falsy values #191
• Enable email templates to be overridden #190
• Stub client reg type setting for client reg tests #201 (vsimonian)
• fix(oidc): set amr values consistently #195 (christiansmith)
• Allow overriding amr and refresh_userinfo values with falsy values #194 (vsimonian)
• Allow e-mail templates to be overridden #193 (vsimonian)

Closed issues:

• De-nest config/keys directory #198
• Eliminate repetitive code in signin, signup, and signout #143

Merged pull requests:

• Remove passport dependency #205 (vsimonian)
• Rename RSA key pair files and add separate encryption key pair #204 (christiansmith)
• refactor(keys): de-nest config/keys directory #199 (christiansmith)
• feat(settings): configurable "daysToCrack" for password provider #196 (christiansmith)

0.1.50 (2015-08-23)

Full Changelog

Implemented enhancements:

• sentinel support and ioredis #125
• Code Conventions, Formatters, and Linting #116
• Use ioredis #188 (vsimonian)

Merged pull requests:

• Use Javascript Standard Style #184 (vsimonian)

0.1.49 (2015-08-21)

Full Changelog

Implemented enhancements:

• Configurable refresh of user claims upon call to userinfo #181
• Support amr claim. #136
• Password reset #20

0.1.48 (2015-08-20)

Full Changelog

0.1.47 (2015-08-18)

Full Changelog

Implemented enhancements:

• Use built in views unless project directory contains custom views #165
• Allow views to be overridden individually. #179 (christiansmith)

Fixed bugs:

• Fix intermittently failing tests #178 (vsimonian)

0.1.46 (2015-08-18)

Full Changelog

Implemented enhancements:

• Create mechanism for generic expiring tokens #168
• E-mail verification tokens should expire #167
• Support expiring, single-use tokens #171 (vsimonian)

Fixed bugs:

• Ensure database always has default entries #172 (vsimonian)

Merged pull requests:

• Refactor email verification to use new OneTimeToken model #174 (christiansmith)
• Fix one time token #173 (vsimonian)

0.1.45 (2015-08-14)

Full Changelog

Fixed bugs:

• Set jwks to array of keys instead of single object #161 (vsimonian)

0.1.44 (2015-08-14)

Full Changelog

Merged pull requests:

• Use pem-jwk instead of ursa to convert public key to JWK #156 (vsimonian)

0.1.43 (2015-08-12)

Full Changelog

Implemented enhancements:

• Boot time database init to deprecate nv migrate #128
• Containerized Deployment #121
• LDAP protocol #120
• Throw error for unreachable Redis instance #39
• E-mail verification #21
• Add LDAP support #144 (vsimonian)
• Initialize database during boot. #142 (christiansmith)
• E-mail verification support #123 (vsimonian)

Closed issues:

• Slack vs. Gitter #122
• Standard OAuth2 protocol require error #74
• cli help #34

Merged pull requests:

• Support OIDC amr claim in id_tokens #141 (christiansmith)
• Reject auth requests with mismatching referrer #135 (vsimonian)
• Clarified setup instructions #134 (Cynfusion)
• style and content revisions #133 (Cynfusion)
• Updates to content and style of ReadMe #132 (Cynfusion)
• Add error message for invalid providers during sign-in #117 (vsimonian)

0.1.42 (2015-07-01)

Full Changelog

Merged pull requests:

• Various bugfixes and style adjustments #110 (vsimonian)
• Fix callback function name #109 (vsimonian)
• Update to match express v4 API #108 (vsimonian)
• Add Active Directory support #107 (vsimonian)
• fix(routes): Pass next to passport.authenticate #106 (vsimonian)
• feat(fields): Generate sign in form for providers with defined fields #105 (vsimonian)
• Add provider templating for boot-time inheritance #104 (vsimonian)

0.1.41 (2015-06-29)

Full Changelog

Implemented enhancements:

• Error display for nv init deployment and other commands #31
• Make password signin optional #25

Closed issues:

• Reduce/minimize size of dependencies #72
• Throw error for malformed JSON in config file #38

Merged pull requests:

• Update to match express v4 API #103 (vsimonian)
• Fix broken git URL #101 (vsimonian)

0.1.40 (2015-06-20)

Full Changelog

0.1.39 (2015-06-09)

Full Changelog

Implemented enhancements:

• Generating a CHANGELOG #66

Closed issues:

• anvil.io 'docs' link in footer points to anvil.io, docs aren't on the site #94
• Cannot GET / - what to do after installation #93

Merged pull requests:

• Deployment #92 (tomkersten)

0.1.38 (2015-05-19)

Full Changelog

0.1.37 (2015-05-18)

Full Changelog

Closed issues:

• Anvil incompatible with Node 0.12.x #91
• Empty user name after normal registration. #87

Merged pull requests:

• Change the names for form fields "first name" and "last name", to match the mapping in User model. #88 (ovi-tamasan-3pg)
• dev dependencies update #86 (adi-ads)
• don't add password as a icon in views #84 (adi-ads)
• update faker #83 (adi-ads)

0.1.36 (2015-04-20)

Full Changelog

0.1.35 (2015-04-08)

Full Changelog

Merged pull requests:

• Support optional nonce for auth code flow #82 (adi-ads)
• update faker package name to lowercase #81 (adi-ads)

0.1.34 (2015-04-08)

Full Changelog

0.1.33 (2015-04-07)

Full Changelog

0.1.32 (2015-04-07)

Full Changelog

Closed issues:

• Cannot run nv init #77
• Does anvil-connect server work via https? #76

Merged pull requests:

• update modinha version #79 (adi-ads)
• app default config update #78 (adi-ads)

0.1.31 (2015-04-05)

Full Changelog

0.1.30 (2015-04-05)

Full Changelog

0.1.29 (2015-04-02)

Full Changelog

Closed issues:

• nv migrate fails #73

0.1.28 (2015-03-14)

Full Changelog

0.1.27 (2015-03-10)

Full Changelog

Implemented enhancements:

• Authorization flow #1

Fixed bugs:

• Authorization flow #1

Closed issues:

• mongodb support #69
• Storing Provider Auth + UserInfo Responses with Anvil user object #63

Merged pull requests:

• protocol/OpenID.js works against master #71 (nrhope)
• Add a Gitter chat badge to README.md #70 (gitter-badger)
• fix ID Token expiry delta (was undefined so token expired immediately) #60 (nrhope)
• tweaks to get server talking to external Java (mitreid) and passport-openid clients #59 (nrhope)
• Renamed function #58 (tomkersten)

0.1.26 (2014-10-28)

Full Changelog

Implemented enhancements:

• JWK set URI #19

0.1.25 (2014-10-22)

Full Changelog

0.1.24 (2014-10-20)

Full Changelog

Implemented enhancements:

• JWT Access Tokens #15
• Hybrid Authorization Flow #8
• Multiple response types #6

Merged pull requests:

• Fixed revoke argument parsing indice mistake #56 (tomkersten)

0.1.23 (2014-08-04)

Full Changelog

0.1.22 (2014-07-25)

Full Changelog

Closed issues:

• Configurable token expiration #50
• "Requires login" prompt? #45

0.1.21 (2014-06-27)

Full Changelog

0.1.20 (2014-06-27)

Full Changelog

0.1.19 (2014-06-26)

Full Changelog

Merged pull requests:

• Added some basic styling to views #43 (petebot)

0.1.18 (2014-06-19)

Full Changelog

Fixed bugs:

• nv-commands fail without env variables set #41

Closed issues:

• Rewrite nv init db #42

0.1.17 (2014-06-16)

Full Changelog

0.1.16 (2014-06-16)

Full Changelog

0.1.15 (2014-06-12)

Full Changelog

0.1.14 (2014-06-12)

Full Changelog

0.1.13 (2014-06-12)

Full Changelog

0.1.12 (2014-06-12)

Full Changelog

Implemented enhancements:

• Keyfiles #2

0.1.11 (2014-06-10)

Full Changelog

0.1.10 (2014-06-10)

Full Changelog

0.1.9 (2014-06-09)

Full Changelog

0.1.8 (2014-06-09)

Full Changelog

Implemented enhancements:

• Logging #27

Fixed bugs:

• .gitignore on nv init deployment #29

Closed issues:

• cli usage #33
• cli version #32

0.1.7 (2014-06-04)

Full Changelog

Implemented enhancements:

• Support global install for nv cli #30

0.1.6 (2014-06-04)

Full Changelog

Merged pull requests:

• Add public/.gitkeep so 'public' dir is in repo #28 (tomkersten)

0.1.5 (2014-06-04)

Full Changelog

0.1.4 (2014-06-04)

Full Changelog

0.1.3 (2014-06-03)

Full Changelog

0.1.2 (2014-06-03)

Full Changelog

0.1.1 (2014-06-03)

Full Changelog

Implemented enhancements:

• Node Cluster #17
• Static assets #4
• Project/deployment generator #3

0.1.0 (2014-05-30)

* This Change Log was automatically generated by github_changelog_generator