A long road up to boruta

Pascal Knoth
Jun 10, 2023

From scratch to a product

A long story led up to an identity and access management solution. Starting from zero, I used my skills and knowledge not only to implement an authorization server but to learn how to build one. To turn it into a full-blown product, the open-source story of boruta began and went from a library to a product. To move at the best pace, I launched myself as an independent worker; that said, it is still not a living.

See me on GitHub

Starting from zero

Back then, I was working for a consultancy company and had knowledge about APIs and API security. I also wanted to shift my career to Elixir, a functional language built on that paradigm, and I was amazed by the power of Erlang OTP. The best way to learn a language is to build something with it, so I started boruta as a patchwork of existing libraries.

It was also the time when I started to read the IETF RFCs to get to know the original OAuth 2.0 specification better. Since my solution did not meet my needs, I adopted an RFC-first approach and implemented the specification piece by piece.

The open-source story of boruta

Once the OAuth 2.0 specification was roughly implemented, I remember someone asking whether the hybrid grant from OpenID Connect was implemented. It was not, but I was keen to learn more about it and started to read and implement that specification from the OpenID Foundation as well. A few weeks later, I had the first real user of the library and working software.

Time passed, and with the will to carry the product forward, I went to the Erlang Ecosystem Foundation for advice on how to work further on it. Their insights led me to pursue certification from the OpenID Foundation, first for the library, so that existing users could benefit from it. A few weeks later, the implementation was certified thanks to a stipend granted to the project by the OpenID Foundation.

My career gave me time to work full-time on the boruta server for a few months, which allowed me to draft a first open beta release under the Apache 2.0 license. One of the first actions to build trust in the server was to get it certified as well, something that came with the release.

Along with the library and the server, I also open-sourced a client written in TypeScript and an example server that helped to pass the certification. I plan to open source the documentation too, which is a work in progress. I still remember that without the open-source community I would not have come so far, and I give back by being rigorous in the maintenance of all those components so that developers are happy using them.

From a library to a product

Once the library was certified, I took the time to build a full-blown product that could act as an Identity and Access Management solution. On top of the core that manages authorization business rules, I built a server that can both authorize and authenticate but also apply access control rules, along with an administration interface that helps to configure the whole.

The authentication part is not covered by the OAuth 2.0 and OpenID Connect specifications, so, starting from phx.gen.auth, I created an identity provider that came from a full rewrite of the generated files. I applied hexagonal architecture principles to get a modular and evolvable solution. Over the long term, I plan to implement further authentication business rules like Multi-Factor Authentication and other advancements in the field like Self-Sovereign Identity.

After authorization and authentication, I wanted a means to apply access control rules. The best way to do this is by implementing a gateway with the abilities of a sidecar, which adds more than authorization to the requests: the identity traits of the current user, obtained through introspection, are attached to them as well.
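As an added example that is not boruta's own code, here is how such a gateway step can look as an Elixir Plug: it asks the authorization server whether the bearer token is active (the RFC 7662 introspection response shape), enforces a required scope, strips any identity headers a client may have sent itself, and forwards the user's identity traits to the upstream service as request headers. The module name `IdentityGateway`, the `:introspect` and `:required_scope` options, the header names and the sample token are all assumptions; the introspection call is injected as a function so the snippet runs offline against a constructed response.

```elixir
# Added example, not boruta's own code. Assumed names: IdentityGateway,
# :introspect, :required_scope, x-user-id / x-scopes / x-client-id headers.
defmodule IdentityGateway do
  @behaviour Plug
  import Plug.Conn

  # Only these introspection claims are forwarded upstream; the raw token and
  # the full introspection response never leave the gateway.
  @forwarded_claims %{
    "sub" => "x-user-id",
    "scope" => "x-scopes",
    "client_id" => "x-client-id"
  }

  @impl true
  def init(opts) do
    # :introspect is a function token -> {:ok, claims} | {:error, reason},
    # normally a POST to the authorization server's introspection endpoint.
    %{
      introspect: Keyword.fetch!(opts, :introspect),
      required_scope: Keyword.get(opts, :required_scope)
    }
  end

  @impl true
  def call(conn, %{introspect: introspect, required_scope: required_scope}) do
    with {:ok, token} <- bearer_token(conn),
         {:ok, %{"active" => true} = claims} <- introspect.(token),
         :ok <- check_scope(claims, required_scope) do
      conn
      |> delete_req_header("authorization")
      |> put_identity_headers(claims)
    else
      {:error, :insufficient_scope} -> deny(conn, 403, "insufficient_scope")
      _ -> deny(conn, 401, "invalid_token")
    end
  end

  defp bearer_token(conn) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] when byte_size(token) > 0 -> {:ok, token}
      _ -> {:error, :missing_token}
    end
  end

  defp check_scope(_claims, nil), do: :ok

  defp check_scope(claims, required) do
    granted = claims |> Map.get("scope", "") |> String.split(" ", trim: true)
    if required in granted, do: :ok, else: {:error, :insufficient_scope}
  end

  defp put_identity_headers(conn, claims) do
    # Drop any identity headers the caller supplied, so a client cannot spoof
    # a user id that the gateway did not derive from introspection.
    conn =
      Enum.reduce(Map.values(@forwarded_claims), conn, fn header, acc ->
        delete_req_header(acc, header)
      end)

    Enum.reduce(@forwarded_claims, conn, fn {claim, header}, acc ->
      case Map.get(claims, claim) do
        nil -> acc
        value -> put_req_header(acc, header, to_string(value))
      end
    end)
  end

  defp deny(conn, status, error) do
    conn
    |> put_resp_header("www-authenticate", ~s(Bearer error="#{error}"))
    |> send_resp(status, "")
    |> halt()
  end
end

# Usage with a constructed introspection result standing in for the
# authorization server's answer (sample token and claims are made up).
fake_introspect = fn
  "good-token" ->
    {:ok, %{"active" => true, "sub" => "user-42", "scope" => "openid read", "client_id" => "app"}}

  _ ->
    {:ok, %{"active" => false}}
end

opts = IdentityGateway.init(introspect: fake_introspect, required_scope: "read")

conn =
  Plug.Test.conn(:get, "/resource")
  |> Plug.Conn.put_req_header("authorization", "Bearer good-token")
  |> Plug.Conn.put_req_header("x-user-id", "spoofed")

conn = IdentityGateway.call(conn, opts)
# conn now carries x-user-id: user-42 (the spoofed value is gone), x-scopes and
# x-client-id, and the authorization header has been removed before forwarding.
```

Two design choices carry the security weight here: the token never reaches the upstream service, only the traits the gateway chose to derive from it, and inbound copies of those trait headers are deleted before the trusted values are set, since the upstream can only rely on them if nothing but the gateway can write them.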

Last, every aspect of the server is configurable both through a user interface and through an API that is exposed under OAuth 2.0 authorization rules. Those administration capabilities are meant to be as exhaustive and fine-grained as possible.

Still not a living

With the product born, I wanted to find more time to make it grow and gave working as an independent a try. I was able to offer consulting and delivery services, making it quite a living; that said, living from open source is not an easy path. I am still wondering how to find a business model that would help me earn money in accordance with my values. If you have any clues, just send me a message.

Providing value to the community around the product is something I work on. With a code of conduct inherited from code covenant, I would like to pursue ethical goals like fighting slavery and forced labor, empowering human rights, or Diversity, Equity, and Inclusion. Work in progress.

Thank you for reading me so far.

With care,

Note: the original article is available here
