Self-hosted IAM with Spring Boot 3 microservices. OAuth 2.1, OIDC, PKCE, MFA, RBAC, and multi-realm tenancy — the Keycloak alternative you own completely.
- 11 Microservices
- OAuth 2.1 Standard
- MIT License
- Java 21 Runtime
Deploy anywhere
Choose your stack and have OpenGate running in minutes.
- Docker: Up and running in seconds.
- Docker Compose: Full stack with one compose file.
- Kubernetes / Helm: Helm chart for production clusters.
- Spring Boot: Drop-in Keycloak replacement.
- PostgreSQL: Primary relational datastore.
- HashiCorp Vault: Dynamic secrets & PKI management.
- OAuth 2.1 / OIDC: PKCE, Device Flow, Refresh Token.
- Next.js / React: PKCE login for your SPA.
- Markdown Docs: Full reference documentation.
- Nginx: Reverse-proxy & TLS termination.
- OpenJDK / JAR: Run directly on any JVM 21+ host.
- Kafka Events: Audit & notification streaming.
System design
11 independently deployable microservices.
Everything you need
Identity management as 11 independent microservices.
- OAuth 2.1 / OIDC: Auth Code + PKCE, Client Credentials, Refresh Token, Device Flow.
- Multi-Realm Tenancy: Fully isolated users, roles, clients, and sessions per realm.
- MFA & Passwordless: TOTP, Email OTP, SMS OTP, backup codes.
- RBAC & Groups: Fine-grained roles, composite roles, groups, user-role mappings.
- Event Streaming: Kafka-powered audit events for every authentication action.
- Microservice Native: 11 independent Spring Boot 3 services — scale each separately.
- Full Observability: Prometheus, OpenTelemetry, structured JSON logs, Grafana.
- Spring Auth 1.3: RSA-2048 JWT, JWKS endpoint, issuer discovery, OIDC userinfo.
60-second setup
Run the complete stack with Docker Compose.

```bash
# Clone the repository
git clone https://github.com/MuyleangIng/opengate-iam.git
cd opengate-iam

# Start the full stack (PostgreSQL · Redis · Kafka · 11 services)
docker compose up -d

# Admin Console → http://localhost:3002
# Sample App    → http://localhost:3003
# Auth Endpoint → http://localhost:9080
```
Microservices
Each service is independently deployable, scalable, and observable.
| Service | Port | Responsibility |
|---|---|---|
| opengate-gateway | :9080 | API gateway — routing, CORS, rate limiting |
| opengate-auth-service | :9081 | OAuth2/OIDC authorization server (Spring Auth Server 1.3) |
| opengate-user-service | :9082 | User lifecycle — CRUD, passwords, email verification |
| opengate-realm-service | :9083 | Multi-tenant realm configuration and management |
| opengate-rbac-service | :9084 | Roles, composite roles, groups, and policy evaluation |
| opengate-client-service | :9085 | OAuth2 client registry — secrets, redirect URIs, PKCE |
| opengate-mfa-service | :9086 | TOTP, email/SMS OTP, backup codes, and MFA enrollment |
| opengate-session-service | :9087 | Redis-backed sessions, revocation, and device tracking |
| opengate-notification | :9088 | Email templates via Kafka events and SMTP delivery |
| opengate-admin-api | :9089 | Aggregated admin REST API (WebFlux reactive) |
| opengate-sample-app | :8090 | Demo REST API protected by OpenGate (reference integration) |
Community
Report issues, submit PRs, and shape the future of OpenGate IAM.
- Report a Bug: Found something broken? Open an issue.
- Submit a PR: Contributions are welcome.
- Star on GitHub: Show your support.
- Sponsor this project: OpenGate IAM is built by a solo developer. Your sponsorship keeps the project alive and funds new features.