
Introduction

OpenGate IAM is a fully open-source, self-hosted Identity & Access Management platform built with Spring Boot 3 microservices and a Next.js 14 Admin Console — inspired by Keycloak and Okta but engineered as true cloud-native microservices.

Production-ready

OpenGate implements OAuth 2.1, OIDC, PKCE, TOTP MFA, RBAC, and multi-tenancy (Realms) out of the box.

What is OpenGate IAM?

OpenGate provides everything you need to secure your applications:

| Capability | Description |
| --- | --- |
| Multi-realm tenancy | Isolate users, roles, and clients per organization |
| OAuth 2.1 / OIDC | authorization_code + PKCE, client_credentials, refresh_token |
| MFA | TOTP (Google Authenticator), email OTP, SMS OTP, backup codes |
| RBAC | Roles, composite roles, groups, user-role mappings |
| Sessions | Redis-backed, configurable TTL, per-device tracking |
| Audit events | Kafka-driven event streaming for all auth events |
| Admin Console | Next.js 14 with real-time stats and management UI |
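The OAuth 2.1 row above names the authorization_code + PKCE grant. The block below is an added example written for this page, not OpenGate's own code: it generates the PKCE pair on the client side, builds the authorization request, and shows the three checks the authorization server must make when the code is redeemed (single use, bound client and redirect URI, S256 challenge match). The endpoint URL, client id and redirect URI are placeholders; OpenGate's real paths are not given on this page, and the in-memory code store stands in for the Redis entries with a TTL that the architecture describes.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder; OpenGate's real authorization endpoint path is not shown on this page.
AUTHORIZE_ENDPOINT = "https://iam.example.com/oauth2/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43 to 128 unreserved characters. 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """The request a SPA or native app sends the user to; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Constructed stand-in for the server side of the grant (OpenGate keeps codes in Redis)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}  # code -> (client_id, redirect_uri, challenge)

    def issue_code(self, client_id: str, redirect_uri: str, challenge: str, method: str) -> str:
        # OAuth 2.1 only allows S256; refusing "plain" stops a downgraded challenge.
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = (client_id, redirect_uri, challenge)
        return code

    def redeem_code(self, code: str, client_id: str, redirect_uri: str, verifier: str) -> bool:
        """Token endpoint check. Returns True only for a fresh code whose verifier hashes to the stored challenge."""
        entry = self._codes.pop(code, None)  # pop makes the code single-use; a replay finds nothing
        if entry is None:
            return False
        stored_client, stored_redirect, stored_challenge = entry
        if client_id != stored_client or redirect_uri != stored_redirect:
            return False
        if not 43 <= len(verifier) <= 128:
            return False
        return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)


def run_flow() -> bool:
    """Walks one complete exchange with placeholder client values; returns True when the code is accepted."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorize_url("spa-client", "https://app.example.com/callback", secrets.token_urlsafe(16), challenge)
    server = AuthorizationServer()
    code = server.issue_code("spa-client", "https://app.example.com/callback", challenge, "S256")
    return "code_challenge_method=S256" in url and server.redeem_code(
        code, "spa-client", "https://app.example.com/callback", verifier)
```

The first assertion worth running is the RFC 7636 Appendix B vector: the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must produce the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`; if it does not, the base64url or hashing step is wrong and every token exchange will fail.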

Platform Architecture

Architecture overview: true microservices, event-driven. The interactive diagram does not survive as text; its contents are listed below layer by layer.

Client layer
  Client applications: browser (SPA), mobile (native app), backend (server-side). All traffic enters over HTTPS on port 443.

Proxy / CDN
  Reverse proxy (Nginx, Traefik or ALB): TLS termination, load balancing, CDN. It forwards to the gateway over plain HTTP on port 8080, so the proxy-to-gateway hop must stay on a trusted network.

API gateway
  opengate-gateway (Spring Cloud Gateway, :8080): the single entry point. JWT validation, CORS, routing, rate limiting, request logging; configured as an OAuth2 resource server.

Microservices
  auth :8081, user :8082, realm :8083, rbac :8084, client :8085, mfa :8086

Persistence layer
  Cache: Redis :6379, holding sessions, OTPs and the token blacklist.
  Database: PostgreSQL 16, one database per service (suffixes _auth, _user, _realm, _rbac, _clients, _notif).

Event stream
  Message bus: Apache Kafka, used for asynchronous communication between services.
  Topics: user.created, auth.login.success, auth.login.failure, auth.logout, session.terminated, mfa.otp_sent
  Consumers: session-service (Session, :8087), notification-service (Notification, :8088)
  Outputs: email through an SMTP server (notifications, alerts)

Management
  Admin API :8089

Design principles
  Isolation: database per service
  Entry: single gateway
  Services: stateless
  Consistency: eventual (Kafka)
  Tenancy: multi-tenant (realms)

State distribution
  PostgreSQL: entities
  Redis: sessions, OTPs, rate counters, token blacklist
  Kafka: audit trail

Security model
  Gateway: JWT validation
  Services: permitAll (the services themselves perform no authentication and trust what the gateway forwards)
  Realm scope: taken from a JWT claim
  DB queries: every query carries a realm_name predicate
  Auth Redis: authorization codes and tokens stored with a TTL

Because the services run with permitAll, the gateway is the only place a token is checked. The model therefore depends on ports 8081 through 8089 being reachable only from the gateway; if a service port is exposed to a client network, every check the gateway performs is bypassed.

Services Overview

opengate/gateway (Gateway) :8080
Spring Cloud Gateway: API router, CORS, rate limiting, request logging

opengate/auth (Auth) :8081
OAuth2/OIDC Authorization Server built on Spring Authorization Server 1.3

opengate/user (User) :8082
User lifecycle management: CRUD, password, email verification

opengate/realm (Realm) :8083
Multi-tenant realm configuration: themes, token settings, SMTP

opengate/rbac (RBAC) :8084
Role-based access control: roles, groups, policy evaluation

opengate/client (Client) :8085
OAuth2 client registry: registration, secrets, redirect URIs

opengate/mfa (MFA) :8086
Multi-factor auth: TOTP, email/SMS OTP, backup codes

opengate/session (Session) :8087
Session management: Redis-backed, multi-device, revocation

opengate/notification (Notification) :8088
Email notifications via Thymeleaf templates and SMTP

opengate/admin (Admin API) :8089
Aggregated admin REST API that proxies all management operations


Tech Stack

| Layer | Technology | Version |
| --- | --- | --- |
| Language | Java | 21 |
| Framework | Spring Boot | 3.3.0 |
| Build | Gradle (Kotlin DSL) | 8.7 |
| Auth | Spring Authorization Server | 1.3 |
| Database | PostgreSQL + Flyway | 16 |
| Cache | Redis | 7 |
| Messaging | Apache Kafka (KRaft) | 7.6 |
| Secrets | HashiCorp Vault | 1.16 |
| Admin UI | Next.js + TypeScript | 14 |
| Docs | Next.js + MDX | 14 |