A self-service UI and OAuth2 login/consent/logout bridge for Ory Kratos + Ory Hydra https://gofranz.com/software/forseti/
.github/workflows feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
assets feat: app-aware client onboarding, OIDC connection details, and admin configuration page 2026-06-09 16:11:29 +01:00
docs feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
infra feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
migrations feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
src feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
templates feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
tests feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
.djlintrc chore: add djLint config and reformat templates 2026-05-31 08:00:57 +01:00
.dockerignore chore: add CI, Docker packaging, and release config 2026-05-30 20:40:31 +01:00
.envrc feat: initial commit 2026-05-30 20:02:40 +01:00
.gitignore feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
Cargo.lock feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
Cargo.toml feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
CHANGELOG.md feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
config.ci.toml feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
config.example.toml feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
CONTRIBUTING.md feat: initial commit 2026-05-30 20:02:40 +01:00
deny.toml chore: add CVE scanning, bump base image to trixie, update CI actions 2026-06-01 18:02:37 +01:00
Dockerfile chore: add CVE scanning, bump base image to trixie, update CI actions 2026-06-01 18:02:37 +01:00
LICENSE feat: initial commit 2026-05-30 20:02:40 +01:00
LICENSE-COMMERCIAL feat: initial commit 2026-05-30 20:02:40 +01:00
Makefile feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00
manifest.scm feat: initial commit 2026-05-30 20:02:40 +01:00
README.md feat: enterprise SAML SSO via the Jackson bridge 2026-06-10 16:04:31 +01:00

Forseti

A self-service identity portal for Ory Kratos and Ory Hydra — login, registration, account recovery, MFA, OAuth2 consent, and admin tooling, all server-rendered in Rust.

Forseti is the web frontend Ory doesn't ship: a single binary that speaks to Kratos (identity) and Hydra (OAuth2/OIDC) and gives your users real screens for every self-service flow, plus an admin surface for operators.

Download

Prebuilt binaries for x86_64 and aarch64 Linux (glibc) are attached to every release:

# binary + the static/ assets it serves
curl -L -o forseti.tar.gz https://github.com/franzos/forseti/releases/latest/download/forseti-x86_64-unknown-linux-gnu.tar.gz
tar -xzf forseti.tar.gz
cd forseti-x86_64-unknown-linux-gnu
cp config.example.toml config.toml   # then edit it
./forseti

Or pull the container image from the GitHub Container Registry:

podman pull ghcr.io/franzos/forseti:latest
podman run --rm -p 3000:3000 \
  -v ./config.toml:/app/config.toml:ro \
  ghcr.io/franzos/forseti:latest

Both need a reachable Kratos and Hydra — see the operator guide. The binary reads ./config.toml (override with FORSETI_CONFIG_PATH) and serves ./static relative to its working directory.

Runtime note: the binary links dynamically against libpq (the Postgres client). On a bare host install libpq5 (Debian/Ubuntu) or libpq (most other distros); the container image already includes it. SQLite is bundled, so it needs nothing extra.

Why Forseti

Ory's engines are excellent, but headless. You get APIs; your users need pages. Forseti fills that gap:

  • Every Kratos flow, server-rendered — login, registration, recovery, verification, settings (profile, password, MFA/TOTP, social logins, sessions)
  • Hydra OAuth2 bridge — login, consent, and logout screens for the OAuth2/OIDC authorization-code flow
  • Admin surface — manage identities, sessions, OAuth2 clients; append-only audit log; status dashboard
  • Organizations — multi-tenant orgs with members, invites, branding, and per-org OIDC claims
  • Production-minded — CSRF on every form, signed cookies, rate-limited DCR, account-deletion webhook saga

Status

Pre-release / active development. Core flows work end-to-end against the Ory playground; APIs, config, and schema are still moving. Pin a commit if you build on it.

Build from source

# 1. Bring up the playground (Kratos, Hydra, Mailcrab, Postgres)
make stack-up

# 2. Seed a deterministic admin (password + TOTP)
make seed-admin

# 3. Run Forseti (debug build) at :3000
make run

Open http://localhost:3000. Register at /registration, grab the verification email from Mailcrab at http://127.0.0.1:4436, and you're in.

For the full OAuth2 dance — register a Hydra client, run an auth-code flow, exchange a token — see .claude/skills/ory-up/SKILL.md or the integration guide.

How it fits together

      Browser
         |
         v
+------------------+        admin (server-only)
|     Forseti      | --------------------------------+
|   Rust / Axum    |                                 |
|       :3000      | --+                             |
+------------------+   |                             |
         |             |                             |
         | browser     | browser                     |
         |             |                             v
   +------------+ +------------+             +-----------------+
   |  Kratos    | |   Hydra    |             | Kratos admin    |
   |  public    | |  public    |             | Hydra admin     |
   +------------+ +------------+             | (internal only) |
         |             |                     +-----------------+
         +------+------+
                |
                v
         +--------------+
         |  Database    |
         | Postgres /   |
         |   SQLite     |
         +--------------+
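
The diagram marks the Kratos and Hydra admin APIs as internal only. The following check is an added example, not part of the Forseti repository, meant to be run from a host outside the deployment's private network to confirm that. The ports (4434, 4445), the admin paths, the plain-HTTP scheme and the function names are assumptions based on Ory's defaults; adjust them to your deployment.

```shell
#!/bin/sh
# Added example: verify that the Ory admin APIs are not reachable from
# an untrusted vantage point. Ports and paths are Ory defaults (assumed).

# Map the HTTP status of an unauthenticated admin probe to a verdict.
# curl reports 000 when it got no HTTP response (refused, filtered, timeout).
classify_admin_probe() {
  case "$1" in
    000)     echo "ok: unreachable" ;;
    2??)     echo "EXPOSED: unauthenticated admin API" ;;
    401|403) echo "warn: reachable but gated" ;;
    *)       echo "warn: reachable (HTTP $1)" ;;
  esac
}

# Probe both admin APIs on host $1. Returns 0 only if neither answers,
# 1 if any admin port responds at all, 2 if curl is missing.
check_admin_exposure() {
  command -v curl >/dev/null 2>&1 || { echo "error: curl not found" >&2; return 2; }
  rc=0
  for target in "kratos:${KRATOS_ADMIN_PORT:-4434}:/admin/identities" \
                "hydra:${HYDRA_ADMIN_PORT:-4445}:/admin/clients"; do
    name=${target%%:*}; rest=${target#*:}
    port=${rest%%:*};   path=${rest#*:}
    # No credentials are sent, so a 2xx means the admin API is open.
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' \
           "${ADMIN_SCHEME:-http}://$1:$port$path") || true
    verdict=$(classify_admin_probe "${code:-000}")
    echo "$name admin ($1:$port): $verdict"
    case "$verdict" in ok:*) ;; *) rc=1 ;; esac
  done
  return "$rc"
}

# Usage (from outside the private network):
#   check_admin_exposure id.example.com || echo "admin surface is reachable"
```

A "reachable but gated" verdict still counts as a failure here, because the diagram's intent is that these ports are not routable from the browser side at all.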

Documentation

License

Forseti is dual-licensed:

  • AGPL-3.0 for the open-source core (everything outside src/commercial/)
  • Commercial license for paid features in src/commercial/ (see MONETIZATION.md and LICENSE-COMMERCIAL)

Built on Ory Kratos and Ory Hydra.


Forseti — named for the Norse god of justice and reconciliation.