Pronunciation: Kyvo is pronounced like "Key"vo — rhymes with English key plus vo.
An identity and access platform (IdP) for an ecosystem of applications: centralizes local authentication, issues JWT tokens via OIDC, organizes tenants (organizations), members, roles, OAuth applications, and supports federation with external providers (Firebase, Cognito, etc.).
Inspired by Keycloak-style platforms: a managed, multi-tenant IdP with its own admin console.
| Path | Use |
|---|---|
| Development | Clone the repo and follow GETTING_STARTED.md sections 1–6 (source, local PostgreSQL/Redis) |
| Production | Deploy kyvo-api + kyvo-frontend — GETTING_STARTED.md § Production (split images, external HTTPS proxy) |
| Maintainers | Build and push images — docs/DOCKER_PUBLISH.md |
backend/ ASP.NET Core 8 API — Clean Architecture (Domain / Application / Infrastructure / API)
Helper tool: tools/GenerateOidcKey (writes the RSA key into the API folder)
frontend/ Admin SPA — React 19 + MUI + React Router 7 + Vite
samples/ Reference consumer applications (e.g., pulse-crm — SaaS CRM + OIDC)
rules/ Standards and conventions: backend-rules.md, frontend-rules.md
docker/ API entrypoint script (split images: backend/ and frontend/ Dockerfiles)
docs/ Maintainer guides (e.g. Docker image publishing)
.github/ CI workflows (Docker publish on version tags)
| Document | Content |
|---|---|
| GETTING_STARTED.md | Development (§1–6) and production Docker deploy (§7) |
| docs/DOCKER_PUBLISH.md | Build/push images: CI workflow and manual commands |
| rules/backend-rules.md | Backend conventions, formatting, options pattern, secrets, OIDC |
| rules/frontend-rules.md | Frontend conventions, env vars with defaults, OIDC flow |
| backend/README.md | Backend architecture, configuration, endpoints, migrations, OIDC |
| frontend/README.md | Frontend stack, environment variables, OIDC flow, and pages |
| samples/README.md | Sample consumers and OAuth checklist in the admin console |
| samples/pulse-crm/README.md | PulseCRM: how to run and test the OIDC integration |
| Concept | Description |
|---|---|
| Local IdP | Email + password authentication stored with BCrypt. Configured at bootstrap. |
| OIDC | Authorization code + PKCE flow. RS256 tokens. Discovery at /.well-known/openid-configuration. |
| Multi-tenant | Users belong to multiple tenants with independent roles. |
| Platform admin | Users with prole=plat_admin manage tenants, applications, and global IdPs. |
| OAuth applications | Registry of consumer apps with public (PKCE) or confidential clients. |
| Identity Providers | Extensible federation: Local (default), Firebase, Cognito, Generic. Each declares IdpCapability flags (LocalPassword, GoogleSocial, etc.) with hard-lock for email/password and conflict warnings for socials. |
| Self-registration | Central /account/register page on the IdP with configurable password policy and rate limiting. Consumer apps redirect to OIDC; they never expose private signup endpoints. |
| Modern login UI | Login and register pages are served by Blazor Web App Static SSR (no MVC views). Google sign-in uses Firebase signInWithPopup, then POST /account/external-signin to continue the OAuth returnUrl. |
| Secret protection | IdP credentials (Firebase ServiceAccount, WebApiKey) are encrypted at rest via ASP.NET Core Data Protection. |
| Audit logs | Event tracking per tenant. |
- .NET 8 SDK
- Node.js (LTS)
- PostgreSQL 14+
- Redis (optional)
For the full installation guide see GETTING_STARTED.md.