Preface
Building an Identity and Access Management (IAM) server from scratch is comparable to writing a kernel for a small operating system. Where an OS kernel manages memory, processes, and hardware access, an Identity Server manages principals, sessions, and authorization graphs.
Most contemporary web applications delegate login to third-party services such as Auth0, Clerk, or Cognito. These services are excellent for prototypes. But as a product matures into a platform — as it accumulates multi-tenant workspaces, custom auth policies, OIDC federation, fine-grained RBAC, and audit obligations — the rigid constraints of an external IAM begin to suffocate product development.
This book follows the construction of Rooiam, a fully custom, open-source IAM platform written in Rust (Actix-web), backed by PostgreSQLand Redis. Each chapter dissects one core problem of identity — from the most fundamental question of what is a user? all the way through OIDC federation, hardware-bound passkeys, cryptographic audit trails, and enterprise network policy.
Who This Book Is For
This book is written for software engineers at any level who want to understand identity systems from first principles. You do not need prior security experience. Each chapter builds on the previous one, introduces the theoretical problem before any code, and always shows you the actual Rust source that Rooiam runs in production.
How Each Chapter Works
Every chapter follows the same four-part structure:
- The Problem — a clear, intuitive statement of the failure mode or attack that motivates the design.
- Theory — the computer-science or cryptographic concept that solves the problem, explained from scratch.
- Database Design — the PostgreSQL schema that encodes the solution durably and correctly.
- Rust Implementation — the actual
rooiam-servercode that executes the solution on every request.
Each chapter closes with a Chapter Summary and a short set ofExercises to solidify understanding.
The Stack at a Glance
| Layer | Technology | Role |
|---|---|---|
| Language | Rust | Memory-safe, zero-cost, compiled server |
| Framework | Actix-web 4 | Async HTTP, middleware, extractors |
| Database | PostgreSQL 16 | ACID transactions, JSONB, UUID primary keys |
| Cache | Redis | Session rate-limit counters, OAuth state tokens |
| ORM | sqlx | Compile-time checked SQL, async queries |
| Auth | OIDC / RFC 6749 | Standard protocol for app federation |
Table of Contents
- Chapter 1: The Core Database
- Chapter 2: Magic Link Authentication
- Chapter 3: Stateful Sessions
- Chapter 4: Social Logins
- Chapter 5: Multi-Tenant Architecture
- Chapter 6: The OIDC Provider
- Chapter 7: Threat Modeling
- Chapter 8: Permissions & Roles
- Chapter 9: MFA & Passkeys
- Chapter 10: Audit Logs
- Chapter 11: Machine Identity & API Keys
- Chapter 12: Corporate Guardrails