Boruta - Yet an other OAuth 2.0 provider

Hi there!

I’ve been working on an OAuth provider for quite a time now. I published a package including the functional core and its corresponding Ecto/Cache adapters. Being quite new in the Elixir world, all feedbacks are welcome !


The package is based on an hexagonal architecture, Application layer is still a work in progress.

I use the package for personal projects, the interface begins to be stable while I integrate it. If it looks good for you and want to integrate it do not hesitate to reach me out.

It was an happy journey developing the package as it was intended to have a use case in order to learn Elixir.


Thanks for sharing your library with us :slight_smile:

Whats is the meaning of Boruta?

Just a word of caution… Your package is a work in progress but already released as 1.0.0 and that means a stable library that is production ready.

In my opinion you should have started with 0.1.0.

Also, can you explain why the current libraries were not suitable for you?

1 Like

I use to start with 0.X releases. As I made breaking changes, I incremented the major version in order to impact that. Was not aware about the fact that 1.0 meant to be production ready. Application layer is decoupled from the core which is kind of stable with the use cases I faced, hence the release. That said there is no production use case yet.

Boruta is a demon guarding a castle in a small town in Poland. I have one representation of him by my home keeping me from bad fate. It is said that if you have such a demon at home nothing can happen to you.

Other packages might surely be suitable and easier to integrate, I built the package in order to test hexagonal architecture in such use case. It is suitable if you want to decouple users and authorization logic. It is better to test it too by Moxing the secondary adapters.

1 Like

Well, not really. 1.0.0 when using SemVer mean that the API is stable, and will not change as long as major version stays the same. It doesn’t say anything about “production readiness” nor even “stability” (depending on the definition of “stable”).

Actually he is a devil :wink: If you want to see more about it, then you can check out “Legendy Polskie” (Polish Legends) which is series of short movies (it was meant to be fully cinematic, but they canceled it):


In my opinion the common sense is that 1.0.0 means something that is production ready, at least is what I have seen in all my years amongst all developers I work with, in forums, etc., but I understand that others may see it differently.

SemVer is not a good standard, and a lot of developers and libraries use the x.y.z version scheme without necessarily understand it or even knowing that others may thing they are using it, and also a lot of developers give in their work a different meaning to each part of x.y.z, but less not start discussing SemVer here, because this thread is about Boruta :slight_smile:

1 Like

Happy to announce the release of 2.0.0-rc.0 :slight_smile:

This release includes some improvements but mainly the support of OpenID Connect core 1.0 and provides generators in order to create basic controllers to expose the specification required endpoints. For now, the version looks to be stable, but still, I put it as a release candidate to see what comes out.

Notice that the package passes OpenID certification test suite. Since it is only indicative, I still need to submit an application which may be done any time in the future.

Have a look at boruta | Hex. As usual, all feedbacks are very welcome.



I don’t yet have a use for this, (possibly soon), but I’m quite surprised there isn’t more visible interest in this. Amazing work - thanks!


Hi again,

I just released the 2.0 stable version of Boruta, release candidate has been here for long enough to show the stability of the authorization API. There is still room for improvement for administration tools, they will come up along the way. It includes minor fixes and improved documentation like a how-to setup an authorization provider from scratch. Hoping it would help integrations. (Note that you have a few breaking changes to upgrade from release candidate listed in CHANGELOG)

For a reminder, the package is meant to implement OAuth 2.0 and OpenID Connect core 1.0 specifications in order to bring the core of an authorization server. One of the specificities of the implementation is that it is uncoupled with your user models using hexagonal architecture. Along with the core, you can generate basic Phoenix controllers, views, and templates to expose the specifications required endpoints. Have a look at and at GitLab if you want to dig deeper, I would be happy to receive feedback.

Besides the package, I am working on a standalone version that would help to deploy an authorization provider instance easily. For that, it would include also an identity provider and an administration interface. I would be happy to have people involved in the decisions to take about the features to implement. The objective would be to define and shape the features you could be interested in, keeping in mind to target a lightweight open source IAM server. Do not hesitate to reach me if you wanna discuss it.

Thanks for reading me so far,


Hello there :slight_smile:

A quick notice about the release of version 2.0.1. In it, I gave an effort for the generated provider along with phx.gen.auth to pass the OpenID certification. It includes in particular a fix for the hybrid flow error return type following the specification.

I built a server using the package and its generated controllers that now pass the automated tests provided by the OpenID Foundation for the basic, implicit, and hybrid OpenID provider profiles (pull requests for jwks and userinfo endpoints are on the way). I’ll give a note here when I would be sure I can open-source the deployment that passed the tests suite. Keep you posted.



I just released version 2.1.0 of boruta. It includes the addition of OpenID Connect userinfo and jwks endpoints management.

This release helped to build an example server (patatoid / boruta_example · GitLab). It will be the basis to fill out an application to the OpenID Foundation certifications. The steps to achieve this provider have been documented on, hoping it is accurate and helps further integrations.

The next step is to submit an application which could happen very soon.

Keep safe


Hi there,

Version 2.1.0 finally got certified for the basic and implicit OpenID profiles :tada: . Hybrid profile is much more than advanced, I am discussing a specific point I could not understand well (returned errors encoding) and hope to have such a certification soon.

Elixir have now its own section in the listed OpenID provider libraries Certified OpenID Connect Implementations | OpenID. If anyone think descriptions or documentation can be improved to give a better visibility to the package, it would be very welcome.

Note that I also released 2.1.1 that fixed a dialyzer warning that was introduced in 2.1.0.

Thanks for the community that greatly helped it to be done.

Hope the best, happy coding!


I finally got certified for the hybrid OpenID profile and released version 2.1.2 that fixes the hybrid specific error return encoding issue.

It is a huge step for the library, going on the way, I still have in mind to provide a standalone version. Hoping I can give you soon news about it, there is still a lot of work to be done.

Hope the best!