Casdoor

Open-source Identity and Access Management (IAM) / SSO platform. Casdoor provides OAuth 2.0, OIDC, SAML, and CAS protocols for single sign-on across applications. Built by the team behind Casbin (the popular authorization library), Casdoor integrates natively with Casbin to cover both authentication and authorization. It provides user management, organization management, MFA, social login (GitHub, Google, WeChat, and others), and a REST API for programmatic identity management. Self-hostable alternative to Auth0 or Okta.

Evaluated Mar 06, 2026, v1.x
Tags: security, sso, oauth2, oidc, saml, identity, open-source, self-hosted, casbin, multi-tenant
⚙ Agent Friendliness: 55 / 100 (Can an agent use this?)
🔒 Security: 82 / 100 (Is it safe for agents?)
⚡ Reliability: 70 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 75
Error Messages: 70
Auth Simplicity: 78
Rate Limits: 72

🔒 Security

TLS Enforcement: 90
Auth Strength: 82
Scope Granularity: 78
Dep. Hygiene: 78
Secret Handling: 80

Apache 2.0 open source for full auditability. OAuth2/OIDC standards compliance. MFA support (TOTP, SMS, email). Password hashing is configured per organization: bcrypt is one of the supported types, but the options also include plaintext storage, so verify that every organization is set to bcrypt (or another real password hash) before onboarding users. Self-hosted, so all data stays in your infrastructure, and the security posture depends entirely on deployment configuration: TLS termination, database access controls, and changing the built-in admin account's default password are yours to take care of. No external compliance certifications.

⚡ Reliability

Uptime/SLA: 68
Version Stability: 72
Breaking Changes: 70
Error Recovery: 72

Best When

You want a free, self-hosted Auth0-like platform with full control over user data — especially if you're already using Casbin for authorization.

Avoid When

You need managed IAM with SLA guarantees and compliance certifications — Casdoor's value is control and cost, not managed reliability.

Use Cases

  • Implement SSO across agent-powered applications with OIDC — agents authenticate users once via Casdoor and receive signed JWT access tokens that downstream services verify locally before acting on them
  • Manage agent service accounts programmatically via Casdoor REST API — create, update, and rotate application credentials without manual dashboard intervention
  • Build multi-tenant SaaS products with Casdoor's organization model — each customer organization gets isolated user management while sharing core infrastructure
  • Integrate social login (Google, GitHub, Microsoft) into agent-facing UIs without implementing OAuth flows per provider — Casdoor normalizes all providers to OIDC
  • Combine Casdoor authentication with Casbin authorization for complete identity + permissions management in agent-driven platforms from a single ecosystem

Not For

  • Teams needing managed cloud IAM without infrastructure burden — Casdoor is self-hosted; Auth0, Clerk, or WorkOS provide managed alternatives
  • Enterprise compliance requirements (SOC2, FedRAMP) out of the box — self-hosted Casdoor requires you to achieve compliance independently
  • Mobile-first auth flows — Casdoor's strength is web SSO; mobile-specific auth patterns may need additional implementation

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: Yes

Authentication

Methods: oauth2, api_key, bearer_token
OAuth: Yes. Scopes: Yes.

Three distinct paths, and the right one depends on who is calling. Machine-to-machine: the application's client_id/client_secret in an OAuth2 client credentials grant against the token endpoint (/api/login/oauth/access_token with grant_type=client_credentials) yields an application access token. Admin API: bearer tokens obtained from a user login, with that user's permissions applied to every call, so a dedicated least-privilege user is preferable to reusing a human administrator's session. End users: standard OIDC/OAuth2 authorization code flow.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0 open source. All features available in open source version — no enterprise paywall for core features. Infrastructure costs only. Casdoor Cloud provides managed hosting for teams that want SaaS experience.

Agent Metadata

Pagination: page_number
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • Casdoor's REST API documentation is less polished than commercial alternatives — some endpoints are only documented via Swagger UI or source code; plan for API exploration time
  • Casdoor handles authentication; authorization decisions in your application still come from Casbin with your own model and policies (Casdoor's built-in permission objects are Casbin-backed, but they do not replace that configuration). Agents that need both auth and authz must set up both; they're complementary but separate
  • Multi-provider social login requires per-provider OAuth app setup in each provider's developer console — Casdoor manages the flow but agents must provision provider apps manually
  • Casdoor's organization model scopes users to organizations, and API object IDs carry the organization as a prefix (owner/name, e.g. built-in/admin). Agents managing multi-tenant systems must pass the organization context in every API call, or operations land in the wrong tenant
  • SAML integration requires careful assertion configuration — SAML attribute mapping for enterprise IdP integration may require non-trivial XML configuration debugging
  • Token signing keys must be managed securely: each application signs tokens with a certificate configured in Casdoor, rotating that certificate invalidates every outstanding token unless relying parties can still verify against the old public key, and losing the private key stops token issuance until a new certificate is installed. Treat rotation as a planned event, and have relying parties select keys by kid from the JWKS endpoint rather than pinning a single certificate
  • Self-hosting requires a relational database (MySQL, PostgreSQL, SQLite and others are supported) and, for multi-instance deployments, a shared session store such as Redis. This is your infrastructure to run, and database backups are critical because lost user records and password hashes cannot be reconstructed
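The checks a downstream service should run on a Casdoor-issued access token, as an added example that is not Casdoor's code or SDK. It covers the SSO use case above (agents forwarding JWTs to services), the multi-tenant gotcha (the owner claim is the organization and must match the tenant being served) and the signing-key gotcha (the verifier selects the key by kid, so a token signed with a rotated-out key is refused rather than trusted). Assumptions: the JWKS from /.well-known/jwks has already been parsed into a map from kid to RSA public key (what a JWKS client library hands you), Casdoor signs with RS256, and aud is encoded as a JSON array. The issuer, client ID, organization and user names are constructed, and MintToken only stands in for Casdoor's signer so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims a downstream service must check. Casdoor adds user fields to the registered
// claims: "owner" is the organization, "tokenType" separates access from refresh tokens.
type Claims struct {
	Iss       string   `json:"iss"`
	Aud       []string `json:"aud"` // assumed: Casdoor encodes aud as a JSON array
	Exp       int64    `json:"exp"`
	Owner     string   `json:"owner"`
	Name      string   `json:"name"`
	TokenType string   `json:"tokenType"`
}

type Keys map[string]*rsa.PublicKey // JWKS from /.well-known/jwks parsed into kid -> public key

// VerifyToken pins RS256, selects the key by kid (a rotated-out kid fails here instead of
// being trusted), verifies the signature, then checks issuer, audience, expiry, token type
// and, for a multi-tenant service, that owner is the organization being served.
func VerifyToken(tok string, keys Keys, issuer, clientID, org string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg) // never accept "none" or HS*
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no key with kid %q (rotated or unknown)", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	case len(c.Aud) != 1 || c.Aud[0] != clientID: // this service expects exactly its own client ID
		return nil, fmt.Errorf("token was not issued for this application")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case c.TokenType != "access-token":
		return nil, fmt.Errorf("refusing %q as an access token", c.TokenType)
	case c.Owner != org:
		return nil, fmt.Errorf("token belongs to org %q, not %q", c.Owner, org)
	}
	return &c, nil
}

// MintToken stands in for Casdoor's signer so the example runs offline; in production
// only Casdoor holds the private key and services fetch the JWKS over HTTPS.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Demo runs constructed cases: a valid token for org "acme"; the same claims signed under
// a rotated-out kid; a token for org "globex"; and a forgery carrying the globex payload
// under the acme token's signature.
func Demo() (accepted string, rejected []error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, now := Keys{"k2026": &priv.PublicKey}, time.Now()
	c := Claims{Iss: "https://sso.example.test", Aud: []string{"agent-app"}, Exp: now.Add(time.Hour).Unix(), Owner: "acme", Name: "alice", TokenType: "access-token"}
	good := MintToken(priv, "k2026", c)
	if ok, err := VerifyToken(good, keys, c.Iss, "agent-app", "acme", now); err == nil {
		accepted = ok.Owner + "/" + ok.Name
	}
	other := c
	other.Owner = "globex"
	forged := strings.Split(good, ".")
	forged[1] = strings.Split(MintToken(priv, "k2026", other), ".")[1]
	for _, tok := range []string{MintToken(priv, "k2025", c), MintToken(priv, "k2026", other), strings.Join(forged, ".")} {
		if _, err := VerifyToken(tok, keys, c.Iss, "agent-app", "acme", now); err != nil {
			rejected = append(rejected, err)
		}
	}
	return accepted, rejected
}
func main() { fmt.Println(Demo()) }
```

Demo returns the accepted user as org/name plus one error per rejected token. In a real service the JWKS is fetched from Casdoor over HTTPS and re-fetched when an unknown kid shows up, which is how a key rotation is absorbed without restarting relying parties; the owner check is what keeps a valid token from one customer organization from being honoured for another.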

Scores are editorial opinions as of 2026-03-06.
