casdoor
Casdoor is an open-source identity and access management (IAM) platform with a web UI, built to handle authentication (OAuth, OIDC, SAML, LDAP, WebAuthn) and user provisioning at scale. It doubles as an AI gateway supporting Model Context Protocol (MCP) and agent-to-agent communication, making it relevant for both traditional enterprise auth and modern AI/LLM applications.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | casdoor/casdoor |
| Owner | casdoor |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 13.9k |
| Forks | 1.7k |
| Open issues | 97 |
| Latest release | v3.108.0 (2026-07-05) |
| Last updated | 2026-07-05 |
| Source | https://github.com/casdoor/casdoor |
What casdoor is
Go-based backend (Beego framework) with React frontend, supporting mainstream databases (MySQL, PostgreSQL) and optional Redis caching. Implements standard protocols (OAuth 2.0, OIDC, SAML 2.0, CAS, LDAP, SCIM 2.0), role-based and attribute-based access control via Casbin, and emerging AI protocols (MCP, A2A). RESTful API with Swagger documentation.
Get the casdoor source
Clone the repository and explore it locally.
git clone https://github.com/casdoor/casdoor.gitcd casdoor# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Database choice (MySQL, PostgreSQL) and initial setup time (typically 15–30 min for source or Docker). Plan for persistent storage in containerized deployments.
- Configuration via conf/app.conf requires upfront planning of database credentials, port binding, and provider settings. Review official docs before deployment.
- Default demo credentials (built-in/admin / 123) must be changed immediately in any production environment. Enforce strong password policies and MFA.
- Multi-protocol support (SAML, OIDC, LDAP) requires correct metadata/config for each identity provider. Allocate time for testing each integration.
- Frontend build step (Node.js, Yarn) is required from source; Docker images simplify this for pre-built deployments.
When to avoid it — and what to weigh
- Lightweight, Minimal Auth Proxy Requirements — If you need only basic API authentication or a thin session/token proxy, a simpler solution (e.g., reverse proxy with OAuth module) may be faster to deploy and operate than a full IAM server.
- Strict Commercial Support and SLA Guarantees — Casdoor is open-source with community-driven support. If your organization requires vendor-backed SLAs, formal support contracts, or guaranteed response times, a commercial IAM platform may be more suitable.
- Zero Configuration Infrastructure Needs — Casdoor requires database setup (MySQL, PostgreSQL, etc.), configuration file management, and ongoing maintenance. Serverless or fully managed auth services (e.g., Auth0, AWS Cognito) eliminate that operational overhead.
- Proprietary/Legacy Protocol Requirements — If your environment relies on uncommon or internal authentication protocols not listed (OAuth, OIDC, SAML, CAS, LDAP, WebAuthn, TOTP), extension or custom connectors would be required.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license. Permits commercial use, modification, and distribution provided original copyright notice and license text are retained. No patent grants or warranty provided.
Apache 2.0 permits commercial use, including in proprietary products. However, you must include a copy of the Apache 2.0 license and attribution in any distribution. No commercial support, SLAs, or liability protection are provided by the Casdoor project; you assume operational and maintenance responsibility. Consider engaging consulting or establishing internal expertise before production deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
Casdoor handles authentication and authorization; security posture depends on correct configuration, TLS termination, database hardening, and secret management. Source code is public (OSS), allowing community review but no formal security audit data is provided. WebAuthn, TOTP, and MFA features are included; enable them. Default credentials and demo mode restrictions (read-only demos) show security awareness. Operators are responsible for key rotation, audit logging review, and intrusion detection. No vulnerability disclosure policy is stated in provided data; review project before committing sensitive workloads.
Alternatives to consider
Auth0 / Okta
Cloud-managed, commercial IAM with broad protocol support, SLAs, and built-in security. Trade-off: vendor lock-in, higher cost, less customization. Better if you need guaranteed uptime and outsourced ops.
Keycloak
Open-source, Java-based IAM with similar protocol coverage (OIDC, SAML, LDAP). Trade-off: heavier resource footprint, different tech stack. Consider if your team prefers Java or existing Keycloak expertise.
Authentik
Open-source, Python-based, modern IAM. Trade-off: smaller ecosystem than Casdoor, less mature MCP/AI features. Lighter-weight than Casdoor; suitable for mid-market deployments without AI/agent needs.
Build on casdoor with DEV.co software developers
Start with Docker (all-in-one) or source installation. Review the official docs at casdoor.ai, test in a demo environment, then plan your production deployment strategy—database, TLS, backup, and provider integrations included.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
casdoor FAQ
Can I use Casdoor in a commercial product?
What databases does Casdoor support?
Do I need to modify Casdoor's code to integrate it with my app?
What is MCP and why is it in Casdoor?
Custom software development services
Adopting casdoor is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate ai frameworks software in production.
Ready to Deploy Casdoor?
Start with Docker (all-in-one) or source installation. Review the official docs at casdoor.ai, test in a demo environment, then plan your production deployment strategy—database, TLS, backup, and provider integrations included.