DEV.co
AI Frameworks · casdoor

casdoor

Casdoor is an open-source identity and access management (IAM) platform with a web UI, built to handle authentication (OAuth, OIDC, SAML, LDAP, WebAuthn) and user provisioning at scale. It doubles as an AI gateway supporting Model Context Protocol (MCP) and agent-to-agent communication, making it relevant for both traditional enterprise auth and modern AI/LLM applications.

Source: GitHub — github.com/casdoor/casdoor
13.9k
GitHub stars
1.7k
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorycasdoor/casdoor
Ownercasdoor
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars13.9k
Forks1.7k
Open issues97
Latest releasev3.108.0 (2026-07-05)
Last updated2026-07-05
Sourcehttps://github.com/casdoor/casdoor

What casdoor is

Go-based backend (Beego framework) with React frontend, supporting mainstream databases (MySQL, PostgreSQL) and optional Redis caching. Implements standard protocols (OAuth 2.0, OIDC, SAML 2.0, CAS, LDAP, SCIM 2.0), role-based and attribute-based access control via Casbin, and emerging AI protocols (MCP, A2A). RESTful API with Swagger documentation.

Quickstart

Get the casdoor source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/casdoor/casdoor.gitcd casdoor# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Enterprise SSO and Multi-Protocol Auth

Organizations needing centralized authentication across multiple protocols (SAML, OIDC, LDAP) and support for WebAuthn/MFA. Casdoor's UI-first design and broad protocol support reduce integration friction versus reverse-proxy-only solutions.

AI/LLM Agent Gateway and Auth

Applications deploying AI agents that require secure inter-agent communication (A2A) and Model Context Protocol (MCP) gateway functionality. Casdoor's AI-first positioning and MCP support align directly with agent orchestration needs.

Self-Hosted SaaS and Multi-Tenant Deployments

Organizations prioritizing data sovereignty and on-premise or private-cloud deployments. Docker, Kubernetes Helm, and source-based deployment options support flexible hosting; multi-tenancy (organizations) is built-in.

Implementation considerations

  • Database choice (MySQL, PostgreSQL) and initial setup time (typically 15–30 min for source or Docker). Plan for persistent storage in containerized deployments.
  • Configuration via conf/app.conf requires upfront planning of database credentials, port binding, and provider settings. Review official docs before deployment.
  • Default demo credentials (built-in/admin / 123) must be changed immediately in any production environment. Enforce strong password policies and MFA.
  • Multi-protocol support (SAML, OIDC, LDAP) requires correct metadata/config for each identity provider. Allocate time for testing each integration.
  • Frontend build step (Node.js, Yarn) is required from source; Docker images simplify this for pre-built deployments.

When to avoid it — and what to weigh

  • Lightweight, Minimal Auth Proxy Requirements — If you need only basic API authentication or a thin session/token proxy, a simpler solution (e.g., reverse proxy with OAuth module) may be faster to deploy and operate than a full IAM server.
  • Strict Commercial Support and SLA Guarantees — Casdoor is open-source with community-driven support. If your organization requires vendor-backed SLAs, formal support contracts, or guaranteed response times, a commercial IAM platform may be more suitable.
  • Zero Configuration Infrastructure Needs — Casdoor requires database setup (MySQL, PostgreSQL, etc.), configuration file management, and ongoing maintenance. Serverless or fully managed auth services (e.g., Auth0, AWS Cognito) eliminate that operational overhead.
  • Proprietary/Legacy Protocol Requirements — If your environment relies on uncommon or internal authentication protocols not listed (OAuth, OIDC, SAML, CAS, LDAP, WebAuthn, TOTP), extension or custom connectors would be required.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license. Permits commercial use, modification, and distribution provided original copyright notice and license text are retained. No patent grants or warranty provided.

Apache 2.0 permits commercial use, including in proprietary products. However, you must include a copy of the Apache 2.0 license and attribution in any distribution. No commercial support, SLAs, or liability protection are provided by the Casdoor project; you assume operational and maintenance responsibility. Consider engaging consulting or establishing internal expertise before production deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Casdoor handles authentication and authorization; security posture depends on correct configuration, TLS termination, database hardening, and secret management. Source code is public (OSS), allowing community review but no formal security audit data is provided. WebAuthn, TOTP, and MFA features are included; enable them. Default credentials and demo mode restrictions (read-only demos) show security awareness. Operators are responsible for key rotation, audit logging review, and intrusion detection. No vulnerability disclosure policy is stated in provided data; review project before committing sensitive workloads.

Alternatives to consider

Auth0 / Okta

Cloud-managed, commercial IAM with broad protocol support, SLAs, and built-in security. Trade-off: vendor lock-in, higher cost, less customization. Better if you need guaranteed uptime and outsourced ops.

Keycloak

Open-source, Java-based IAM with similar protocol coverage (OIDC, SAML, LDAP). Trade-off: heavier resource footprint, different tech stack. Consider if your team prefers Java or existing Keycloak expertise.

Authentik

Open-source, Python-based, modern IAM. Trade-off: smaller ecosystem than Casdoor, less mature MCP/AI features. Lighter-weight than Casdoor; suitable for mid-market deployments without AI/agent needs.

Software development agency

Build on casdoor with DEV.co software developers

Start with Docker (all-in-one) or source installation. Review the official docs at casdoor.ai, test in a demo environment, then plan your production deployment strategy—database, TLS, backup, and provider integrations included.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

casdoor FAQ

Can I use Casdoor in a commercial product?
Yes. Apache 2.0 permits commercial use. You must include the license text and attribution. No SLA or commercial support is guaranteed by the project.
What databases does Casdoor support?
Mainstream options: MySQL, PostgreSQL, and others (see casdoor.ai/docs/overview). SQLite is available for quick trials via all-in-one Docker image. Production deployments should use MySQL or PostgreSQL with proper backups.
Do I need to modify Casdoor's code to integrate it with my app?
Not typically. Use the RESTful API, OAuth 2.0 / OIDC, or SAML integrations. SDKs (Go, Python, Node.js, Java) wrap common workflows. Custom extensions may be needed for uncommon protocols or policies.
What is MCP and why is it in Casdoor?
Model Context Protocol (MCP) is an emerging standard for AI agent communication. Casdoor's MCP gateway and A2A (agent-to-agent) features support secure, authenticated interaction between LLM-based agents. Use this if you're building multi-agent AI systems.

Custom software development services

Adopting casdoor is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate ai frameworks software in production.

Ready to Deploy Casdoor?

Start with Docker (all-in-one) or source installation. Review the official docs at casdoor.ai, test in a demo environment, then plan your production deployment strategy—database, TLS, backup, and provider integrations included.