MCIAS
- Repo: MCIAS
The Metacircular Identity and Access System (MCIAS) provides standard tools for user and access management among metacircular and wntrmute systems.
Build an authentication service written in Go that I can use with other apps that I write.
Specifications
- Applications should be able to either do an interactive login, using a username/password (and potentially a TOTP), or present a token.
- Applications should be able to renew the token, which would nominally expire after some period (defaulting to maybe 30 days).
- There are two kinds of users: human and system accounts.
- System accounts can only present a token; they have a single token associated with that account at a time.
- User accounts have roles associated with them.
- Users with the admin role can issue tokens for any app, or users with the role named the same as a service account can issue tokens for that service account.
- Admin users can also revoke tokens for a service account.
- Service accounts (and users with a role named the same as the service account) can also retrieve Postgres database credentials for the service account.
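The token rules above (one token per system account, roughly 30-day expiry with renewal, issuance by admins or by users holding the role named after the service account, revocation by admins only, and logging of every authentication event) are small enough to pin down in code. The following Go program is an added example, not MCIAS code; the type and function names (Principal, TokenStore, Issue, Renew, Revoke, Authenticate) are hypothetical, the store is in memory, and token secrets are kept only as SHA-256 digests so a copied store yields no usable credentials.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Default lifetime taken from the spec ("maybe 30 days").
const DefaultTokenLifetime = 30 * 24 * time.Hour

var (
	ErrForbidden = errors.New("caller may not manage tokens for this service account")
	ErrBadToken  = errors.New("token invalid, expired or revoked")
)

// Principal is the caller of an operation. Only human accounts carry
// roles; system (service) accounts authenticate solely with their token.
type Principal struct {
	Name    string
	IsHuman bool
	Roles   []string
}

func (p Principal) hasRole(role string) bool {
	for _, r := range p.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// tokenRecord holds only the digest of the secret plus its expiry.
type tokenRecord struct {
	hash    []byte
	expires time.Time
}

// TokenStore is keyed by service account name, which enforces "one token
// per system account at a time". The clock is injectable for testing.
type TokenStore struct {
	now    func() time.Time
	tokens map[string]tokenRecord
	Events []string // audit trail: every authentication event is recorded
}

func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{now: now, tokens: make(map[string]tokenRecord)}
}

func (s *TokenStore) audit(event, service, outcome string) {
	s.Events = append(s.Events, fmt.Sprintf("%s %s service=%s outcome=%s",
		s.now().UTC().Format(time.RFC3339), event, service, outcome))
}

func hashToken(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// mint replaces the service's current token with a fresh 256-bit random one.
func (s *TokenStore) mint(service string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	secret := hex.EncodeToString(raw)
	s.tokens[service] = tokenRecord{hash: hashToken(secret), expires: s.now().Add(DefaultTokenLifetime)}
	return secret, nil
}

// CanIssue encodes the spec rule: admins may issue for any service account;
// a user with the role named after the service account may issue for it only.
func CanIssue(caller Principal, service string) bool {
	return caller.IsHuman && (caller.hasRole("admin") || caller.hasRole(service))
}

func (s *TokenStore) Issue(caller Principal, service string) (string, error) {
	if !CanIssue(caller, service) {
		s.audit("issue", service, "forbidden for "+caller.Name)
		return "", ErrForbidden
	}
	s.audit("issue", service, "ok by "+caller.Name)
	return s.mint(service)
}

// Authenticate maps a presented token to its service account name.
func (s *TokenStore) Authenticate(secret string) (string, error) {
	h := hashToken(secret)
	for service, rec := range s.tokens {
		if subtle.ConstantTimeCompare(rec.hash, h) == 1 {
			if !s.now().Before(rec.expires) {
				s.audit("authenticate", service, "expired")
				return "", ErrBadToken
			}
			s.audit("authenticate", service, "ok")
			return service, nil
		}
	}
	s.audit("authenticate", "-", "unknown token")
	return "", ErrBadToken
}

// Renew exchanges a valid token for a fresh one with a full lifetime; the
// old secret stops working immediately, so renewal also rotates it.
func (s *TokenStore) Renew(secret string) (string, error) {
	service, err := s.Authenticate(secret)
	if err != nil {
		return "", err
	}
	s.audit("renew", service, "ok")
	return s.mint(service)
}

// Revoke is restricted to admins, as the spec states.
func (s *TokenStore) Revoke(caller Principal, service string) error {
	if !(caller.IsHuman && caller.hasRole("admin")) {
		s.audit("revoke", service, "forbidden for "+caller.Name)
		return ErrForbidden
	}
	delete(s.tokens, service)
	s.audit("revoke", service, "ok by "+caller.Name)
	return nil
}

func main() {
	s := NewTokenStore(time.Now)
	admin := Principal{Name: "admin-user", IsHuman: true, Roles: []string{"admin"}}
	tok, err := s.Issue(admin, "backup")
	if err != nil {
		panic(err)
	}
	svc, _ := s.Authenticate(tok)
	fmt.Println("token authenticates as", svc)
	fmt.Println(s.Events)
}
```

Renewal here deliberately rotates the secret rather than extending the old one, so a token that leaked before renewal dies at the next renewal; the single map slot per service account is what makes "one token at a time" hold without a separate check.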
Technical details
- User passwords will be stored using scrypt.
- The service account tokens and user/password authentication can be used to obtain a JWT, if that is appropriate.
- All authentication events should be logged.
- This service should use the packages contained in git.wntrmute.dev/kyle/goutils for logging etc.
Interfaces
- The primary interface will be a REST API over HTTPS. TLS security is critical for this.
- There should be two command line tools associated with MCIAS:
- mciassrv is the authentication server.
- mciasctl is the tool for admins to create and manage accounts, issue or revoke tokens, and manage postgres database credentials.
Questions
- What are the security considerations here?
- This is a system for small, personal services. Manual user lifecycle management is acceptable and expected. Federation is an explicit nongoal.
Tasks [0/2]
- [ ] Define user, token, and dbcred objects.
- [ ] Define an API for authentication and retrieving db creds.