A high-performance, asynchronous Identity-Aware Proxy (IAP) implementing Zero Trust architecture principles for securing legacy infrastructure.
Legacy applications (such as ERP systems and corporate intranet portals) often lack modern authentication and contextual access control mechanisms.
Zero Trust Gateway introduces a micro-perimeter in front of these legacy workloads, enforcing strict Identity, Device, and Context-based authorization before any request reaches the backend service.
This implementation follows NIST SP 800-207 Zero Trust Architecture guidelines, leveraging Python’s asynchronous networking capabilities (aiohttp) for high throughput and minimal latency.
Built on aiohttp, enabling non-blocking I/O and support for thousands of concurrent inbound connections.
All requests must include a JSON Web Token (JWT) signed by a trusted Identity Provider.
Claims evaluated include:
- sub (User ID)
- roles (RBAC mapping)
- exp (Token expiry)
- ip (Optional: last known IP binding)
Each request is validated against:
- IP Whitelisting Policies
- Role-Based Access Control (RBAC)
- Time-based or Context-based Policies (optional future extension)
If the request fails any check, the gateway denies access before touching the upstream service.
The real application endpoint (e.g., SAP, Oracle ERP, legacy web servers) is completely hidden from the public internet.
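The following is an added, stand-alone illustration of the decision chain described above (signature, exp, IP allowlist, optional ip binding, RBAC); it is not the project's gateway.py. The HS256 shared secret, the policy table and the minted tokens are constructed for the example, and mint_token only stands in for idp_simulator.py.

```python
import base64, hashlib, hmac, ipaddress, json, time

SECRET = b"demo-shared-secret"   # constructed; a production IdP would sign with an asymmetric key
POLICY = {                       # constructed stand-in for the policy section of config.json
    "allowed_networks": ["10.0.0.0/8", "192.168.1.0/24"],
    "routes": {"/admin": {"admin"}, "/": {"admin", "user"}},   # path prefix -> roles allowed
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for idp_simulator.py: sign the claim set with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(token: str, client_ip: str, path: str, now=None):
    """Return (allowed, reason). Any failing check denies before an upstream call is made."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, body, sig = parts
    # 1. Signature: pin the algorithm so a header naming another one (such as none) is rejected
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    # 2. Expiry (exp claim)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # 3. IP allowlist policy on the connecting address
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(n) for n in POLICY["allowed_networks"]):
        return False, "source IP not allowlisted"
    # 4. Optional ip claim: the token is only honoured from the address it was bound to
    if "ip" in claims and claims["ip"] != client_ip:
        return False, "token bound to a different IP"
    # 5. RBAC: the longest matching route prefix decides which roles may pass
    route = max((r for r in POLICY["routes"] if path.startswith(r)), key=len, default=None)
    if route is None or not set(claims.get("roles", [])) & POLICY["routes"][route]:
        return False, "role not permitted for path"
    return True, f"allowed as {claims.get('sub')}"
```

In the real gateway the equivalent of authorize runs inside the aiohttp request handler, and only a (True, ...) result leads to the proxied call to the backend.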
git clone https://github.com/osmankaankars/Zero-Trust-Gateway.git
cd Zero-Trust-Gateway
pip install -r requirements.txt

The gateway listens on port 9000 and proxies traffic to http://localhost:8080 (configurable in config.json).

python gateway.py

Use the included lightweight IDP simulator to generate signed JWTs.

python idp_simulator.py --role admin

Use the token to reach the upstream system:

curl -H "Authorization: Bearer <TOKEN>" http://localhost:9000/

If the token is valid and the policy allows access, the request is proxied upstream.
Otherwise, the gateway returns a 403 Access Denied response.
Osman Kaan Kars
Cybersecurity Engineer | Systems Architect