Secure proxy for any service with authentication, authorization, and audit logging.
Port Authorizing acts as a transparent proxy between clients and backend services (PostgreSQL, HTTP, TCP, etc.), providing centralized authentication, role-based authorization, protocol-specific filtering, and comprehensive audit logging.
- `port-authorizing` - Main API server
- `port-authorizing-cli` - CLI client for connecting through proxies
- `mock-approval-server` - Testing tool for approval workflows (see `tools/mock-approval-server/`)
- Multi-Provider Authentication - Local users, OIDC (Keycloak), LDAP, SAML2
- Role-Based Access Control - Tag-based policies with different access per role
- Protocol-Specific Filtering - SQL query whitelisting for PostgreSQL, request filtering for HTTP
- Credential Hiding - Users never see backend credentials
- Transparent Proxying - Works with standard clients (psql, curl, etc.)
- Time-Limited Access - Connections expire automatically
- Full Audit Logging - All actions logged with user attribution
- Resilient Startup - Server starts even if auth providers (OIDC/LDAP/SAML2) are temporarily unavailable
| Protocol | Status | Features | Notes |
|---|---|---|---|
| PostgreSQL | ✅ Mature | Authentication, query whitelisting, audit logging | Fully protocol-aware with username validation |
| HTTP/HTTPS | ✅ Mature | Transparent proxying, authentication, audit logging | Full request/response handling |
| TCP | 🚧 Beta | Basic proxying, authentication | Limited protocol awareness, suitable for simple services |
Using install script (recommended):

```bash
curl -fsSL https://raw.githubusercontent.com/davidcohan/port-authorizing/main/scripts/install.sh | bash
```

Manual download:

```bash
# Download from GitHub releases
wget https://github.com/cohandv/port-authorizing/releases/latest/download/port-authorizing-linux-amd64
chmod +x port-authorizing-linux-amd64
sudo mv port-authorizing-linux-amd64 /usr/local/bin/port-authorizing
```

Using Docker:

```bash
docker pull cohandv/port-authorizing:latest
```

Build from source:

```bash
git clone https://github.com/cohandv/port-authorizing.git
cd port-authorizing
make build
```

```bash
# Start server
port-authorizing server --config config.yaml

# Login (opens browser for OIDC)
port-authorizing login

# List available connections
port-authorizing list

# Connect to service (PostgreSQL example)
port-authorizing connect postgres-prod -l 5433

# Use standard client
psql -h localhost -p 5433 -U your-username -d database

# Or connect to HTTP service
port-authorizing connect api-server -l 8080
curl http://localhost:8080/api/users
```

```
+----------+        +----------------+        +------------+
|  Client  | -----> |   Port Auth    | -----> |  Backend   |
|  (psql)  |        |     Proxy      |        |  Postgres  |
+----------+        +----------------+        +------------+
                            |
                            +-- JWT Authentication
                            +-- Role Authorization
                            +-- Query Validation
                            +-- Audit Logging
```
```yaml
server:
  port: 8080

auth:
  providers:
    - name: keycloak
      type: oidc
      enabled: true
      config:
        issuer: "https://keycloak.example.com/realms/myapp"
        client_id: "port-authorizing"
        roles_claim: "roles"

connections:
  - name: postgres-prod
    type: postgres
    host: prod-db.internal
    port: 5432
    tags:
      - env:production
    backend_username: "app_user"
    backend_password: "${DB_PASSWORD}"

policies:
  - name: developer-readonly
    roles:
      - developer
    tags:
      - env:production
    whitelist:
      - "^SELECT.*"
      - "^EXPLAIN.*"
```

See `docs/` for the full documentation.
Give developers temporary SELECT-only access to production databases without sharing credentials:

```bash
# Developer workflow
port-authorizing login                          # Authenticates via OIDC
port-authorizing connect postgres-prod -l 5433
psql -h localhost -p 5433 -U alice -d myapp

# Can execute: SELECT, EXPLAIN
# Cannot execute: UPDATE, DELETE, DROP
# All queries logged with username
```

Connections automatically expire:

```yaml
connections:
  - name: postgres-prod
    duration: 30m  # Access expires after 30 minutes
```

Different users have different access per environment:

```yaml
policies:
  - name: dev-full-test
    roles: [developer]
    tags: [env:test]
    whitelist: [".*"]  # Full access to test

  - name: dev-readonly-prod
    roles: [developer]
    tags: [env:production]
    whitelist: ["^SELECT.*", "^EXPLAIN.*"]  # Read-only in prod
```

```bash
# Install dependencies
make deps

# Run tests
make test

# Build for all platforms
make build-all

# Run locally
make dev
```

```bash
# Start all services (PostgreSQL, Keycloak, LDAP)
docker-compose up -d

# Setup Keycloak
./docker/setup-keycloak.sh setup

# Stop services
docker-compose down
```

- ✅ No credential sharing - Backend passwords never exposed to users
- ✅ Username enforcement - Users can only connect as themselves
- ✅ Query validation - All queries checked against whitelist before execution
- ✅ Audit trail - Every action logged with user identity
- ✅ Time-bound access - Connections expire automatically
- ✅ JWT-based auth - Cryptographically signed tokens
See Security Improvements for details.
We welcome contributions! Port Authorizing uses automatic versioning based on conventional commits.
Quick start:

```bash
# Fork and clone
git clone https://github.com/YOUR_USERNAME/port-authorizing.git

# Create feature branch
git checkout -b feat/my-feature

# Commit using conventional commits
git commit -m "feat: add awesome feature"

# Push and create PR
git push origin feat/my-feature
```

Commit format:

- `feat: ...` → Minor version bump (new features)
- `fix: ...` → Patch version bump (bug fixes)
- `feat!: ...` or `BREAKING CHANGE:` → Major version bump
See CONTRIBUTING.md for detailed guidelines.
This project uses fully automated semantic versioning:
- Every push to `main` triggers automatic version analysis
- Version is determined from commit messages
- Releases are created automatically with binaries
- See docs/development/VERSIONING.md
MIT License - see LICENSE file for details.
- Documentation: docs/
- GitHub: davidcohan/port-authorizing
- Docker Hub: cohandv/port-authorizing
- Releases: GitHub Releases
- Changelog: CHANGELOG.md