DEV Community: Prasoon Sharma The latest articles on DEV Community by Prasoon Sharma (@parthtiw710). https://dev.to/parthtiw710 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3993618%2Ff88daaa4-404f-4299-af7a-c3a05869f6a2.png DEV Community: Prasoon Sharma https://dev.to/parthtiw710 en Introducing EAP: The Production-Ready Zero-Config Auth Proxy with Cloud IAM & Rate Limiting Prasoon Sharma Sat, 20 Jun 2026 06:35:07 +0000 https://dev.to/parthtiw710/introducing-eap-the-production-ready-zero-config-auth-proxy-with-cloud-iam-rate-limiting-1l1b https://dev.to/parthtiw710/introducing-eap-the-production-ready-zero-config-auth-proxy-with-cloud-iam-rate-limiting-1l1b <p>Securing web endpoints and service-to-service communication is notoriously complex. You often find yourself wrapping services with complex setups like <code>oauth2-proxy</code>, writing custom token exchangers, or writing redundant authentication logic across different service repositories.</p> <p>To solve this, I built <strong>EAP</strong>—a lightweight, zero-config authentication proxy designed to handle modern, multi-cloud enterprise authentication out of the box.</p> <p>With EAP, you can secure any backend service without writing a single line of auth code. Just run the Docker container, specify your environment variables, and get robust Google OAuth (U2S), JWT verification (S2S), Cloud Identity integration, and built-in rate limiting immediately.</p> <h2> 💡 Key Features of EAP </h2> <ul> <li> <strong>🔒 Double Authentication Modes:</strong> <ul> <li> <strong>User-to-Server (U2S):</strong> Secure browser access using <strong>Google OAuth</strong>.</li> <li> <strong>Server-to-Server (S2S):</strong> Validate server calls via <strong>JWT</strong> with custom key signature support (RSA).</li> </ul> </li> <li> <strong>👥 Domain &amp; Email Whitelisting:</strong> Restrict user login access to specific domains or specific emails via <code>ALLOWED_EMAILS</code>.</li> <li> <strong>☁️ Native Cloud Provider Integrations:</strong> Built-in hooks for cloud-specific authentication patterns: <ul> <li> <strong>GCP</strong> (<code>GCP_ONLY</code>)</li> <li> <strong>AWS Cognito</strong> (<code>AWS_ONLY</code>, token exchange configs)</li> <li> <strong>Azure AD</strong> (<code>AZURE_ONLY</code>, target resource mapping)</li> <li> <strong>Kubernetes</strong> (<code>KUBERNETES_ONLY</code>)</li> </ul> </li> <li> <strong>⚡ Built-in Rate Limiting:</strong> Prevent DDoS attacks and abuse with fine-grained rate limiting for both standard users and server-to-server connections.</li> </ul> <h2> 🚀 Quick Start (Get running in 1 minute) </h2> <p>Deploying EAP is as simple as running a single command. </p> <p>Here is the complete configuration to launch EAP in front of your upstream backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">-p</span> 8080:8080 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">PORT</span><span class="o">=</span>8080 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">TARGET_URL</span><span class="o">=</span><span class="s2">"https://your-backend-service.com"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">JWT_SECRET</span><span class="o">=</span><span class="s2">"your-jwt-signing-secret-key"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GOOGLE_CLIENT_ID</span><span class="o">=</span><span class="s2">"your-google-client-id"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GOOGLE_CLIENT_SECRET</span><span class="o">=</span><span class="s2">"your-google-client-secret"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GOOGLE_REDIRECT_URL</span><span class="o">=</span><span class="s2">"https://your-domain.com/auth/callback"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ALLOWED_EMAILS</span><span class="o">=</span><span class="s2">"user@gmail.com,@yourcompany.com"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">RSA_PRIVATE_KEY</span><span class="o">=</span><span class="s2">"-----BEGIN RSA PRIVATE KEY-----</span><span class="se">\n</span><span class="s2">...</span><span class="se">\n</span><span class="s2">-----END RSA PRIVATE KEY-----"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GCP_ONLY</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">AWS_ONLY</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">AWS_COGNITO_TOKEN_URL</span><span class="o">=</span><span class="s2">"https://your-cognito-domain.auth.us-east-1.amazoncognito.com/oauth2/token"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">AWS_CLIENT_ID</span><span class="o">=</span><span class="s2">"your-cognito-client-id"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">AWS_CLIENT_SECRET</span><span class="o">=</span><span class="s2">"your-cognito-client-secret"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">AZURE_ONLY</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">AZURE_TARGET_RESOURCE</span><span class="o">=</span><span class="s2">"https://database.windows.net/"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">KUBERNETES_ONLY</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">RATE_LIMIT_PER_SEC</span><span class="o">=</span>3.0 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">RATE_BURST</span><span class="o">=</span>5.0 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">S2S_RATE_LIMIT_PER_SEC</span><span class="o">=</span>30.0 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">S2S_RATE_BURST</span><span class="o">=</span>100.0 <span class="se">\</span> parth14854tiwari/eap:latest </code></pre> </div> <h2> 🔍 How it Works Under the Hood </h2> <p>EAP acts as a reverse proxy sitting directly in front of your target API (<code>TARGET_URL</code>). </p> <ol> <li> <strong>User Visits Service:</strong> If a user visits the URL via a browser, EAP checks for authentication. If unauthenticated, it initiates a Google OAuth flow. Upon successful authentication, it verifies their email against <code>ALLOWED_EMAILS</code>.</li> <li> <strong>Service-to-Service Requests:</strong> When another backend calls your API, EAP intercepts the call, validates the JWT Bearer token using the <code>JWT_SECRET</code> (or <code>RSA_PRIVATE_KEY</code> if configured), and enforces rate-limiting boundaries.</li> <li> <strong>Upstream Forwarding:</strong> Validated requests are passed through cleanly to <code>TARGET_URL</code>.</li> </ol> <h2> 🤝 Open Source &amp; Contributing </h2> <p>EAP is open-source and ready for production testing. We would love to hear your feedback, issues, and feature requests.</p> <p>If you find EAP useful, please:</p> <ul> <li> <strong>Star the repository 🌟</strong> on <a href="https://github.com/Parthtiw710/eap" rel="noopener noreferrer">GitHub</a>.</li> <li> <strong>Open issues</strong> for bugs, features, or ideas.</li> <li> <strong>Submit PRs</strong> to help us add support for additional OAuth providers (like GitHub or GitLab)!</li> </ul> opensource security go docker