MCPcopy Index your code
hub / github.com/The-OAG-Development-Project/Application-Gateway

github.com/The-OAG-Development-Project/Application-Gateway @v0.7.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.7.2 ↗ · + Follow
873 symbols 2,335 edges 188 files 624 documented · 71% updated 4mo agov0.7.2 · 2025-12-30★ 8710 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

OWASP Application Gateway

OWASP Incubator License GitHub release (latest by date including pre-releases) CI/CD

🏗️ OWASP Application Gateway is work-in-progress. No productive version has been released yet.

OWASP Application Gateway is an HTTP reverse proxy that sits between your web application and the client and handles Oauth2 login and session management. For you, as a developer, OWASP Application Gateway removes the hassle to implement complicated oauth2 logic in the backend and frontend so you can focus totally on your applications logic.

Overview Picture

Table of Contents

Design Principles

Secure by default

Implementing secure logins and session management became much more complicated within the last few years. OWASP Application Gateway aims to make this easier. Also, it implements many security hardening measures out of the box.

Stateless

Wherever possible, OWASP Application Gateway is stateless. All session information is stored within encrypted cookies on the clients. Stateless session management makes it a lot easier to deploy OWASP Application Gateway on multiple nodes.

Configuration based

OWASP Application Gateway's behavior is controlled with a central configuration file describing all routes and Oauth2 integrations. This makes it easier to review the configuration for security issues and to debug on different environments. The deployment and scaling are straightforward; configure the config file's file path, and that's all you need to do.

Configuration File

OWASP Application Gateway is fully configured with a simple and easy to understand configuration file. Details are documented in the GitHub doc.

hostUri: https://example.com

routes:
  httpbin:
    type: webapplication
    path: /**
    url: https://httpbin.org
    allowAnonymous: yes
  echo:
    type: webapplication
    path: /echo/**
    url: https://nellydemoapp.azurewebsites.net
    allowAnonymous: no

loginProviders:
  google:
    type: oidc
    with:
      authEndpoint: https://accounts.google.com/o/oauth2/auth
      tokenEndpoint: https://oauth2.googleapis.com/token
      clientId: 372143946338-48et57uhmcumku7am3ocvva0idc7u0td.apps.googleusercontent.com
      clientSecret: env:GOOGLE_CLIENT_SECRET
      scopes: [ "openid", "email" ]

  github:
    type: github
    with:
      authEndpoint: https://github.com/login/oauth/authorize
      tokenEndpoint: https://github.com/login/oauth/access_token
      clientId: 163ad3b08c3829216ba1
      clientSecret: env:GITHUB_CLIENT_SECRET
      scopes: [ "user", "email" ]

securityProfiles:
  webapplication:
    responseHeaders:
      Server: <<remove>>
      X-Powered-By: <<remove>>
      X-XSS-Protection: 1;mode=block;
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Referrer-Policy: strict-origin-when-cross-origin
      Content-Security-Policy: base-uri 'self';object-src 'self'
      Permissions-Policy: geolocation=(),notifications=(),push=(),microphone=(),camera=(),speaker=(),vibrate=(),fullscreen=(),payment=(),usb=(),magnetometer=(),gyroscope=(),accelerometer=()
      Strict-Transport-Security: max-age=31536000; includeSubDomains


traceProfile:
  forwardIncomingTrace: true
  maxLengthIncomingTrace: 254
  acceptAdditionalTraceInfo: false
  maxLengthAdditionalTraceInfo: 254
  sendTraceResponse: true
  type: w3cTraceContext

How to run

You have three options on how to run OWASP Application Gateway: * There is an official docker image that just works out of the box. You need to mount the config file via docker volumes. * If you don't want to use docker, you can also download the released jar file. * Of course you can also build OWASP Application Gateway by yourself with Maven. Note, that in all cases this starts the OAG with a self-signed certificate (This means you will get warnings in your browser when connecting.) It is recommended you change the certificate according to: Configure TLS.

Docker Release

You can find the Docker image at Docker Hub.

Download and Start:

# Download image of oag
docker pull owasp/application-gateway:main-SNAPSHOT

# Download sample config and adapt it to your needs
curl https://raw.githubusercontent.com/The-OAG-Development-Project/Application-Gateway/refs/heads/main/oag/sample-config.yaml >> oag-config.yaml
vim oag-config.yaml

# Start the container
docker run -e OAG_CONFIG_PATH=/app/oag-config.yaml -v ${PWD}/oag-config.yaml:/app/oag-config.yaml owasp/application-gateway:main-SNAPSHOT

Jar release

Point your browser to https://github.com/The-OAG-Development-Project/Application-Gateway/releases/latest Download the oag*.zip from the Assets section.

unzip oag*.zip
cd build/app
java -jar oag.jar

Compile it Yourself

The easiest way is to use Docker to build OWASP Application Gateway.

git clone https://github.com/The-OAG-Development-Project/Application-Gateway.git
cd Application-Gateway
docker build -t owasp/application-gateway:SNAPSHOT .
docker run -p 8080:8080 owasp/application-gateway:SNAPSHOT

If you don't want to use Docker you can build the jar by yourself with Maven:

git clone https://github.com/The-OAG-Development-Project/Application-Gateway.git
cd Application-Gateway
cd oag
mvn package -DskipTests
java -jar target/oag-exec.jar

You may also use your IDE for building OAG. Please see Setup OAG for development for instructions using IntelliJ as an example.

Functionality

  • [x] TLS endpoint
  • [x] OpenID Connect Login with multiple providers
  • [x] Multiple Backend routes
  • [x] Authenticated routes
  • [x] Request Logging
  • [x] Add and remove response headers
  • [x] Secure, HTTP-only and same-site session cookies
  • [x] Forward id token to backend
  • [x] Upstream authentication with API key
  • [x] GitHub Login support
  • [x] Method whitelisting
  • [x] CSRF protection
  • [x] Rolling sessions
  • [x] W3C compliant request tracing

Ideas:

  • [ ] Header whitelisting
  • [ ] Report URI Endpoint
  • [ ] Default configuration
  • [ ] ...

Mascot

Picture of cute elephant holding OAG banner.

Extension points exported contracts — how you extend this code

TraceContext (Interface)
Represents trace implementations (i.e. correlationID implementations) to simlify log correlation and auditing/tracing wh [6 …
oag/src/main/java/org/owasp/oag/logging/TraceContext.java
CsrfProtectionValidation (Interface)
Interface for CSRF (Cross-Site Request Forgery) protection validation. Implementations of this interface provide differe [7 …
oag/src/main/java/org/owasp/oag/services/csrf/CsrfProtectionValidation.java
JwtSignerFactory (Interface)
Factory class for jwt singer objects. [6 implementers]
oag/src/main/java/org/owasp/oag/services/crypto/jwt/JwtSignerFactory.java
UserMapper (Interface)
This is an interface for the such called user mapper. A user mapper is responsible for adding the user information to th [6 …
oag/src/main/java/org/owasp/oag/services/tokenMapping/UserMapper.java
SessionHook (Interface)
Interface for session-related hook operations. Session hooks are called during session lifecycle events such as creation [6 …
oag/src/main/java/org/owasp/oag/hooks/session/SessionHook.java

Core symbols most depended-on inside this repo

get
called by 96
oag/src/main/java/org/owasp/oag/infrastructure/factories/LoginDriverFactory.java
build
called by 29
oag/src/main/java/org/owasp/oag/config/configuration/PathRewriteConfig.java
toString
called by 26
oag/src/main/java/org/owasp/oag/logging/w3ctrace/W3cTraceContextState.java
equals
called by 25
oag/src/main/java/org/owasp/oag/session/UserModel.java
contextual
called by 20
oag/src/main/java/org/owasp/oag/utils/LoggingUtils.java
set
called by 16
oag/src/main/java/org/owasp/oag/session/UserModel.java
getKeyManagementProfile
called by 15
oag/src/main/java/org/owasp/oag/config/configuration/MainConfig.java
logTrace
called by 14
oag/src/main/java/org/owasp/oag/utils/LoggingUtils.java

Shape

Method 674
Class 178
Interface 20
Enum 1

Languages

Java100%

Modules by API surface

oag/src/main/java/org/owasp/oag/config/configuration/MainConfig.java22 symbols
oag/src/main/java/org/owasp/oag/config/configuration/TraceProfile.java17 symbols
oag/src/main/java/org/owasp/oag/config/configuration/GatewayRoute.java15 symbols
oag/src/main/java/org/owasp/oag/services/login/drivers/oauth/Oauth2Driver.java14 symbols
oag/src/main/java/org/owasp/oag/logging/simpleTrace/SimpleTraceContext.java14 symbols
oag/src/main/java/org/owasp/oag/controllers/LoginController.java14 symbols
oag/src/main/java/org/owasp/oag/services/keymgm/LocalRsaJwkStore.java13 symbols
oag/src/main/java/org/owasp/oag/logging/w3ctrace/W3cTraceContext.java13 symbols
oag/src/main/java/org/owasp/oag/logging/TraceContext.java13 symbols
oag/src/main/java/org/owasp/oag/logging/NoTraceContext.java13 symbols
oag/src/main/java/org/owasp/oag/config/configuration/SessionBehaviour.java13 symbols
oag/src/main/java/org/owasp/oag/cookies/LoginCookie.java12 symbols

For agents

$ claude mcp add Application-Gateway \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact