Commit ca8442a

matthewgJon Wayne Parrott
authored andcommitted
make_iap_request: Replace base URL with client ID (GoogleCloudPlatform#979)
Client ID is the preferred thing to use for the aud claim. --msachs@, IAP TLM
1 parent 2db341d commit ca8442a


2 files changed

+7
-12
lines changed

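--- a/iap/iap_test.py
+++ b/iap/iap_test.py
@@ -28,6 +28,8 @@
 # The project must have the service account used by this test added as a
 # member of the project.
 REFLECT_SERVICE_HOSTNAME = 'gcp-devrel-iap-reflect.appspot.com'
+IAP_CLIENT_ID = ('320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1'
+'.apps.googleusercontent.com')
 
 
 @flaky
@@ -37,7 +39,8 @@ def test_main(capsys):
 # the JWT in order to expose it to this test. Thus, this test
 # exercises both make_iap_request and validate_jwt.
 iap_jwt = make_iap_request.make_iap_request(
-'https://{}/'.format(REFLECT_SERVICE_HOSTNAME))
+'https://{}/'.format(REFLECT_SERVICE_HOSTNAME),
+IAP_CLIENT_ID)
 iap_jwt = iap_jwt.split(': ').pop()
 jwt_validation_result = validate_jwt.validate_iap_jwt(
 'https://{}'.format(REFLECT_SERVICE_HOSTNAME), iap_jwt)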
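Review bot: `IAP_CLIENT_ID` is added in the first hunk without a comment, while the constant above it carries a note about what the project needs. The value is now passed as the second argument to `make_iap_request`, so it has to be the client ID of the IAP in front of `REFLECT_SERVICE_HOSTNAME`; I would add `# OAuth client ID of the IAP protecting REFLECT_SERVICE_HOSTNAME (a public identifier, not a secret); must match that deployment.` above it. Reading it from the environment with this value as the default would also let the test run against another project.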

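--- a/iap/make_iap_request.py
+++ b/iap/make_iap_request.py
@@ -24,30 +24,22 @@
 import google.oauth2.service_account
 import requests
 import requests_toolbelt.adapters.appengine
-from six.moves import urllib_parse as urlparse
 
 
 IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
 OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'
 
 
-def make_iap_request(url):
+def make_iap_request(url, client_id):
 """Makes a request to an application protected by Identity-Aware Proxy.
 
 Args:
 url: The Identity-Aware Proxy-protected URL to fetch.
+client_id: The client ID used by Identity-Aware Proxy.
 
 Returns:
 The page body, or raises an exception if the page couldn't be retrieved.
 """
-# Take the input URL and remove everything except the protocol, domain,
-# and port. Examples:
-# https://foo.example.com/ => https://foo.example.com
-# https://example.com:8443/foo/bar?quuz=quux#lorem =>
-# https://example.com:8443
-base_url = urlparse.urlunparse(
-urlparse.urlparse(url)._replace(path='', query='', fragment=''))
-
 # Figure out what environment we're running in and get some preliminary
 # information about the service account.
 bootstrap_credentials, _ = google.auth.default(
@@ -90,7 +82,7 @@ def make_iap_request(url):
 # and email acquired from the bootstrap credentials.
 service_account_credentials = google.oauth2.service_account.Credentials(
 signer, signer_email, token_uri=OAUTH_TOKEN_URI, additional_claims={
-'target_audience': base_url
+'target_audience': client_id
 })
 
 # service_account_credentials gives us a JWT signed by the service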
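Review bot: With `'target_audience': client_id` the token's audience is no longer derived from `url`, so nothing in the visible lines ties the host the request is sent to to the audience the token is minted for. If the token is attached to the request to `url` further down (outside these hunks), a caller that passes a URL not served behind that IAP client would hand a bearer token valid for the protected app to another host. The docstring should state the contract, e.g. `client_id: The OAuth 2.0 client ID of the IAP protecting url; it becomes the token's aud claim, so url must be an https:// URL served behind that IAP.` A cheap guard before minting the token would be `if not url.startswith('https://'): raise ValueError('url must use https')`. The body of make_iap_request continues outside both hunks, so an existing check there cannot be ruled out.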
