Commit ca516a6

matthewgJon Wayne Parrott
authored andcommitted
Update validate_jwt to use new JWT header (GoogleCloudPlatform#1019)
1 parent 33ed9d7 commit ca516a6


3 files changed

+42
-10
lines changed

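--- a/iap/app_engine_app/iap_demo.py
+++ b/iap/app_engine_app/iap_demo.py
@@ -36,7 +36,7 @@
 @app.route('/')
 def echo_jwt():
     return 'x-goog-authenticated-user-jwt: {}'.format(
-        flask.request.headers.get('x-goog-authenticated-user-jwt'))
+        flask.request.headers.get('x-goog-iap-jwt-assertion'))
 
 
 @app.route('/identity')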
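Review bot: The label in the returned string on line 38 still reads `x-goog-authenticated-user-jwt` while the value on the new line 39 is now taken from the `x-goog-iap-jwt-assertion` header, so the demo echoes the old header name next to the new header's contents. Renaming the label to match, `return 'x-goog-iap-jwt-assertion: {}'.format(`, keeps the output honest and still satisfies the test's `split(': ')`. Also, `headers.get(...)` returns None when the header is absent (for example when the app is reached without IAP in front of it), so the response then literally contains the text `None`; a short comment saying this endpoint is only meaningful behind IAP would save the next reader a puzzle.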

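--- a/iap/iap_test.py
+++ b/iap/iap_test.py
@@ -30,6 +30,8 @@
 REFLECT_SERVICE_HOSTNAME = 'gcp-devrel-iap-reflect.appspot.com'
 IAP_CLIENT_ID = ('320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1'
                  '.apps.googleusercontent.com')
+IAP_APP_ID = 'gcp-devrel-iap-reflect'
+IAP_PROJECT_NUMBER = '320431926067'
 
 
 @flaky
@@ -42,8 +44,8 @@ def test_main(capsys):
         'https://{}/'.format(REFLECT_SERVICE_HOSTNAME),
         IAP_CLIENT_ID)
     iap_jwt = iap_jwt.split(': ').pop()
-    jwt_validation_result = validate_jwt.validate_iap_jwt(
-        'https://{}'.format(REFLECT_SERVICE_HOSTNAME), iap_jwt)
+    jwt_validation_result = validate_jwt.validate_iap_jwt_from_app_engine(
+        iap_jwt, IAP_PROJECT_NUMBER, IAP_APP_ID)
 
     assert jwt_validation_result[0]
     assert jwt_validation_result[1]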
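Review bot: The assertions on lines 50-51 never look at the third element of the tuple returned by the new call on lines 47-48, which per validate_jwt's docstring is the error string, so a failed validation only shows pytest that a value was falsy. Adding `assert not jwt_validation_result[2], jwt_validation_result[2]` before them puts the audience or signature failure reason straight into the test output. The new IAP_PROJECT_NUMBER on line 34 repeats the leading digits of IAP_CLIENT_ID; a one-line comment stating that both constants must describe the same project would help whoever updates one of them later. test_main begins outside the second hunk.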

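--- a/iap/validate_jwt.py
+++ b/iap/validate_jwt.py
@@ -27,18 +27,48 @@
 import requests
 
 
-def validate_iap_jwt(base_url, iap_jwt):
-    """Validate a JWT passed to your application by Identity-Aware Proxy.
+def validate_iap_jwt_from_app_engine(iap_jwt, cloud_project_number,
+                                     cloud_project_id):
+    """Validate a JWT passed to your App Engine app by Identity-Aware Proxy.
 
     Args:
-        base_url: The URL from the incoming request, minus any path, query, etc.
-            For instance: "https://example.com:8443" or
-            "https://example.appspot.com" .
-        iap_jwt: The contents of the X-Goog-Authenticated-User-JWT header.
+        iap_jwt: The contents of the X-Goog-IAP-JWT-Assertion header.
+        cloud_project_number: The project *number* for your Google Cloud project.
+            This is returned by 'gcloud projects describe $PROJECT_ID', or
+            in the Project Info card in Cloud Console.
+        cloud_project_id: The project *ID* for your Google Cloud project.
 
     Returns:
         (user_id, user_email, error_str).
     """
+    expected_audience = '/projects/{}/apps/{}'.format(
+        cloud_project_number, cloud_project_id)
+    return _validate_iap_jwt(iap_jwt, expected_audience)
+
+
+def validate_iap_jwt_from_compute_engine(iap_jwt, cloud_project_number,
+                                         backend_service_id):
+    """Validate an IAP JWT for your (Compute|Container) Engine service.
+
+    Args:
+        iap_jwt: The contents of the X-Goog-IAP-JWT-Assertion header.
+        cloud_project_number: The project *number* for your Google Cloud project.
+            This is returned by 'gcloud projects describe $PROJECT_ID', or
+            in the Project Info card in Cloud Console.
+        backend_service_id: The ID of the backend service used to access the
+            application. See
+            https://cloud.google.com/iap/docs/signed-headers-howto
+            for details on how to get this value.
+
+    Returns:
+        (user_id, user_email, error_str).
+    """
+    expected_audience = '/projects/{}/global/backendServices/{}'.format(
+        cloud_project_number, backend_service_id)
+    return _validate_iap_jwt(iap_jwt, expected_audience)
+
+
+def _validate_iap_jwt(iap_jwt, expected_audience):
     try:
         key_id = jwt.get_unverified_header(iap_jwt).get('kid')
         if not key_id:
@@ -47,7 +77,7 @@ def validate_iap_jwt(base_url, iap_jwt):
         decoded_jwt = jwt.decode(
             iap_jwt, key,
             algorithms=['ES256'],
-            audience=base_url)
+            audience=expected_audience)
         return (decoded_jwt['sub'], decoded_jwt['email'], '')
 except (jwt.exceptions.InvalidTokenError,
             requests.exceptions.RequestException) as e: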
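Review bot: The `jwt.decode` call on lines 77-80 now pins the audience to the expected project path but still leaves the token's `iss` claim unchecked, so issuer verification rests entirely on which key set `key` was fetched from. PyJWT's `issuer=` keyword enforces it at decode time, e.g. `audience=expected_audience, issuer='https://cloud.google.com/iap')` — the issuer value should be confirmed against the signed-headers howto the new docstring links to. `_validate_iap_jwt` on line 71 is the only new function without a docstring; a one-liner such as `"""Verify iap_jwt's signature and audience; returns (user_id, user_email, error_str)."""` would match its two public siblings, and a brief comment that the 'kid' is read from the unverified header solely to select the verification key would make lines 73-74 self-explanatory. `_validate_iap_jwt`'s body runs past the end of the first hunk, and the except branch in the second hunk is cut off before it completes.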
