GitHub - imkira/gcp-iap-auth at v0.0.1

A simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Cloud IAP (Identity-Aware Proxy)


gcp-iap-auth


gcp-iap-auth is a simple server implementation and package in Go for helping you secure your web apps running on GCP behind Google Cloud Platform's IAP (Identity-Aware Proxy) by validating the IAP-signed header (X-Goog-Authenticated-User-JWT) in incoming requests.

Why

Validating the signed header on every request protects your app even when the traffic did not actually pass through IAP, for example when:

  • IAP is accidentally disabled;
  • firewalls are misconfigured and expose the backend directly;
  • the request comes from within the project (internal traffic that reaches the backend without going through IAP).

How to use it as a package

go get -u github.com/imkira/gcp-iap-auth/jwt

The following is just an excerpt of the provided simple.go example (the package and import lines are added here so the handler compiles on its own):

package main

import (
	"net/http"
	"github.com/imkira/gcp-iap-auth/jwt"
)

// cfg (IAP public keys and accepted audiences) is built earlier in simple.go; its type is assumed here to be *jwt.Config.
var cfg *jwt.Config

// Here we validate the tokens in all requests going to
// our server at http://127.0.0.1:12345/auth
// For valid tokens we return 200, otherwise 401.
func AuthHandler(w http.ResponseWriter, req *http.Request) {
	if err := jwt.ValidateRequestClaims(req, cfg); err != nil {
		w.WriteHeader(http.StatusUnauthorized)
	} else {
		w.WriteHeader(http.StatusOK)
	}
}

For advanced usage (building the configuration, fetching the IAP public keys, reading the validated claims), check the package documentation for github.com/imkira/gcp-iap-auth/jwt.
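To show what a validator such as jwt.ValidateRequestClaims has to get right, here is an added stand-alone example written for this page; it is not the project's code and does not use its API. It parses the compact ES256 JWT that IAP places in X-Goog-Authenticated-User-JWT, pins the algorithm (so an alg=none or HS256 header cannot downgrade the check), verifies the ECDSA signature against a key selected by kid before trusting any claim, and only then checks iss (https://cloud.google.com/iap), aud and exp. Assumptions: the audience https://app.example.com, the kid "k1", the claim values and the signing key are all constructed here so the example runs offline; in a deployment the trusted keys are the ones Google publishes at https://www.gstatic.com/iap/verify/public_key, the audience is whatever IAP puts in the aud claim for your backend, and the README's AuthHandler would pass req.Header.Get("X-Goog-Authenticated-User-JWT") to Validate and map the error to 401. The Sign function stands in for IAP so the example can mint tokens; an application never holds that private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuer IAP puts in the iss claim of X-Goog-Authenticated-User-JWT.
const iapIssuer = "https://cloud.google.com/iap"

// IAPClaims holds the claims this example checks.
type IAPClaims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Email    string `json:"email"`
	Expires  int64  `json:"exp"`
}

// Verifier holds trusted IAP public keys by kid (in production fetched from
// https://www.gstatic.com/iap/verify/public_key) and the audiences we accept.
type Verifier struct {
	Keys      map[string]*ecdsa.PublicKey
	Audiences map[string]bool
}

// Validate checks a compact ES256 JWT: alg pinned (no "none"/HS256 downgrade),
// signature verified before any claim is trusted, then iss, aud and exp.
func (v *Verifier) Validate(token string) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawClaims, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 { // ES256 sig is r||s
		return nil, errors.New("bad encoding or signature length")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("alg must be ES256")
	}
	key, ok := v.Keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(key, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var c IAPClaims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != iapIssuer:
		return nil, errors.New("unexpected issuer")
	case !v.Audiences[c.Audience]:
		return nil, errors.New("audience not accepted")
	case c.Expires <= time.Now().Unix():
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Sign mints an ES256 token as IAP would; only here so the example runs offline.
func Sign(priv *ecdsa.PrivateKey, kid string, c IAPClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // fixed-width r||s as JWS requires, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key standing in for Google's
	v := &Verifier{Keys: map[string]*ecdsa.PublicKey{"k1": &priv.PublicKey}, Audiences: map[string]bool{"https://app.example.com": true}}
	tok, _ := Sign(priv, "k1", IAPClaims{Issuer: iapIssuer, Audience: "https://app.example.com", Email: "alice@example.com", Expires: time.Now().Unix() + 600})
	fmt.Println(v.Validate(tok))
}
```

The order of checks is the point: the header is only used to pick a key and confirm the algorithm, the signature is verified over the exact base64url bytes received, and the claims are decoded and compared only afterwards, so a forged audience or issuer never influences which key is trusted.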

How to use it as a server

Binary Releases are provided for convenience.

After downloading it, you can execute it like:

gcp-iap-auth --audiences=https://APP_DOMAIN

HTTPS is also supported. Just make sure you give it the cert/key files:

gcp-iap-auth --audiences=https://APP_DOMAIN --tls-cert=PATH_TO_CERT_FILE --tls-key=PATH_TO_KEY_FILE

It is also possible to use environment variables instead of flags. Just prepend GCP_IAP_AUTH_ to the flag name (in CAPS and with - replaced by _) and you're good to go (e.g. GCP_IAP_AUTH_AUDIENCES replaces --audiences, GCP_IAP_AUTH_TLS_CERT replaces --tls-cert).

For help, just check usage:

gcp-iap-auth --help

Integration with NGINX

You can also integrate gcp-iap-auth server with NGINX using the http_auth_request_module.

The important part is as follows (the repository ships a full nginx.conf example file):

    upstream AUTH_SERVER_UPSTREAM {
      server AUTH_SERVER_ADDR:AUTH_SERVER_PORT;
    }

    server {
      server_name _;

      location = /auth {
          internal;
          proxy_pass                 http://AUTH_SERVER_UPSTREAM;
          proxy_pass_request_body    off;
          proxy_pass_request_headers off;
          proxy_set_header           X-Goog-Authenticated-User-JWT $http_x_goog_authenticated_user_jwt;
      }
    }

    upstream APP_SERVER_UPSTREAM {
      server APP_SERVER_ADDR:APP_SERVER_PORT;
    }

    server {
      server_name APP_DOMAIN;

      auth_request /auth;
      location / {
        proxy_pass http://APP_SERVER_UPSTREAM;
      }
    }

Please note:

  • Replace AUTH_SERVER_UPSTREAM, AUTH_SERVER_ADDR, and AUTH_SERVER_PORT with the data about your gcp-iap-auth server.
  • Replace APP_SERVER_UPSTREAM, APP_SERVER_ADDR, and APP_SERVER_PORT with the data about your own web app server.
  • Replace APP_DOMAIN with the domain(s) you set up in your GCP IAP settings.
  • gcp-iap-auth only needs to receive the original X-Goog-Authenticated-User-JWT header sent by Google, so you can, and are advised to, disable proxying of the original request body and the other headers (proxy_pass_request_body off and proxy_pass_request_headers off above). Not only is it unnecessary, but you may also leak information to the auth server that you do not want to.
  • Please adjust appropriately (you may want to use HTTPS instead of HTTP, multiple domains, etc.). This example is just provided for reference.

License

gcp-iap-auth is licensed under the MIT license:

www.opensource.org/licenses/MIT

Copyright

Copyright (c) 2017 Mario Freitas. See LICENSE for further details.
