Name: gcp-iap-auth
Owner: NYT Newsroom Developers
Description: A simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Cloud IAP (Identity-Aware Proxy)
Forked from: imkira/gcp-iap-auth
Created: 2017-09-29 17:10:46.0
Updated: 2018-05-23 02:44:44.0
Pushed: 2017-09-29 20:30:09.0
Homepage: null
Size: 85
Language: Go
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
gcp-iap-auth
is a simple server implementation and package in
Go for helping you secure your web apps running on GCP
behind a
Google Cloud Platform's IAP (Identity-Aware Proxy) by validating IAP signed headers in the requests.
Validating signed headers helps you protect your app from the following kinds of risks:
et -u github.com/imkira/gcp-iap-auth/jwt
The following is just an excerpt of the provided simple.go example:
ere we validate the tokens in all requests going to
ur server at http://127.0.0.1:12345/auth
or valid tokens we return 200, otherwise 401.
AuthHandler(w http.ResponseWriter, req *http.Request) {
if err := jwt.ValidateRequestClaims(req, cfg); err != nil {
w.WriteHeader(http.StatusUnauthorized)
} else {
w.WriteHeader(http.StatusOK)
}
For advanced usage, make sure to check the available documentation here.
Binary Releases are provided for convenience.
After downloading it, you can execute it like:
iap-auth --audiences=https://APP_DOMAIN
HTTPS is also supported. Just make sure you give it the cert/key files:
iap-auth --audiences=https://APP_DOMAIN --tls-cert=PATH_TO_CERT_FILE --tls-key=PATH_TO_KEY_FILE
It is also possible to use environment variables instead of flags.
Just prepend GCP_IAP_AUTH_
to the flag name (in CAPS and with -
replaced by _
) and you're good to go (eg: GCP_IAP_AUTH_AUDIENCES
replaces --audiences
)
For help, just check usage:
iap-auth --help
In this mode the gcp-iap-auth
server runs as a proxy in front of another web
app. The JWT header will be checked and requests with a valid header will be
passed to the backend, while all other requests will return HTTP error 401.
iap-auth --audiences=https://APP_DOMAIN --backend=http://localhost:8080
In proxy mode you may optionally specify a header that will be filled with the
validated email address from the JWT token. The value will only contain the
email address, eg: name@dom.tld
, unlike the x-goog-authenticated-user-email
header this does not contain a namespace prefix, making this approach suitable
for backend apps which only want an email address.
iap-auth --audiences=https://APP_DOMAIN --backend=http://localhost:8080 --email-header=X-WEBAUTH-USER
You can also integrate gcp-iap-auth
server with NGINX
using the
http_auth_request_module.
The important part is as follows (full nginx.conf example file here):
upstream AUTH_SERVER_UPSTREAM {
server AUTH_SERVER_ADDR:AUTH_SERVER_PORT;
}
upstream APP_SERVER_UPSTREAM {
server APP_SERVER_ADDR:APP_SERVER_PORT;
}
server {
server_name APP_DOMAIN;
location = /gcp-iap-auth {
internal;
proxy_pass http://AUTH_SERVER_UPSTREAM/auth;
proxy_pass_request_body off;
proxy_pass_request_headers off;
proxy_set_header X-Goog-Authenticated-User-JWT $http_x_goog_authenticated_user_jwt;
}
location / {
auth_request /gcp-iap-auth;
proxy_pass http://APP_SERVER_UPSTREAM;
}
}
Please note:
AUTH_SERVER_UPSTREAM
, AUTH_SERVER_ADDR
, and AUTH_SERVER_PORT
with the data about your gcp-iap-auth
server.APP_SERVER_UPSTREAM
, APP_SERVER_ADDR
, and APP_SERVER_PORT
with the data about your own web app server.APP_DOMAIN
with the domain(s) you set up in your GCP IAP settings.gcp-iap-auth
only needs to receive the original X-Goog-Authenticated-User-JWT
header sent by Google, so you can and you are advised to disable proxying the original request body and other headers. Not only it is unecessary you may leak information you may not want to.Docker images are provided for convenience.
er run --rm -e GCP_IAP_AUTH_AUDIENCES=https://yourdomain imkira/gcp-iap-auth
For advanced usage, please read the instructions inside.
A simple way to use it with kubernetes and without any other dependencies is to run it as a reverse proxy that validates and forwards requests to a backend server.
- name: gcp-iap-auth
image: imkira/gcp-iap-auth:0.0.3
env:
- name: GCP_IAP_AUTH_AUDIENCES
value: "https://YOUR_DOMAIN1,https://YOUR_DOMAIN2"
- name: GCP_IAP_AUTH_LISTEN_PORT
value: "1080"
- name: GCP_IAP_BACKEND
value: "http://YOUR_BACKEND_SERVER"
ports:
- name: proxy
containerPort: 1080
readinessProbe:
httpGet:
path: /healthz
scheme: HTTP
port: proxy
periodSeconds: 1
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 10
livenessProbe:
httpGet:
path: /healthz
scheme: HTTP
port: proxy
timeoutSeconds: 5
initialDelaySeconds: 10
You can use it with kubernetes in different ways, but I personally recommend running it as a sidecar container by adding it to, say, an existing NGINX container:
- name: nginx
# your nginx container should go here...
- name: gcp-iap-auth
image: imkira/gcp-iap-auth:0.0.3
env:
- name: GCP_IAP_AUTH_AUDIENCES
value: "https://YOUR_DOMAIN1,https://YOUR_DOMAIN2"
- name: GCP_IAP_AUTH_LISTEN_PORT
value: "1080"
ports:
- name: auth
containerPort: 1080
readinessProbe:
httpGet:
path: /healthz
scheme: HTTP
port: auth
periodSeconds: 1
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 10
livenessProbe:
httpGet:
path: /healthz
scheme: HTTP
port: auth
timeoutSeconds: 5
initialDelaySeconds: 10
To use HTTPS just make sure:
GCP_IAP_AUTH_TLS_CERT=/path/to/tls_cert_file
and GCP_IAP_AUTH_TLS_KEY=/path/to/tls_key_file
environment variables.HTTPS
.gcp-iap-auth is licensed under the MIT license:
www.opensource.org/licenses/MIT
Copyright (c) 2017 Mario Freitas. See LICENSE for further details.