162. Cloud Identity-Aware Proxy (IAP) Authentication
Cloud Identity-Aware Proxy (IAP) provides a security layer over applications deployed to Google Cloud.
The IAP starter uses Spring Security OAuth 2.0 Resource Server functionality to automatically extract user identity from the proxy-injected x-goog-iap-jwt-assertion HTTP header.
The following claims are validated automatically:
- Issue time
- Expiration time
- Issuer
- Audience
The audience ("aud") validation is automatically configured when the application is running on App Engine Standard or App Engine Flexible. For other runtime environments, a custom audience must be provided through the spring.cloud.gcp.security.iap.audience property. The custom property, if specified, overrides the automatic App Engine audience detection.
Important: There is no automatic audience string configuration for Compute Engine or Kubernetes Engine. To use the IAP starter on GCE/GKE, find the Audience string per the instructions in the Verify the JWT payload guide, and specify it in the spring.cloud.gcp.security.iap.audience property.
Note: If you create a custom
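To make the automatic claim checks concrete, here is an added example (not code from the Spring Cloud GCP project) that validates a proxy-style assertion the way the starter does: signature first, then issue time, expiration, issuer and audience. It assumes a constructed HS256 shared key in place of IAP's ES256 JWK registry, the issuer string Google documents for IAP, and a placeholder backend-service audience of the form used on GCE/GKE.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: the issuer string IAP places in its assertions and a
# placeholder audience in the backend-service form used on GCE/GKE.
IAP_ISSUER = "https://cloud.google.com/iap"
EXPECTED_AUDIENCE = "/projects/123456789/global/backendServices/987654321"
SIGNING_KEY = b"constructed-demo-secret"  # HS256 stand-in for IAP's ES256 JWK


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a JWT as the proxy would (HS256 here instead of ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_assertion(token, audience, now, key=SIGNING_KEY, leeway=30):
    """Verify the signature, then the four claims the starter checks."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"  # claims are untrusted until this passes
    claims = json.loads(_b64url_decode(body))
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or iat > now + leeway:
        return False, "issued in the future"
    if exp is None or exp <= now - leeway:
        return False, "expired"
    if claims.get("iss") != IAP_ISSUER:
        return False, "unexpected issuer"
    if not audience or claims.get("aud") != audience:
        return False, "audience mismatch"  # unset audience on GCE/GKE rejects all
    return True, claims.get("email", "")
```

The last check is why the audience property is required on GCE/GKE: with no configured audience there is nothing to compare against, and every assertion must be rejected rather than accepted.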
Starter Maven coordinates, using the Spring Cloud GCP BOM:
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-gcp-starter-security-iap</artifactId>
    </dependency>
Starter Gradle coordinates:
dependencies { compile group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-security-iap' }
The following properties are available.
Caution: Modifying the registry, algorithm, and header properties might be useful for testing, but the defaults should not be changed in production.
Name | Description | Required | Default
---|---|---|---
spring.cloud.gcp.security.iap.registry | Link to JWK public key registry. | true |
spring.cloud.gcp.security.iap.algorithm | Encryption algorithm used to sign the JWK token. | true |
spring.cloud.gcp.security.iap.header | Header from which to extract the JWK key. | true | x-goog-iap-jwt-assertion
spring.cloud.gcp.security.iap.issuer | JWK issuer to verify. | true |
spring.cloud.gcp.security.iap.audience | Custom JWK audience to verify. | false on App Engine; true on GCE/GKE |
A sample application is available.