162. Cloud Identity-Aware Proxy (IAP) Authentication

Cloud Identity-Aware Proxy (IAP) provides a security layer over applications deployed to Google Cloud.

The IAP starter uses Spring Security OAuth 2.0 Resource Server functionality to automatically extract user identity from the proxy-injected x-goog-iap-jwt-assertion HTTP header.

The following claims are validated automatically:

Issue time
Expiration time
Issuer
Audience

The audience ("aud") validation is automatically configured when the application is running on App Engine Standard or App Engine Flexible. For other runtime environments, a custom audience must be provided through spring.cloud.gcp.security.iap.audience property. The custom property, if specified, overrides the automatic App Engine audience detection.

Important

	Important
There is no automatic audience string configuration for Compute Engine or Kubernetes Engine. To use the IAP starter on GCE/GKE, find the Audience string per instructions in the Verify the JWT payload guide, and specify it in the `spring.cloud.gcp.security.iap.audience` property. Otherwise, the application will fail to start with `No qualifying bean of type 'org.springframework.cloud.gcp.security.iap.AudienceProvider' available` message.

There is no automatic audience string configuration for Compute Engine or Kubernetes Engine. To use the IAP starter on GCE/GKE, find the Audience string per instructions in the Verify the JWT payload guide, and specify it in the spring.cloud.gcp.security.iap.audience property. Otherwise, the application will fail to start with No qualifying bean of type 'org.springframework.cloud.gcp.security.iap.AudienceProvider' available message.

	Note
	If you create a custom `WebSecurityConfigurerAdapter` , enable extracting user identity by adding `.oauth2ResourceServer().jwt()` configuration to the `HttpSecurity` object. If no custom `WebSecurityConfigurerAdapter` is present, nothing needs to be done because Spring Boot will add this customization by default.

Starter Maven coordinates, using Spring Cloud GCP BOM :

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-gcp-starter-security-iap</artifactId>
</dependency>

Starter Gradle coordinates:

dependencies {
    compile group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-security-iap'
}

162.1 Configuration

The following properties are available.

	Caution
	Modifying registry, algorithm, and header properties might be useful for testing, but the defaults should not be changed in production.

Name	Description	Required	Default
`spring.cloud.gcp.security.iap.registry`	Link to JWK public key registry.	true	`https://www.gstatic.com/iap/verify/public_key-jwk`
`spring.cloud.gcp.security.iap.algorithm`	Encryption algorithm used to sign the JWK token.	true	`ES256`
`spring.cloud.gcp.security.iap.header`	Header from which to extract the JWK key.	true	`x-goog-iap-jwt-assertion`
`spring.cloud.gcp.security.iap.issuer`	JWK issuer to verify.	true	`https://cloud.google.com/iap`
`spring.cloud.gcp.security.iap.audience`	Custom JWK audience to verify.	false on App Engine; true on GCE/GKE

162.2 Sample

A sample application is available.

Docs

Docs4dev

Title here

162. Cloud Identity-Aware Proxy (IAP) Authentication

162.1 Configuration

162.2 Sample