#google-cloud #jwt #google #jwk #iap

iap-jwt

Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs

1 unstable release

0.1.0 Aug 9, 2024

#451 in Authentication

MIT/Apache

31KB
686 lines

IAP JWT

GitHub MIT/Apache 2.0 Crates.io docs.rs

Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs

Features

  • Validate and decode JWTs issued by Google IAP https://cloud.google.com/iap/docs/signed-headers-howto
  • Verify JWT signature using public keys from Google retrieved from the JWKS endpoint
  • Validate standard claims like exp, iat, aud, iss
  • Validate Google-specific claims like hd (hosted domain) and access levels
  • Injectable public key retrieval and caching for testability
  • Customizable validation options

Usage

cargo add iap-jwt
use iap_jwt::{ValidationConfig};

let token = "..."; // JWT token from IAP

// reqwest Client implements iap_jwt::PublicKeySource with `reqwest` feature enabled (enabled by default)
let client = reqwest::Client::new();

let config = ValidationConfig::new(["/projects/1234567890/global/backendServices/test-service-id"])
    .with_google_hosted_domain(["example.com"])
    .with_access_levels(["ADMIN"]);

let claims = config.decode_and_validate(token, &client).await?;

println!("Authenticated user: {}", claims.sub);

License

This project is licensed under either of the following licenses, at your option:

  • Apache-2.0
  • MIT

Dependencies

~4–16MB
~226K SLoC