3 releases (breaking)
| Version | Released |
|---|---|
| 0.3.0 | Nov 12, 2025 |
| 0.2.0 | Mar 11, 2025 |
| 0.1.0 | Aug 9, 2024 |
#501 in Authentication
34KB
740 lines
IAP JWT
Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs
Features
- Validate and decode JWTs issued by Google IAP https://cloud.google.com/iap/docs/signed-headers-howto
- Verify JWT signature using public keys from Google retrieved from the JWKS endpoint
- Validate standard claims like `exp`, `iat`, `aud`, `iss`
- Validate Google-specific claims like `hd` (hosted domain) and access levels
- Injectable public key retrieval and caching for testability
- Customizable validation options
Installation
```sh
cargo add iap-jwt
```
Two crypto backends are available via features, `aws_lc_rs` and `rust_crypto` (default), exactly one of which must be enabled.
To use `aws_lc_rs` instead:
```sh
cargo add iap-jwt --no-default-features --features reqwest,aws_lc_rs
```
Usage
```rust
use iap_jwt::ValidationConfig;

// The lines below use `.await?`, so they belong inside an async function
// that returns a Result.
let token = "..."; // JWT token from IAP

// reqwest Client implements iap_jwt::PublicKeySource with `reqwest` feature enabled (enabled by default)
let client = reqwest::Client::new();

// The audience list passed to `new`, plus the hosted-domain and access-level requirements.
let config = ValidationConfig::new(["/projects/1234567890/global/backendServices/test-service-id"])
    .with_google_hosted_domain(["example.com"])
    .with_access_levels(["ADMIN"]);

let claims = config.decode_and_validate(token, &client).await?;
println!("Authenticated user: {}", claims.sub);
```
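The claim checks listed under Features, written out as a std-only sketch. This is an added example, not the iap-jwt crate's implementation. `Claims`, `Policy`, `Reject`, `check`, the 30-second skew and the any-of matching of hosted domains and access levels are assumptions made for illustration, and signature verification is assumed to have already succeeded.

```rust
// Added illustration, not iap-jwt's code; the ES256 signature is assumed already verified.
const IAP_ISSUER: &str = "https://cloud.google.com/iap";
const SKEW_SECS: u64 = 30; // clock-skew allowance (assumed value)
pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a str,
    pub iat: u64,
    pub exp: u64,
    pub hd: Option<&'a str>,
    pub access_levels: Vec<&'a str>,
}

/// Hypothetical policy type: an empty list means "not enforced", otherwise any-of.
pub struct Policy<'a> {
    pub audiences: Vec<&'a str>,
    pub hosted_domains: Vec<&'a str>,
    pub access_levels: Vec<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Reject { Issuer, Audience, Expired, IssuedInFuture, HostedDomain, AccessLevel }
pub fn check(c: &Claims, p: &Policy, now: u64) -> Result<(), Reject> {
    if c.iss != IAP_ISSUER { return Err(Reject::Issuer); }
    // Exact match only: a token minted for another backend service must not pass.
    if !p.audiences.contains(&c.aud) { return Err(Reject::Audience); }
    if c.exp.saturating_add(SKEW_SECS) < now { return Err(Reject::Expired); }
    if c.iat > now.saturating_add(SKEW_SECS) { return Err(Reject::IssuedInFuture); }
    // A token with no hd claim fails whenever a hosted domain is required.
    if !p.hosted_domains.is_empty() && !c.hd.map_or(false, |hd| p.hosted_domains.contains(&hd)) {
        return Err(Reject::HostedDomain);
    }
    if !p.access_levels.is_empty() && !c.access_levels.iter().any(|l| p.access_levels.contains(l)) {
        return Err(Reject::AccessLevel);
    }
    Ok(())
}

// Constructed sample values, reusing the audience and lists from the usage snippet.
pub const AUD: &str = "/projects/1234567890/global/backendServices/test-service-id";
pub fn sample_policy() -> Policy<'static> {
    Policy { audiences: vec![AUD], hosted_domains: vec!["example.com"], access_levels: vec!["ADMIN"] }
}
pub fn sample_claims(now: u64) -> Claims<'static> {
    Claims { iss: IAP_ISSUER, aud: AUD, iat: now - 10, exp: now + 590,
             hd: Some("example.com"), access_levels: vec!["ADMIN"] }
}
fn main() {
    println!("{:?}", check(&sample_claims(1_700_000_000), &sample_policy(), 1_700_000_000));
}
```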
License
This project is licensed under either of the following licenses, at your option:
- Apache-2.0
- MIT
Dependencies
~4–30MB
~496K SLoC