1 unstable release: 0.1.0 (Aug 9, 2024)
#519 in Authentication
31KB
686 lines
IAP JWT
Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs
Features
- Validate and decode JWTs issued by Google IAP (https://cloud.google.com/iap/docs/signed-headers-howto)
- Verify JWT signature using public keys from Google retrieved from the JWKS endpoint
- Validate standard claims like `exp`, `iat`, `aud`, `iss`
- Validate Google-specific claims like `hd` (hosted domain) and access levels
- Injectable public key retrieval and caching for testability
- Customizable validation options
Usage
```sh
cargo add iap-jwt
```

```rust
// Runs inside an async function that returns a Result (`.await?` below).
use iap_jwt::ValidationConfig;

let token = "..."; // JWT token from IAP

// reqwest Client implements iap_jwt::PublicKeySource with `reqwest` feature enabled (enabled by default)
let client = reqwest::Client::new();

// The expected audience is the backend service that IAP protects.
let config = ValidationConfig::new(["/projects/1234567890/global/backendServices/test-service-id"])
    .with_google_hosted_domain(["example.com"])
    .with_access_levels(["ADMIN"]);

let claims = config.decode_and_validate(token, &client).await?;
println!("Authenticated user: {}", claims.sub);
```
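The claim checks listed under Features, written out as an added std-only example (not the iap-jwt crate's code). It assumes the signature has already been verified and the payload decoded; `Claims`, `Reject`, `check_claims` and `sample` are hypothetical names, and the issuer string and 30-second skew allowance follow Google's signed-headers guide.

```rust
// Added example, not the iap-jwt crate's code. Names here are hypothetical.
// Assumes the ES256 signature was already verified and the payload decoded.
const IAP_ISSUER: &str = "https://cloud.google.com/iap";
const SKEW_SECS: u64 = 30; // clock-skew allowance from Google's IAP guide

pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a str,
    pub exp: u64,
    pub iat: u64,
    pub hd: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Reject { Issuer, Audience, Expired, IssuedInFuture, HostedDomain }

pub fn check_claims(c: &Claims, now: u64, audiences: &[&str], domains: &[&str]) -> Result<(), Reject> {
    if c.iss != IAP_ISSUER {
        return Err(Reject::Issuer);
    }
    // Exact match only: aud binds the token to one backend service, so a
    // token minted for another IAP-protected service must not be accepted.
    if !audiences.contains(&c.aud) {
        return Err(Reject::Audience);
    }
    if c.exp.saturating_add(SKEW_SECS) <= now {
        return Err(Reject::Expired);
    }
    if c.iat > now.saturating_add(SKEW_SECS) {
        return Err(Reject::IssuedInFuture);
    }
    // Fail closed: with a domain allow-list set, a missing hd is a rejection.
    match c.hd {
        _ if domains.is_empty() => Ok(()),
        Some(hd) if domains.contains(&hd) => Ok(()),
        _ => Err(Reject::HostedDomain),
    }
}

// Constructed sample claims; the audience is the one from the usage snippet.
pub const AUD: &str = "/projects/1234567890/global/backendServices/test-service-id";
pub fn sample(now: u64) -> Claims<'static> {
    Claims { iss: IAP_ISSUER, aud: AUD, exp: now + 600, iat: now - 5, hd: Some("example.com") }
}

fn main() {
    let now = 1_723_200_000; // constructed timestamp
    println!("{:?}", check_claims(&sample(now), now, &[AUD], &["example.com"]));
}
```

Passing an empty `domains` slice skips the `hd` check in this sketch; whether the crate behaves the same way when no hosted domain is configured is not stated on this page.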
License
This project is licensed under either of the following licenses, at your option:
- Apache-2.0
- MIT
Dependencies
~4–17MB
~230K SLoC