278 lines
11 KiB
HTML
278 lines
11 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]-->
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta name="generator" content="Asciidoctor 1.5.7.1">
|
|
<title>Cloud Identity-Aware Proxy (IAP) Authentication</title>
|
|
<link rel="stylesheet" href="css/spring.css">
|
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
|
|
|
|
<style>
|
|
.hidden {
|
|
display: none;
|
|
}
|
|
|
|
.switch {
|
|
border-width: 1px 1px 0 1px;
|
|
border-style: solid;
|
|
border-color: #7a2518;
|
|
display: inline-block;
|
|
}
|
|
|
|
.switch--item {
|
|
padding: 10px;
|
|
background-color: #ffffff;
|
|
color: #7a2518;
|
|
display: inline-block;
|
|
cursor: pointer;
|
|
}
|
|
|
|
.switch--item:not(:first-child) {
|
|
border-width: 0 0 0 1px;
|
|
border-style: solid;
|
|
border-color: #7a2518;
|
|
}
|
|
|
|
.switch--item.selected {
|
|
background-color: #7a2519;
|
|
color: #ffffff;
|
|
}
|
|
</style>
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/zepto/1.2.0/zepto.min.js"></script>
|
|
<script type="text/javascript">
|
|
function addBlockSwitches() {
|
|
$('.primary').each(function() {
|
|
primary = $(this);
|
|
createSwitchItem(primary, createBlockSwitch(primary)).item.addClass("selected");
|
|
primary.children('.title').remove();
|
|
});
|
|
$('.secondary').each(function(idx, node) {
|
|
secondary = $(node);
|
|
primary = findPrimary(secondary);
|
|
switchItem = createSwitchItem(secondary, primary.children('.switch'));
|
|
switchItem.content.addClass('hidden');
|
|
findPrimary(secondary).append(switchItem.content);
|
|
secondary.remove();
|
|
});
|
|
}
|
|
|
|
function createBlockSwitch(primary) {
|
|
blockSwitch = $('<div class="switch"></div>');
|
|
primary.prepend(blockSwitch);
|
|
return blockSwitch;
|
|
}
|
|
|
|
function findPrimary(secondary) {
|
|
candidate = secondary.prev();
|
|
while (!candidate.is('.primary')) {
|
|
candidate = candidate.prev();
|
|
}
|
|
return candidate;
|
|
}
|
|
|
|
function createSwitchItem(block, blockSwitch) {
|
|
blockName = block.children('.title').text();
|
|
content = block.children('.content').first().append(block.next('.colist'));
|
|
item = $('<div class="switch--item">' + blockName + '</div>');
|
|
item.on('click', '', content, function(e) {
|
|
$(this).addClass('selected');
|
|
$(this).siblings().removeClass('selected');
|
|
e.data.siblings('.content').addClass('hidden');
|
|
e.data.removeClass('hidden');
|
|
});
|
|
blockSwitch.append(item);
|
|
return {'item': item, 'content': content};
|
|
}
|
|
|
|
$(addBlockSwitches);
|
|
</script>
|
|
|
|
</head>
|
|
<body class="book toc2 toc-left">
|
|
<div id="header">
|
|
<div id="toc" class="toc2">
|
|
<div id="toctitle">Table of Contents</div>
|
|
<ul class="sectlevel1">
|
|
<li><a href="#_cloud_identity_aware_proxy_iap_authentication">Cloud Identity-Aware Proxy (IAP) Authentication</a>
|
|
<ul class="sectlevel2">
|
|
<li><a href="#_configuration">Configuration</a></li>
|
|
<li><a href="#_sample">Sample</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div id="content">
|
|
<div class="sect1">
|
|
<h2 id="_cloud_identity_aware_proxy_iap_authentication"><a class="link" href="#_cloud_identity_aware_proxy_iap_authentication">Cloud Identity-Aware Proxy (IAP) Authentication</a></h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p><a href="https://cloud.google.com/iap/">Cloud Identity-Aware Proxy (IAP)</a> provides a security layer over applications deployed to Google Cloud.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The IAP starter uses <a href="https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2resourceserver">Spring Security OAuth 2.0 Resource Server</a> functionality to automatically extract user identity from the proxy-injected <code>x-goog-iap-jwt-assertion</code> HTTP header.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The following claims are validated automatically:</p>
|
|
</div>
|
|
<div class="ulist">
|
|
<ul>
|
|
<li>
|
|
<p>Issue time</p>
|
|
</li>
|
|
<li>
|
|
<p>Expiration time</p>
|
|
</li>
|
|
<li>
|
|
<p>Issuer</p>
|
|
</li>
|
|
<li>
|
|
<p>Audience</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The <em>audience</em> (<code>"aud"</code> claim) validation string is automatically determined when the application is running on App Engine Standard or App Engine Flexible.
|
|
This functionality relies on Cloud Resource Manager API to retrieve project details, so the following setup is needed:</p>
|
|
</div>
|
|
<div class="ulist">
|
|
<ul>
|
|
<li>
|
|
<p>Enable Cloud Resource Manager API in <a href="https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com">GCP Console</a>.</p>
|
|
</li>
|
|
<li>
|
|
<p>Make sure your application has <code>resourcemanager.projects.get</code> permission.</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>App Engine automatic <em>audience</em> determination can be overridden by using <code>spring.cloud.gcp.security.iap.audience</code> property.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>For Compute Engine or Kubernetes Engine <code>spring.cloud.gcp.security.iap.audience</code> property <strong>must</strong> be provided, as the <em>audience</em> string depends on the specific Backend Services setup and cannot be inferred automatically.
|
|
To determine the <em>audience</em> value, follow directions in IAP <a href="https://cloud.google.com/iap/docs/signed-headers-howto#verify_the_jwt_payload">Verify the JWT payload</a> guide.
|
|
If <code>spring.cloud.gcp.security.iap.audience</code> is not provided, the application will fail to start the following message:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="highlightjs highlight"><code>No qualifying bean of type 'org.springframework.cloud.gcp.security.iap.AudienceProvider' available.</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<i class="fa icon-note" title="Note"></i>
|
|
</td>
|
|
<td class="content">
|
|
If you create a custom <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html"><code>WebSecurityConfigurerAdapter</code></a>, enable extracting user identity by adding <code>.oauth2ResourceServer().jwt()</code> configuration to the <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html"><code>HttpSecurity</code></a> object.
|
|
If no custom <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html"><code>WebSecurityConfigurerAdapter</code></a> is present, nothing needs to be done because Spring Boot will add this customization by default.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Starter Maven coordinates, using <a href="getting-started.html#_bill_of_materials">Spring Cloud GCP BOM</a>:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="highlightjs highlight"><code class="language-xml hljs" data-lang="xml"><dependency>
|
|
<groupId>org.springframework.cloud</groupId>
|
|
<artifactId>spring-cloud-gcp-starter-security-iap</artifactId>
|
|
</dependency></code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Starter Gradle coordinates:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="highlightjs highlight"><code>dependencies {
|
|
compile group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-security-iap'
|
|
}</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_configuration"><a class="link" href="#_configuration">Configuration</a></h3>
|
|
<div class="paragraph">
|
|
<p>The following properties are available.</p>
|
|
</div>
|
|
<div class="admonitionblock caution">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<i class="fa icon-caution" title="Caution"></i>
|
|
</td>
|
|
<td class="content">
|
|
Modifying registry, algorithm, and header properties might be useful for testing, but the defaults should not be changed in production.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<table class="tableblock frame-all grid-all stretch">
|
|
<colgroup>
|
|
<col style="width: 25%;">
|
|
<col style="width: 25%;">
|
|
<col style="width: 25%;">
|
|
<col style="width: 25%;">
|
|
</colgroup>
|
|
<thead>
|
|
<tr>
|
|
<th class="tableblock halign-left valign-top">Name</th>
|
|
<th class="tableblock halign-left valign-top">Description</th>
|
|
<th class="tableblock halign-left valign-top">Required</th>
|
|
<th class="tableblock halign-left valign-top">Default</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>spring.cloud.gcp.security.iap.registry</code></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">Link to JWK public key registry.</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code><a href="https://www.gstatic.com/iap/verify/public_key-jwk" class="bare">https://www.gstatic.com/iap/verify/public_key-jwk</a></code></p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>spring.cloud.gcp.security.iap.algorithm</code></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">Encryption algorithm used to sign the JWK token.</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ES256</code></p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>spring.cloud.gcp.security.iap.header</code></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">Header from which to extract the JWK key.</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>x-goog-iap-jwt-assertion</code></p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>spring.cloud.gcp.security.iap.issuer</code></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">JWK issuer to verify.</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code><a href="https://cloud.google.com/iap" class="bare">https://cloud.google.com/iap</a></code></p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>spring.cloud.gcp.security.iap.audience</code></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">Custom JWK audience to verify.</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">false on App Engine; true on GCE/GKE</p></td>
|
|
<td class="tableblock halign-left valign-top"></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_sample"><a class="link" href="#_sample">Sample</a></h3>
|
|
<div class="paragraph">
|
|
<p>A <a href="https://github.com/spring-cloud/spring-cloud-gcp/tree/master/spring-cloud-gcp-samples/spring-cloud-gcp-security-iap-sample">sample application</a> is available.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script type="text/javascript" src="js/tocbot/tocbot.min.js"></script>
|
|
<script type="text/javascript" src="js/toc.js"></script>
|
|
<link rel="stylesheet" href="js/highlight/styles/atom-one-dark-reasonable.min.css">
|
|
<script src="js/highlight/highlight.min.js"></script>
|
|
<script>hljs.initHighlighting()</script>
|
|
</body>
|
|
</html> |