<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>164. Cloud Identity-Aware Proxy (IAP) Authentication</title><link rel="stylesheet" type="text/css" href="css/manual-multipage.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="multi_spring-cloud.html" title="Spring Cloud"><link rel="up" href="multi_spring-cloud-gcp-reference.html" title="Part XVIII. Spring Cloud GCP"><link rel="prev" href="multi__cloud_memorystore_for_redis.html" title="163. Cloud Memorystore for Redis"><link rel="next" href="multi__google_cloud_vision.html" title="165. Google Cloud Vision"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a name="_cloud_identity_aware_proxy_iap_authentication" href="#_cloud_identity_aware_proxy_iap_authentication"></a>164. 
Cloud Identity-Aware Proxy (IAP) Authentication</h2></div></div></div><p><a class="link" href="https://cloud.google.com/iap/" target="_top">Cloud Identity-Aware Proxy (IAP)</a> provides a security layer over applications deployed to Google Cloud.</p><p>The IAP starter uses <a class="link" href="https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2resourceserver" target="_top">Spring Security OAuth 2.0 Resource Server</a> functionality to automatically extract user identity from the proxy-injected <code class="literal">x-goog-iap-jwt-assertion</code> HTTP header.</p><p>The following claims are validated automatically:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">Issue time</li><li class="listitem">Expiration time</li><li class="listitem">Issuer</li><li class="listitem">Audience</li></ul></div><p>The audience (<code class="literal">"aud"</code>) validation is automatically configured when the application is running on App Engine Standard or App Engine Flexible.
For other runtime environments, a custom audience must be provided through the <code class="literal">spring.cloud.gcp.security.iap.audience</code> property.
The custom property, if specified, overrides the automatic App Engine audience detection.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Important"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Important]" src="images/important.png"></td><th align="left">Important</th></tr><tr><td align="left" valign="top"><p>There is no automatic audience string configuration for Compute Engine or Kubernetes Engine.
To use the IAP starter on GCE/GKE, find the audience string by following the <a class="link" href="https://cloud.google.com/iap/docs/signed-headers-howto#verify_the_jwt_payload" target="_top">Verify the JWT payload</a> guide, and specify it in the <code class="literal">spring.cloud.gcp.security.iap.audience</code> property.
Otherwise, the application will fail to start with the <code class="literal">No qualifying bean of type 'org.springframework.cloud.gcp.security.iap.AudienceProvider' available</code> message.</p></td></tr></table></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>If you create a custom <a class="link" href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html" target="_top"><code class="literal">WebSecurityConfigurerAdapter</code></a>, enable user identity extraction by adding the <code class="literal">.oauth2ResourceServer().jwt()</code> configuration to the <a class="link" href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html" target="_top"><code class="literal">HttpSecurity</code></a> object.
If no custom <a class="link" href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html" target="_top"><code class="literal">WebSecurityConfigurerAdapter</code></a> is present, nothing needs to be done because Spring Boot will add this customization by default.</p></td></tr></table></div><p>Starter Maven coordinates, using <a class="link" href="https://github.com/spring-cloud/spring-cloud-gcp/blob/master/spring-cloud-gcp-dependencies/pom.xml" target="_top">Spring Cloud GCP BOM</a>:</p><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependency></span>
    <span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><groupId></span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></groupId></span>
    <span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><artifactId></span>spring-cloud-gcp-starter-security-iap<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></artifactId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependency></span></pre><p>Starter Gradle coordinates:</p><pre class="screen">dependencies {
    compile group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-security-iap'
}</pre><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="_configuration_8" href="#_configuration_8"></a>164.1 Configuration</h2></div></div></div><p>The following properties are available.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Caution"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Caution]" src="images/caution.png"></td><th align="left">Caution</th></tr><tr><td align="left" valign="top"><p>Modifying registry, algorithm, and header properties might be useful for testing, but the defaults should not be changed in production.</p></td></tr></table></div><div class="informaltable"><table class="informaltable" style="border-collapse: collapse;border-top: 1px solid ; border-bottom: 1px solid ; "><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"></colgroup><thead><tr><th style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top">Name</th><th style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top">Description</th><th style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top">Required</th><th style="border-bottom: 1px solid ; " align="left" valign="top">Default</th></tr></thead><tbody><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal">spring.cloud.gcp.security.iap.registry</code></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Link to JWK public key registry.</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>true</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal"><a class="link" href="https://www.gstatic.com/iap/verify/public_key-jwk" 
target="_top">https://www.gstatic.com/iap/verify/public_key-jwk</a></code></p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal">spring.cloud.gcp.security.iap.algorithm</code></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Signature algorithm used to sign the JWT.</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>true</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal">ES256</code></p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal">spring.cloud.gcp.security.iap.header</code></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Header from which to extract the JWT.</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>true</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal">x-goog-iap-jwt-assertion</code></p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal">spring.cloud.gcp.security.iap.issuer</code></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>JWT issuer to verify.</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>true</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p><code class="literal"><a class="link" href="https://cloud.google.com/iap" target="_top">https://cloud.google.com/iap</a></code></p></td></tr><tr><td style="border-right: 1px solid ; " align="left" valign="top"><p><code class="literal">spring.cloud.gcp.security.iap.audience</code></p></td><td style="border-right: 1px 
solid ; " align="left" valign="top"><p>Custom JWT audience to verify.</p></td><td style="border-right: 1px solid ; " align="left" valign="top"><p>false on App Engine; true on GCE/GKE</p></td><td style="" align="left" valign="top"> </td></tr></tbody></table></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="_sample_11" href="#_sample_11"></a>164.2 Sample</h2></div></div></div><p>A <a class="link" href="https://github.com/spring-cloud/spring-cloud-gcp/tree/master/spring-cloud-gcp-samples/spring-cloud-gcp-security-iap-sample" target="_top">sample application</a> is available.</p></div></div></body></html>