Lib.rs

Authentication
#jwk #google-cloud #jwt #google

iap-jwt

Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs

Owned by Ryo Hirayama.

1 unstable release

0.1.0 Aug 9, 2024

#544 in Authentication

Download history 95/week @ 2024-08-08 15/week @ 2024-08-15 1/week @ 2024-08-22 1/week @ 2024-08-29 2/week @ 2024-09-05 16/week @ 2024-09-12 17/week @ 2024-09-19 11/week @ 2024-09-26 6/week @ 2024-10-03

51 downloads per month

MIT/Apache

31KB
686 lines

IAP JWT

GitHub MIT/Apache 2.0 Crates.io docs.rs

Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs

Features

  • Validate and decode JWTs issued by Google IAP https://cloud.google.com/iap/docs/signed-headers-howto
  • Verify JWT signature using public keys from Google retrieved from the JWKS endpoint
  • Validate standard claims like exp, iat, aud, iss
  • Validate Google-specific claims like hd (hosted domain) and access levels
  • Injectable public key retrieval and caching for testability
  • Customizable validation options

Usage

cargo add iap-jwt

use iap_jwt::{ValidationConfig};

let token = "..."; // JWT token from IAP

// reqwest Client implements iap_jwt::PublicKeySource with `reqwest` feature enabled (enabled by default)
let client = reqwest::Client::new();

let config = ValidationConfig::new(["/projects/1234567890/global/backendServices/test-service-id"])
    .with_google_hosted_domain(["example.com"])
    .with_access_levels(["ADMIN"]);

let claims = config.decode_and_validate(token, &client).await?;

println!("Authenticated user: {}", claims.sub);

License

This project is licensed under either of the following licenses, at your option:

  • Apache-2.0
  • MIT

Dependencies

~4–16MB
~231K SLoC