You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The docs detail how tokens should be validated, and provide Go example code that show how to use the idtoken package to validate the token. However, looking closer at the idtoken code, and trying out the provided testing functionality (see this doc, it seems there's a bit of a misalignment between what the docs describe and what the idtoken package does.
In particular, the docs list the following requirements which are not fulfilled by the package:
We should allow for 30 seconds skew when validating the exp. The package does support this.
We should verify that iat is in the past, and allow for 30 seconds skew. The package does not check iat nor does it support such a skew.
iss must be https://cloud.google.com/iap. The package does not support such a check.
As someone who aims to follow the recommendations of the IAP docs, I'm wondering how I should proceed.
Is it reasonable to expect the idtoken package to address this in the near future, or should I look at other solutions in order to be compliant with the IAP recommendations?
The text was updated successfully, but these errors were encountered:
We will look into this a little more. At least at the time of implementation this was following best practices, but we did realize more validation might be needed, hence why we returned the payload from that function as well. If we were to change this we would want to do it consistently across all the languages we support. Thanks for raising this.
This is somewhat related to #2248 which also mentions the lack of validation of the
iss
claim.GCP's Identity-Aware Proxy provides the following docs on how to secure your app using signed headers: https://cloud.google.com/iap/docs/signed-headers-howto
The docs detail how tokens should be validated, and provide Go example code that show how to use the
idtoken
package to validate the token. However, looking closer at theidtoken
code, and trying out the provided testing functionality (see this doc, it seems there's a bit of a misalignment between what the docs describe and what theidtoken
package does.In particular, the docs list the following requirements which are not fulfilled by the package:
exp
. The package does support this.iat
is in the past, and allow for 30 seconds skew. The package does not checkiat
nor does it support such a skew.iss
must behttps://cloud.google.com/iap
. The package does not support such a check.As someone who aims to follow the recommendations of the IAP docs, I'm wondering how I should proceed.
Is it reasonable to expect the
idtoken
package to address this in the near future, or should I look at other solutions in order to be compliant with the IAP recommendations?The text was updated successfully, but these errors were encountered: