Missing ISS and IAT validation of IAP tokens in idtoken.Validate · Issue #2422 · googleapis/google-api-go-client · GitHub

Missing ISS and IAT validation of IAP tokens in idtoken.Validate #2422

Open
@oliver-roer

This is somewhat related to #2248 which also mentions the lack of validation of the iss claim.

GCP's Identity-Aware Proxy provides the following docs on how to secure your app using signed headers: https://cloud.google.com/iap/docs/signed-headers-howto

The docs detail how tokens should be validated, and provide Go example code that shows how to use the idtoken package to validate the token. However, looking closer at the idtoken code, and trying out the provided testing functionality (see this doc), it seems there's a bit of a misalignment between what the docs describe and what the idtoken package does.

In particular, the docs list the following requirements which are not fulfilled by the package:

  • We should allow for 30 seconds skew when validating the exp. The package does support this.
  • We should verify that iat is in the past, and allow for 30 seconds skew. The package does not check iat nor does it support such a skew.
  • iss must be https://cloud.google.com/iap. The package does not support such a check.

As someone who aims to follow the recommendations of the IAP docs, I'm wondering how I should proceed.
Is it reasonable to expect the idtoken package to address this in the near future, or should I look at other solutions in order to be compliant with the IAP recommendations?

Labels

  • priority: p3 (Desirable enhancement or fix. May not be included in next release.)
  • type: question (Request for information or clarification. Not an issue.)
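
One way a caller could apply the two checks the issue describes as missing, run on claims that idtoken.Validate has already accepted. This is an added example, not part of the original issue or of the idtoken package; `iapClaims`, `checkIAPClaims` and the error names are hypothetical, and the sample claims are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Values from the IAP signed-headers requirements quoted in the issue.
const iapIssuer = "https://cloud.google.com/iap"
const clockSkew = 30 * time.Second

var ErrIssuer = errors.New("iss is not the IAP issuer")
var ErrIssuedAt = errors.New("iat is missing or in the future")

// iapClaims is a hypothetical local stand-in for the Issuer and IssuedAt
// fields of idtoken.Payload, so the example builds without the module.
type iapClaims struct {
	Issuer   string
	IssuedAt int64 // seconds since the Unix epoch
}

// checkIAPClaims performs the iss and iat checks. Call it only on claims
// from a token whose signature, aud and exp were already verified.
func checkIAPClaims(c iapClaims, now time.Time) error {
	if c.Issuer != iapIssuer {
		return fmt.Errorf("%w: got %q", ErrIssuer, c.Issuer)
	}
	if c.IssuedAt <= 0 {
		return fmt.Errorf("%w: claim absent", ErrIssuedAt)
	}
	if time.Unix(c.IssuedAt, 0).After(now.Add(clockSkew)) {
		return fmt.Errorf("%w: iat=%d now=%d", ErrIssuedAt, c.IssuedAt, now.Unix())
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0) // constructed reference time
	samples := []iapClaims{         // constructed claims, not real tokens
		{iapIssuer, now.Unix() - 60},
		{iapIssuer, now.Unix() + 20}, // inside the 30 s skew: accepted
		{iapIssuer, now.Unix() + 31}, // beyond the skew: rejected
		{"https://accounts.google.com", now.Unix() - 60},
	}
	for _, s := range samples {
		fmt.Printf("%+v -> %v\n", s, checkIAPClaims(s, now))
	}
}
```

In a handler, the claims would be filled from the payload returned by idtoken.Validate and the request rejected on any non-nil error.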
