|
11 | 11 | * express or implied. See the License for the specific language governing permissions and |
12 | 12 | * limitations under the License. |
13 | 13 | */ |
| 14 | + |
14 | 15 | package com.example.iap; |
| 16 | +// [START verify_iap_request] |
15 | 17 |
|
16 | | -import com.fasterxml.jackson.core.type.TypeReference; |
17 | | -import com.fasterxml.jackson.databind.ObjectMapper; |
18 | | -import com.google.api.client.http.GenericUrl; |
19 | 18 | import com.google.api.client.http.HttpRequest; |
20 | | -import com.google.api.client.http.HttpResponse; |
21 | | -import com.google.api.client.http.HttpStatusCodes; |
22 | | -import com.google.api.client.http.javanet.NetHttpTransport; |
23 | | -import com.google.api.client.util.PemReader; |
24 | | -import com.google.api.client.util.PemReader.Section; |
25 | | -import io.jsonwebtoken.Claims; |
26 | | -import io.jsonwebtoken.JwsHeader; |
27 | | -import io.jsonwebtoken.Jwt; |
28 | | -import io.jsonwebtoken.Jwts; |
29 | | -import io.jsonwebtoken.SigningKeyResolver; |
30 | | -import io.jsonwebtoken.impl.DefaultClaims; |
31 | | - |
32 | | -import java.io.IOException; |
33 | | -import java.io.StringReader; |
34 | | -import java.security.Key; |
35 | | -import java.security.KeyFactory; |
36 | | -import java.security.NoSuchAlgorithmException; |
37 | | -import java.security.PublicKey; |
| 19 | +import com.google.common.base.Preconditions; |
| 20 | +import com.nimbusds.jose.JWSHeader; |
| 21 | +import com.nimbusds.jose.JWSVerifier; |
| 22 | +import com.nimbusds.jose.crypto.ECDSAVerifier; |
| 23 | +import com.nimbusds.jose.jwk.ECKey; |
| 24 | +import com.nimbusds.jose.jwk.JWK; |
| 25 | +import com.nimbusds.jose.jwk.JWKSet; |
| 26 | +import com.nimbusds.jwt.JWTClaimsSet; |
| 27 | +import com.nimbusds.jwt.SignedJWT; |
| 28 | +import java.net.URL; |
38 | 29 | import java.security.interfaces.ECPublicKey; |
39 | | -import java.security.spec.InvalidKeySpecException; |
40 | | -import java.security.spec.X509EncodedKeySpec; |
| 30 | +import java.time.Clock; |
| 31 | +import java.time.Instant; |
| 32 | +import java.util.Date; |
41 | 33 | import java.util.HashMap; |
42 | 34 | import java.util.Map; |
43 | 35 |
|
44 | 36 | /** Verify IAP authorization JWT token in incoming request. */ |
45 | 37 | public class VerifyIapRequestHeader { |
46 | 38 |
|
47 | | - // [START verify_iap_request] |
48 | 39 | private static final String PUBLIC_KEY_VERIFICATION_URL = |
49 | | - "https://www.gstatic.com/iap/verify/public_key"; |
| 40 | + "https://www.gstatic.com/iap/verify/public_key-jwk"; |
| 41 | + |
50 | 42 | private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap"; |
51 | 43 |
|
52 | | - private final Map<String, Key> keyCache = new HashMap<>(); |
53 | | - private final ObjectMapper mapper = new ObjectMapper(); |
54 | | - private final TypeReference<HashMap<String, String>> typeRef = |
55 | | - new TypeReference<HashMap<String, String>>() {}; |
56 | | - |
57 | | - private SigningKeyResolver resolver = |
58 | | - new SigningKeyResolver() { |
59 | | - @Override |
60 | | - public Key resolveSigningKey(JwsHeader header, Claims claims) { |
61 | | - return resolveSigningKey(header); |
62 | | - } |
63 | | - |
64 | | - @Override |
65 | | - public Key resolveSigningKey(JwsHeader header, String payload) { |
66 | | - return resolveSigningKey(header); |
67 | | - } |
68 | | - |
69 | | - private Key resolveSigningKey(JwsHeader header) { |
70 | | - String keyId = header.getKeyId(); |
71 | | - Key key = keyCache.get(keyId); |
72 | | - if (key != null) { |
73 | | - return key; |
74 | | - } |
75 | | - try { |
76 | | - HttpRequest request = |
77 | | - new NetHttpTransport() |
78 | | - .createRequestFactory() |
79 | | - .buildGetRequest(new GenericUrl(PUBLIC_KEY_VERIFICATION_URL)); |
80 | | - HttpResponse response = request.execute(); |
81 | | - if (response.getStatusCode() != HttpStatusCodes.STATUS_CODE_OK) { |
82 | | - return null; |
83 | | - } |
84 | | - Map<String, String> keys = mapper.readValue(response.parseAsString(), typeRef); |
85 | | - for (Map.Entry<String, String> keyData : keys.entrySet()) { |
86 | | - if (!keyData.getKey().equals(keyId)) { |
87 | | - continue; |
88 | | - } |
89 | | - key = getKey(keyData.getValue()); |
90 | | - if (key != null) { |
91 | | - keyCache.putIfAbsent(keyId, key); |
92 | | - } |
93 | | - } |
94 | | - |
95 | | - } catch (IOException e) { |
96 | | - // ignore exception |
97 | | - } |
98 | | - return key; |
99 | | - } |
100 | | - }; |
| 44 | + // using a simple cache with no eviction for this sample |
| 45 | + private final Map<String, JWK> keyCache = new HashMap<>(); |
| 46 | + |
| 47 | + private static Clock clock = Clock.systemUTC(); |
| 48 | + |
| 49 | + private ECPublicKey getKey(String kid, String alg) throws Exception { |
| 50 | + JWK jwk = keyCache.get(kid); |
| 51 | + if (jwk == null) { |
| 52 | + // update cache loading jwk public key data from url |
| 53 | + JWKSet jwkSet = JWKSet.load(new URL(PUBLIC_KEY_VERIFICATION_URL)); |
| 54 | + for (JWK key : jwkSet.getKeys()) { |
| 55 | + keyCache.put(key.getKeyID(), key); |
| 56 | + } |
| 57 | + jwk = keyCache.get(kid); |
| 58 | + } |
| 59 | + // confirm that algorithm matches |
| 60 | + if (jwk != null && jwk.getAlgorithm().getName().equals(alg)) { |
| 61 | + return ECKey.parse(jwk.toJSONString()).toECPublicKey(); |
| 62 | + } |
| 63 | + return null; |
| 64 | + } |
101 | 65 |
|
102 | 66 | // Verify jwt tokens addressed to IAP protected resources on App Engine. |
103 | | - // The project *number* for your Google Cloud project available via 'gcloud projects describe $PROJECT_ID' |
104 | | - // or in the Project Info card in Cloud Console. |
| 67 | + // The project *number* for your Google Cloud project via 'gcloud projects describe $PROJECT_ID' |
| 68 | + // The project *number* can also be retrieved from the Project Info card in Cloud Console. |
105 | 69 | // projectId is The project *ID* for your Google Cloud Project. |
106 | | - Jwt verifyJWTTokenForAppEngine(HttpRequest request, long projectNumber, String projectId) throws Exception { |
| 70 | + boolean verifyJwtForAppEngine(HttpRequest request, long projectNumber, String projectId) |
| 71 | + throws Exception { |
107 | 72 | // Check for iap jwt header in incoming request |
108 | | - String jwtToken = |
109 | | - request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion"); |
110 | | - if (jwtToken == null) { |
111 | | - return null; |
| 73 | + String jwt = request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion"); |
| 74 | + if (jwt == null) { |
| 75 | + return false; |
112 | 76 | } |
113 | | - return verifyJWTToken(jwtToken, String.format("/projects/%s/apps/%s", |
114 | | - Long.toUnsignedString(projectNumber), |
115 | | - projectId)); |
| 77 | + return verifyJwt( |
| 78 | + jwt, |
| 79 | + String.format("/projects/%s/apps/%s", Long.toUnsignedString(projectNumber), projectId)); |
116 | 80 | } |
117 | 81 |
|
118 | | - Jwt verifyJWTTokenForComputeEngine(HttpRequest request, long projectNumber, long backendServiceId) throws Exception { |
| 82 | + boolean verifyJwtForComputeEngine( |
| 83 | + HttpRequest request, long projectNumber, long backendServiceId) throws Exception { |
119 | 84 | // Check for iap jwt header in incoming request |
120 | | - String jwtToken = |
121 | | - request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion"); |
| 85 | + String jwtToken = request.getHeaders() |
| 86 | + .getFirstHeaderStringValue("x-goog-iap-jwt-assertion"); |
122 | 87 | if (jwtToken == null) { |
123 | | - return null; |
124 | | - } |
125 | | - return verifyJWTToken(jwtToken, String.format("/projects/%s/global/backendServices/%s", |
126 | | - Long.toUnsignedString(projectNumber), |
127 | | - Long.toUnsignedString(backendServiceId))); |
128 | | - } |
129 | | - |
130 | | - Jwt verifyJWTToken(String jwtToken, String expectedAudience) throws Exception { |
131 | | - // Time constraints are automatically checked, use setAllowedClockSkewSeconds |
132 | | - // to specify a leeway window |
133 | | - // The token was issued in a past date "iat" < TODAY |
134 | | - // The token hasn't expired yet "exp" > TODAY |
135 | | - Jwt jwt = |
136 | | - Jwts.parser() |
137 | | - .setSigningKeyResolver(resolver) |
138 | | - .requireAudience(expectedAudience) |
139 | | - .requireIssuer(IAP_ISSUER_URL) |
140 | | - .parse(jwtToken); |
141 | | - DefaultClaims claims = (DefaultClaims) jwt.getBody(); |
142 | | - if (claims.getSubject() == null) { |
143 | | - throw new Exception("Subject expected, not found."); |
| 88 | + return false; |
144 | 89 | } |
145 | | - if (claims.get("email") == null) { |
146 | | - throw new Exception("Email expected, not found."); |
147 | | - } |
148 | | - return jwt; |
| 90 | + return verifyJwt( |
| 91 | + jwtToken, |
| 92 | + String.format( |
| 93 | + "/projects/%s/global/backendServices/%s", |
| 94 | + Long.toUnsignedString(projectNumber), Long.toUnsignedString(backendServiceId))); |
149 | 95 | } |
150 | 96 |
|
151 | | - private ECPublicKey getKey(String keyText) throws IOException { |
152 | | - StringReader reader = new StringReader(keyText); |
153 | | - Section section = PemReader.readFirstSectionAndClose(reader, "PUBLIC KEY"); |
154 | | - if (section == null) { |
155 | | - throw new IOException("Invalid data."); |
156 | | - } else { |
157 | | - byte[] bytes = section.getBase64DecodedBytes(); |
158 | | - X509EncodedKeySpec keySpec = new X509EncodedKeySpec(bytes); |
159 | | - try { |
160 | | - KeyFactory kf = KeyFactory.getInstance("EC"); |
161 | | - PublicKey publicKey = kf.generatePublic(keySpec); |
162 | | - if (publicKey instanceof ECPublicKey) { |
163 | | - return (ECPublicKey) publicKey; |
164 | | - } |
165 | | - } catch (InvalidKeySpecException | NoSuchAlgorithmException var7) { |
166 | | - throw new IOException("Unexpected exception reading data", var7); |
167 | | - } |
168 | | - } |
169 | | - return null; |
| 97 | + private boolean verifyJwt(String jwtToken, String expectedAudience) throws Exception { |
| 98 | + |
| 99 | + // parse signed token into header / claims |
| 100 | + SignedJWT signedJwt = SignedJWT.parse(jwtToken); |
| 101 | + JWSHeader jwsHeader = signedJwt.getHeader(); |
| 102 | + |
| 103 | + // header must have algorithm("alg") and "kid" |
| 104 | + Preconditions.checkNotNull(jwsHeader.getAlgorithm()); |
| 105 | + Preconditions.checkNotNull(jwsHeader.getKeyID()); |
| 106 | + |
| 107 | + JWTClaimsSet claims = signedJwt.getJWTClaimsSet(); |
| 108 | + |
| 109 | + // claims must have audience, issuer |
| 110 | + Preconditions.checkArgument(claims.getAudience().contains(expectedAudience)); |
| 111 | + Preconditions.checkArgument(claims.getIssuer().equals(IAP_ISSUER_URL)); |
| 112 | + |
| 113 | + // claim must have issued at time in the past |
| 114 | + Date currentTime = Date.from(Instant.now(clock)); |
| 115 | + Preconditions.checkArgument(claims.getIssueTime().before(currentTime)); |
| 116 | + // claim must have expiration time in the future |
| 117 | + Preconditions.checkArgument(claims.getExpirationTime().after(currentTime)); |
| 118 | + |
| 119 | + // must have subject, email |
| 120 | + Preconditions.checkNotNull(claims.getSubject()); |
| 121 | + Preconditions.checkNotNull(claims.getClaim("email")); |
| 122 | + |
| 123 | + // verify using public key : lookup with key id, algorithm name provided |
| 124 | + ECPublicKey publicKey = getKey(jwsHeader.getKeyID(), jwsHeader.getAlgorithm().getName()); |
| 125 | + |
| 126 | + Preconditions.checkNotNull(publicKey); |
| 127 | + JWSVerifier jwsVerifier = new ECDSAVerifier(publicKey); |
| 128 | + return signedJwt.verify(jwsVerifier); |
170 | 129 | } |
171 | | - // [END verify_iap_request] |
172 | 130 | } |
| 131 | +// [END verify_iap_request] |
0 commit comments