com.google.cloud.spring.autoconfigure.security

Class IapAuthenticationAutoConfiguration

java.lang.Object

com.google.cloud.spring.autoconfigure.security.IapAuthenticationAutoConfiguration

@Configuration(proxyBeanMethods=false)
 @ConditionalOnProperty(value="spring.cloud.gcp.security.iap.enabled",
                       matchIfMissing=true)
 @ConditionalOnClass(value=AudienceValidator.class)
 @AutoConfigureBefore(value=org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration.class)
 @AutoConfigureAfter(value=GcpContextAutoConfiguration.class)
 @EnableConfigurationProperties(value=IapAuthenticationProperties.class)
public class IapAuthenticationAutoConfiguration
extends Object

Autoconfiguration for extracting pre-authenticated user identity from Google Cloud IAP header.

Provides:

• a custom BearerTokenResolver extracting identity from x-goog-iap-jwt-assertion header
• an ES256 web registry-based JWT token decoder bean with the following standard validations:
  • Issue time
  • Expiration time
  • Issuer
  • Audience (this validation is only enabled if running on AppEngine, or if a custom audience is provided through spring.cloud.gcp.security.iap.audience property)

If a custom WebSecurityConfigurerAdapter is present, it must add .oauth2ResourceServer().jwt() customization to HttpSecurity object. If no custom WebSecurityConfigurerAdapter is found, Spring Boot's default OAuth2ResourceServerWebSecurityConfiguration will add this customization.

Since:

1.1

Author:

Elena Felder, Eddú Meléndez

Constructor Summary

Constructors

Constructor and Description
IapAuthenticationAutoConfiguration()

Method Summary

Modifier and Type	Method and Description
AudienceProvider	appEngineBasedAudienceProvider(GcpProjectIdProvider projectIdProvider)
AudienceValidator	audienceValidator(AudienceProvider audienceProvider)
org.springframework.security.oauth2.jwt.JwtDecoder	iapJwtDecoder(IapAuthenticationProperties properties, org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator<org.springframework.security.oauth2.jwt.Jwt> validator)
org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator<org.springframework.security.oauth2.jwt.Jwt>	iapJwtDelegatingValidator(IapAuthenticationProperties properties, AudienceValidator audienceValidator)
org.springframework.security.oauth2.server.resource.web.BearerTokenResolver	iatTokenResolver(IapAuthenticationProperties properties)
AudienceProvider	propertyBasedAudienceProvider(IapAuthenticationProperties properties)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IapAuthenticationAutoConfiguration

public IapAuthenticationAutoConfiguration()

Method Detail

iatTokenResolver

@Bean
 @ConditionalOnMissingBean
public org.springframework.security.oauth2.server.resource.web.BearerTokenResolver iatTokenResolver(IapAuthenticationProperties properties)

propertyBasedAudienceProvider

@Bean
 @ConditionalOnMissingBean
 @ConditionalOnProperty(value="spring.cloud.gcp.security.iap.audience")
public AudienceProvider propertyBasedAudienceProvider(IapAuthenticationProperties properties)

appEngineBasedAudienceProvider

@Bean
 @ConditionalOnMissingBean
 @ConditionalOnGcpEnvironment(value={APP_ENGINE_FLEXIBLE,APP_ENGINE_STANDARD})
public AudienceProvider appEngineBasedAudienceProvider(GcpProjectIdProvider projectIdProvider)

audienceValidator

@Bean
 @ConditionalOnMissingBean
public AudienceValidator audienceValidator(AudienceProvider audienceProvider)

iapJwtDelegatingValidator

@Bean
 @ConditionalOnMissingBean(name="iapJwtDelegatingValidator")
public org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator<org.springframework.security.oauth2.jwt.Jwt> iapJwtDelegatingValidator(IapAuthenticationProperties properties,
                                                                                                                                                                                                                         AudienceValidator audienceValidator)

iapJwtDecoder

@Bean
 @ConditionalOnMissingBean
public org.springframework.security.oauth2.jwt.JwtDecoder iapJwtDecoder(IapAuthenticationProperties properties,
                                                                                                         @Qualifier(value="iapJwtDelegatingValidator")
                                                                                                         org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator<org.springframework.security.oauth2.jwt.Jwt> validator)