diff --git a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
index 0405d259c3b..974c8e14a09 100644
--- a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
+++ b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
@@ -26,9 +26,10 @@
public class JwtServlet extends HttpServlet {
private static final String IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+ private static final String IAP_AUTHENTICATED_USER_HEADER = "x-goog-authenticated-user-jwt";
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- resp.getWriter().print(IAP_JWT_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
+ resp.getWriter().print(IAP_AUTHENTICATED_USER_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
}
}
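Review bot: In `doGet` the printed label and the header actually read no longer agree: the body is prefixed with `IAP_AUTHENTICATED_USER_HEADER` but the value still comes from `req.getHeader(IAP_JWT_HEADER)`. A client parsing the response is told it holds `x-goog-authenticated-user-jwt` when it is really the contents of `x-goog-iap-jwt-assertion`. The integration test in BuildAndVerifyIapRequestIT.java pins the same mismatch, asserting the new label and then replaying the token under the old header name. Either read the header that is named, `req.getHeader(IAP_AUTHENTICATED_USER_HEADER)`, or keep the old label. `getHeader` returns null when the header is absent, so the servlet would print the literal text `null`; a guard such as `if (jwt == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }` would make that case explicit. Since this endpoint echoes a signed assertion back to the caller, a class comment stating that it is a test reflector and not a pattern for production handlers would also help.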
diff --git a/iap/README.md b/iap/README.md
index d8819ed64e3..6407754900e 100644
--- a/iap/README.md
+++ b/iap/README.md
@@ -28,24 +28,22 @@ It will be used to test both the authorization of an incoming request to an IAP
- Add the service account email to the Identity-Aware Proxy access list for the project.
-- Set the following environment variables to test sending a request to an IAP protected resource:
+- Update the following variables in [BuildAndVerifyIapRequestIT.java](src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java):
- `IAP_PROTECTED_URL` : URL of your IAP protected resource . eg. `https://your-project-id.appspot.com`
- `IAP_CLIENT_ID` to point to the [OAuth 2.0 Client ID](https://console.cloud.google.com/apis/credentials) of your IAP protected App Engine Application.
-- Set the following environment variables to test verifying a JWT issued for an App Engine protected application:
- - `GOOGLE_CLOUD_PROJECT`: Google Cloud Project ID
+ - `IAP_PROJECT_ID` : Google Cloud Project ID of the IAP protected application
- `IAP_PROJECT_NUMBER` : [Project number](https://console.cloud.google.com/home/dashboard) of the IAP protected resource.
- Also available via `gcloud` using:
- ```
- gcloud projects describe PROJECT_ID
- ```
-
+ Also available via `gcloud` using:
+ ```
+ gcloud projects describe PROJECT_ID
+ ```
- Run the integration test:
-```
- mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
-```
+ ```
+ mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
+ ```
## References
- [JWT library for Java (jjwt)](https://github.com/jwtk/jjwt)
diff --git a/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java b/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
index e043afb8b5c..5183b0053da 100644
--- a/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
+++ b/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
@@ -26,7 +26,6 @@
import com.google.api.client.http.javanet.NetHttpTransport;
import io.jsonwebtoken.Jwt;
import org.apache.http.HttpStatus;
-import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
@@ -34,24 +33,22 @@
@RunWith(JUnit4.class)
public class BuildAndVerifyIapRequestIT {
- private String iapProtectedUrl = System.getenv("IAP_PROTECTED_URL");
- private String iapClientId = System.getenv("IAP_CLIENT_ID");
- private Long projectNumber = Long.parseLong(System.getenv("IAP_PROJECT_NUMBER"));
- private String projectId = System.getenv("GOOGLE_CLOUD_PROJECT");
+ // Update these fields to reflect your IAP protected App Engine credentials
+ private static Long IAP_PROJECT_NUMBER = 320431926067L;
+ private static String IAP_PROJECT_ID = "gcp-devrel-iap-reflect";
+ private static String IAP_PROTECTED_URL = "https://gcp-devrel-iap-reflect.appspot.com";
+ private static String IAP_CLIENT_ID =
+ "320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1.apps.googleusercontent.com";
+
private HttpTransport httpTransport = new NetHttpTransport();
private VerifyIapRequestHeader verifyIapRequestHeader = new VerifyIapRequestHeader();
- @Before
- public void setUp() {
- assertNotNull(iapProtectedUrl);
- assertNotNull(iapClientId);
- }
// Access an IAP protected url without signed jwt authorization header
@Test
public void accessIapProtectedResourceFailsWithoutJwtHeader() throws Exception {
HttpRequest request =
- httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(iapProtectedUrl));
+ httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(IAP_PROTECTED_URL));
try {
request.execute();
} catch (HttpResponseException e) {
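Review bot: The four new fields hard-code one specific project's number, ID, URL and OAuth client ID into the test source, replacing the `System.getenv` lookups, and they are declared `private static` without `final` despite the constant-style names. Anyone running the test has to edit the file and risks committing their own project's values. The removed `setUp` null checks also mean there is no longer any precondition check on the configuration. Consider keeping the environment as the source and failing fast, e.g. `private static final String IAP_CLIENT_ID = System.getenv("IAP_CLIENT_ID");` together with the `@Before` `assertNotNull` checks, or at least declare the fields `final` and replace the values with obvious placeholders. The body of `accessIapProtectedResourceFailsWithoutJwtHeader` continues past the end of this hunk, so whether the test fails when `request.execute()` does not throw cannot be checked from here.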
@@ -63,23 +60,23 @@ public void accessIapProtectedResourceFailsWithoutJwtHeader() throws Exception {
@Test
public void testGenerateAndVerifyIapRequestIsSuccessful() throws Exception {
HttpRequest request =
- httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(iapProtectedUrl));
- HttpRequest iapRequest = buildIAPRequest(request, iapClientId);
+ httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(IAP_PROTECTED_URL));
+ HttpRequest iapRequest = buildIAPRequest(request, IAP_CLIENT_ID);
HttpResponse response = iapRequest.execute();
assertEquals(response.getStatusCode(), HttpStatus.SC_OK);
String headerWithtoken = response.parseAsString();
String[] split = headerWithtoken.split(":");
assertNotNull(split);
- assertEquals(split.length, 2);
- assertEquals(split[0].trim(), "x-goog-iap-jwt-assertion");
+ assertEquals(2, split.length);
+ assertEquals("x-goog-authenticated-user-jwt", split[0].trim());
String jwtToken = split[1].trim();
HttpRequest verifyJwtRequest = httpTransport
.createRequestFactory()
- .buildGetRequest(new GenericUrl(iapProtectedUrl)).setHeaders(
+ .buildGetRequest(new GenericUrl(IAP_PROTECTED_URL)).setHeaders(
new HttpHeaders().set("x-goog-iap-jwt-assertion", jwtToken));
Jwt decodedJWT = verifyIapRequestHeader.verifyJWTTokenForAppEngine(
- verifyJwtRequest, projectNumber, projectId);
+ verifyJwtRequest, IAP_PROJECT_NUMBER, IAP_PROJECT_ID);
assertNotNull(decodedJWT);
}
}
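Review bot: The status check `assertEquals(response.getStatusCode(), HttpStatus.SC_OK);` still passes the actual value first, while the two assertions below it were corrected to expected-first in this same hunk. A failure there would report the values the wrong way round, so it should read `assertEquals(HttpStatus.SC_OK, response.getStatusCode());`. The final check is only `assertNotNull(decodedJWT)`. `verifyJWTTokenForAppEngine` presumably validates signature and audience itself, but that is not visible in this diff. A comment saying which claims the verifier enforces, or an assertion on the decoded claims, would make the test's security intent clear.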
diff --git a/pom.xml b/pom.xml
index 1d854809c36..e4405b64b0a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -55,9 +55,7 @@
dlp
-
kms