29
29
/**
30
30
* Validate a JWT passed to your App Engine app by Identity-Aware Proxy.
31
31
*
32
- * @param string $iap_jwt The contents of the X-Goog-IAP-JWT-Assertion header.
33
- * @param string $cloud_project_number The project *number* for your Google
32
+ * @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
33
+ * @param string $cloudProjectNumber The project *number* for your Google
34
34
* Cloud project. This is returned by 'gcloud projects describe $PROJECT_ID',
35
35
* or in the Project Info card in Cloud Console.
36
36
* @param string $cloud_project Your Google Cloud Project ID.
37
37
*
38
38
* @return (user_id, user_email).
39
39
*/
40
- function validate_jwt_from_app_engine ($ iap_jwt , $ cloud_project_number , $ cloud_project_id )
40
+ function validate_jwt_from_app_engine ($ iapJwt , $ cloudProjectNumber , $ cloudProjectId )
41
41
{
42
- $ expected_audience = sprintf (
42
+ $ expectedAudience = sprintf (
43
43
'/projects/%s/apps/%s ' ,
44
- $ cloud_project_number ,
45
- $ cloud_project_id
44
+ $ cloudProjectNumber ,
45
+ $ cloudProjectId
46
46
);
47
- return validate_jwt ($ iap_jwt , $ expected_audience );
47
+ return validate_jwt ($ iapJwt , $ expectedAudience );
48
48
}
49
49
50
50
/**
51
51
* Validate a JWT passed to your Compute / Container Engine app by Identity-Aware Proxy.
52
52
*
53
- * @param string $iap_jwt The contents of the X-Goog-IAP-JWT-Assertion header.
54
- * @param string $cloud_project_number The project *number* for your Google
53
+ * @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
54
+ * @param string $cloudProjectNumber The project *number* for your Google
55
55
* Cloud project. This is returned by 'gcloud projects describe $PROJECT_ID',
56
56
* or in the Project Info card in Cloud Console.
57
- * @param string $backend_service_id The ID of the backend service used to access the
57
+ * @param string $backendServiceId The ID of the backend service used to access the
58
58
* application. See https://cloud.google.com/iap/docs/signed-headers-howto
59
59
* for details on how to get this value.
60
- *
61
- * @return (user_id, user_email).
62
60
*/
63
- function validate_jwt_from_compute_engine ($ iap_jwt , $ cloud_project_number , $ backend_service_id )
61
+ function validate_jwt_from_compute_engine ($ iapJwt , $ cloudProjectNumber , $ backendServiceId )
64
62
{
65
- $ expected_audience = sprintf (
63
+ $ expectedAudience = sprintf (
66
64
'/projects/%s/global/backendServices/%s ' ,
67
- $ cloud_project_number ,
68
- $ backend_service_id
65
+ $ cloudProjectNumber ,
66
+ $ backendServiceId
69
67
);
70
- return validate_jwt ($ iap_jwt , $ expected_audience );
68
+ validate_jwt ($ iapJwt , $ expectedAudience );
71
69
}
72
70
73
-
74
- function validate_jwt ($ iap_jwt , $ expected_audience )
71
+ /**
72
+ * Validate a JWT passed to your app by Identity-Aware Proxy.
73
+ *
74
+ * @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
75
+ * @param string $expectedAudience The expected audience of the JWT with the following formats:
76
+ * App Engine: /projects/{PROJECT_NUMBER}/apps/{PROJECT_ID}
77
+ * Compute Engine: /projects/{PROJECT_NUMBER}/global/backendServices/{BACKEND_SERVICE_ID}
78
+ */
79
+ function validate_jwt ($ iapJwt , $ expectedAudience )
75
80
{
76
81
// Validate the signature using the IAP cert URL.
77
82
$ token = new AccessToken ();
78
- $ jwt = $ token ->verify ($ iap_jwt , [
83
+ $ jwt = $ token ->verify ($ iapJwt , [
79
84
'certsLocation ' => AccessToken::IAP_CERT_URL
80
85
]);
81
86
@@ -85,9 +90,14 @@ function validate_jwt($iap_jwt, $expected_audience)
85
90
86
91
// Validate token by checking issuer and audience fields.
87
92
assert ($ jwt ['iss ' ] == 'https://cloud.google.com/iap ' );
88
- assert ($ jwt ['aud ' ] == $ expected_audience );
93
+ assert ($ jwt ['aud ' ] == $ expectedAudience );
89
94
90
- // Return the user identity (subject and user email) if JWT verification is successful.
91
- return array ('sub ' => $ jwt ['sub ' ], 'email ' => $ jwt ['email ' ]);
95
+
96
+ print ('Printing user identity information from ID token payload: ' );
97
+ printf ('sub: %s ' , $ jwt ['sub ' ]);
98
+ printf ('email: %s ' , $ jwt ['email ' ]);
92
99
}
93
100
# [END iap_validate_jwt]
101
+
102
+ require_once __DIR__ . '/../../testing/sample_helpers.php ' ;
103
+ \Google \Cloud \Samples \execute_sample (__FILE__ , __NAMESPACE__ , $ argv );
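Review bot: The issuer and audience checks on the `assert($jwt['iss'] == ...)` and renamed `assert($jwt['aud'] == $expectedAudience)` lines are not enforced in a production PHP configuration: with `zend.assertions = -1` (the production default) `assert()` is compiled out, so after signature verification a validly signed IAP token minted for a different project or backend service would pass and its `sub`/`email` would be printed as if it were ours. Since this is the sample people copy, the checks should be real control flow that throws, using strict comparison rather than `==`. This also removes the dependency on php.ini for a security decision; the signature check via `AccessToken::verify` is unchanged, and I have not verified from here whether it can be asked to enforce the audience itself, which would be the even stronger option.

```php
// … unchanged: signature verification via AccessToken::verify …
if ($jwt['iss'] !== 'https://cloud.google.com/iap') {
    throw new \UnexpectedValueException('Unexpected issuer: ' . $jwt['iss']);
}
if ($jwt['aud'] !== $expectedAudience) {
    throw new \UnexpectedValueException('Unexpected audience: ' . $jwt['aud']);
}
// … unchanged: printing of sub / email …
```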