feat: updates IAP using the new auth library (GoogleCloudPlatform#1019)

Author: bshaffer

iap/composer.json

@@ -1,8 +1,8 @@
 {
     "require": {
         "symfony/console": "^2.8",
-        "google/auth":"^1.2",
-        "guzzlehttp/guzzle": "^6.3",
+        "google/auth":"^1.7.1",
+        "guzzlehttp/guzzle": "~6.3.3",
         "kelvinmo/simplejwt": "^0.2.4"
     },
     "autoload": {

iap/src/make_iap_request.php

@@ -24,8 +24,7 @@
 namespace Google\Cloud\Samples\Iap;
 
 # Imports Auth libraries and Guzzle HTTP libraries.
-use Google\Auth\OAuth2;
-use Google\Auth\Middleware\ScopedAccessTokenMiddleware;
+use Google\Auth\ApplicationDefaultCredentials;
 use GuzzleHttp\Client;
 use GuzzleHttp\HandlerStack;
 
@@ -37,47 +36,20 @@
  *
  * @return The response body.
  */
-function make_iap_request($url, $clientId, $pathToServiceAccount)
+function make_iap_request($url, $clientId)
 {
-    $serviceAccountKey = json_decode(file_get_contents($pathToServiceAccount), true);
-    $oauth_token_uri = 'https://www.googleapis.com/oauth2/v4/token';
-    $iam_scope = 'https://www.googleapis.com/auth/iam';
-
-    # Create an OAuth object using the service account key
-    $oauth = new OAuth2([
-        'audience' => $oauth_token_uri,
-        'issuer' => $serviceAccountKey['client_email'],
-        'signingAlgorithm' => 'RS256',
-        'signingKey' => $serviceAccountKey['private_key'],
-        'tokenCredentialUri' => $oauth_token_uri,
-    ]);
-    $oauth->setGrantType(OAuth2::JWT_URN);
-    $oauth->setAdditionalClaims(['target_audience' => $clientId]);
-
-    # Obtain an OpenID Connect token, which is a JWT signed by Google.
-    $token = $oauth->fetchAuthToken();
-    $idToken = $oauth->getIdToken();
-
-    # Construct a ScopedAccessTokenMiddleware with the ID token.
-    $middleware = new ScopedAccessTokenMiddleware(
-        function () use ($idToken) {
-            return $idToken;
-        },
-        $iam_scope
-    );
-
+    // create middleware, using the client ID as the target audience for IAP
+    $middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($clientId);
     $stack = HandlerStack::create();
     $stack->push($middleware);
 
-    # Create an HTTP Client using Guzzle and pass in the credentials.
-    $http_client = new Client([
-        'handler' => $stack,
-        'base_uri' => $url,
-        'auth' => 'scoped'
+    // create the HTTP client
+    $client = new Client([
+      'handler' => $stack,
+      'auth' => 'google_auth'
     ]);
 
-    # Make an authenticated HTTP Request
-    $response = $http_client->request('GET', '/', []);
-    return $response;
+    // make the request
+    return $client->get($url);
 }
 # [END iap_make_request]

iap/src/validate_jwt.php

@@ -23,12 +23,8 @@
 # [START iap_validate_jwt]
 namespace Google\Cloud\Samples\Iap;
 
-# Imports OAuth Guzzle HTTP libraries.
-use GuzzleHttp\Client;
-# Imports libraries for JWK validation
-use SimpleJWT\JWT;
-use SimpleJWT\Keys\KeySet;
-use SimpleJWT\InvalidTokenException;
+# Imports Google auth libraries for IAP validation
+use Google\Auth\AccessToken;
 
 /**
  * Validate a JWT passed to your App Engine app by Identity-Aware Proxy.
@@ -77,26 +73,21 @@ function validate_jwt_from_compute_engine($iap_jwt, $cloud_project_number, $back
 
 function validate_jwt($iap_jwt, $expected_audience)
 {
-    // get the public key JWK Set object (RFC7517)
-    $httpclient = new Client();
-    $response = $httpclient->request('GET', 'https://www.gstatic.com/iap/verify/public_key-jwk', []);
+    // Validate the signature using the IAP cert URL.
+    $token = new AccessToken();
+    $jwt = $token->verify($iap_jwt, [
+        'certsLocation' => AccessToken::IAP_CERT_URL
+    ]);
 
-    // Create a JWK Key Set from the gstatic URL
-    $jwkset = new KeySet();
-    $jwkset->load((string) $response->getBody());
-
-
-    // Validate the signature using the key set and ES256 algorithm.
-    try {
-        $jwt = JWT::decode($iap_jwt, $jwkset, 'ES256');
-    } catch (InvalidTokenException $e) {
-        return print("Failed to validate JWT: " . $e->getMessage() . PHP_EOL);
+    if (!$jwt) {
+        return print('Failed to validate JWT: Invalid JWT');
     }
+
     // Validate token by checking issuer and audience fields.
-    assert($jwt->getClaim('iss') == 'https://cloud.google.com/iap');
-    assert($jwt->getClaim('aud') == $expected_audience);
+    assert($jwt['iss'] == 'https://cloud.google.com/iap');
+    assert($jwt['aud'] == $expected_audience);
 
     // Return the user identity (subject and user email) if JWT verification is successful.
-    return array('sub' => $jwt->getClaim('sub'), 'email' => $jwt->getClaim('email'));
+    return array('sub' => $jwt['sub'], 'email' => $jwt['email']);
 }
 # [END iap_validate_jwt]