fixes IAP validation (GoogleCloudPlatform#900)

bshaffer · web-flow · commit a9337ddfb19c · 2019-05-28T15:40:58.000-07:00
diff --git a/iap/composer.json b/iap/composer.json
@@ -2,7 +2,8 @@
     "require": {
         "symfony/console": "^2.8",
         "google/auth":"^1.2",
-        "spomky-labs/jose": "^6.1|^7.0"
+        "guzzlehttp/guzzle": "^6.3",
+        "kelvinmo/simplejwt": "^0.2.4"
     },
     "autoload": {
         "psr-4": {
diff --git a/iap/src/validate_jwt.php b/iap/src/validate_jwt.php
@@ -24,8 +24,11 @@
 namespace Google\Cloud\Samples\Iap;
 
 # Imports OAuth Guzzle HTTP libraries.
-use Jose\Factory\JWKFactory;
-use Jose\Loader;
+use GuzzleHttp\Client;
+# Imports libraries for JWK validation
+use SimpleJWT\JWT;
+use SimpleJWT\Keys\KeySet;
+use SimpleJWT\InvalidTokenException;
 
 /**
  * Validate a JWT passed to your App Engine app by Identity-Aware Proxy.
@@ -74,22 +77,26 @@ function validate_jwt_from_compute_engine($iap_jwt, $cloud_project_number, $back
 
 function validate_jwt($iap_jwt, $expected_audience)
 {
+    // get the public key JWK Set object (RFC7517)
+    $httpclient = new Client();
+    $response = $httpclient->request('GET', 'https://www.gstatic.com/iap/verify/public_key-jwk', []);
+
     // Create a JWK Key Set from the gstatic URL
-    $jwk_set = JWKFactory::createFromJKU('https://www.gstatic.com/iap/verify/public_key-jwk');
+    $jwkset = new KeySet();
+    $jwkset->load((string) $response->getBody());
 
-    // Validate the signature using the key set and ES256 algorithm.
-    $loader = new Loader();
-    $jws = $loader->loadAndVerifySignatureUsingKeySet(
-        $iap_jwt,
-        $jwk_set,
-        ['ES256']
-    );
 
+    // Validate the signature using the key set and ES256 algorithm.
+    try {
+        $jwt = JWT::decode($iap_jwt, $jwkset, 'ES256');
+    } catch (InvalidTokenException $e) {
+        return print("Failed to validate JWT: " . $e->getMessage() . PHP_EOL);
+    }
     // Validate token by checking issuer and audience fields.
-    assert($jws->getClaim('iss') == 'https://cloud.google.com/iap');
-    assert($jws->getClaim('aud') == $expected_audience);
+    assert($jwt->getClaim('iss') == 'https://cloud.google.com/iap');
+    assert($jwt->getClaim('aud') == $expected_audience);
 
     // Return the user identity (subject and user email) if JWT verification is successful.
-    return array('sub' => $jws->getClaim('sub'), 'email' => $jws->getClaim('email'));
+    return array('sub' => $jwt->getClaim('sub'), 'email' => $jwt->getClaim('email'));
 }
 # [END iap_validate_jwt]
diff --git a/iap/test/iapTest.php b/iap/test/iapTest.php
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-namespace Google\Cloud\Samples\Iap\Tests;
+namespace Google\Cloud\Samples\Iap;
 
 use Symfony\Component\Console\Tester\CommandTester;
 
@@ -44,6 +44,12 @@ public function testRequest()
         $this->assertContains('x-goog-authenticated-user-jwt:', $output);
     }
 
+    public function testInvalidJwt()
+    {
+        validate_jwt('fake_jwt', 'fake_expected_audience');
+        $this->expectOutputRegex('/Failed to validate JWT:/');
+    }
+
     public function testValidate()
     {
         if (version_compare(PHP_VERSION, '7.2.0') === 1) {
