Documentation
Overview
Package iap provides HTTP middleware for Google Cloud's Identity-Aware Proxy. See https://cloud.google.com/iap/docs/concepts-overview
Functions
func Email
Email returns the email address of the user logged in via IAP, or panics. The request must have been served by the HTTP middleware returned by Required.
func Required
Required ensures requests are authenticated with Google's Identity-Aware Proxy. It returns a handler that returns an HTTP 403 Forbidden error to any request that does not have a valid header, or if any error occurs while trying to validate the signed header. This function is sufficient for most services, but you need to use RequiredWithExceptions for Kubernetes.
The audience must not be empty or Required will panic. For possible values for audience, see: https://cloud.google.com/iap/docs/signed-headers-howto#verify_the_jwt_payload
func RequiredWithExceptions
func RequiredWithExceptions(audience string, handler http.Handler, exceptions []string) http.Handler
RequiredWithExceptions ensures requests are authenticated with Google's Identity-Aware Proxy, except for some paths which are public. The paths passed as exceptions will be public and not require authentication. Unlike the http package's mux, these paths are matched exactly.
Most applications should use Required, but when using IAP with Kubernetes, you will need to make your service's health check public by passing the appropriate path as an exception (e.g. "/health").
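The exact-match rule for exceptions described above, as an added example that is not this package's code: a stand-in middleware shows that excepting "/health" leaves "/health/" and "/health/debug" behind authentication. The names requireExcept, fakeVerify, status and demo are hypothetical, the token is constructed, and the JWT check is replaced by a fixed-value comparison so the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const iapHeader = "X-Goog-Iap-Jwt-Assertion" // header in which IAP passes its signed JWT

// fakeVerify is a constructed stand-in for JWT validation so the example runs offline.
func fakeVerify(r *http.Request) bool { return r.Header.Get(iapHeader) == "constructed-test-token" }

// requireExcept (hypothetical name) serves exception paths without a check and
// answers 403 to any other request that fails verification.
func requireExcept(verify func(*http.Request) bool, next http.Handler, exceptions []string) http.Handler {
	public := make(map[string]bool, len(exceptions))
	for _, p := range exceptions {
		public[p] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !public[r.URL.Path] && !verify(r) { // exact string match, no prefix or subtree
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends an in-memory GET with the given token and returns the status code.
func status(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set(iapHeader, token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// demo protects a trivial handler and makes only "/health" public.
func demo() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	return requireExcept(fakeVerify, ok, []string{"/health"})
}

func main() {
	for _, p := range []string{"/health", "/health/", "/health/debug", "/admin"} {
		fmt.Println(p, status(demo(), p, ""))
	}
}
```

A health check configured with a trailing slash or a sub-path would therefore get 403 unless that exact path is also listed as an exception.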