proxiap

Version: v0.0.0-...-068b95c

This package is not in the latest version of its module.
Published: Feb 27, 2024 License: MIT Imports: 6 Imported by: 0

README

IAP Auth Client Library for Go

This library resolves conflicts when using Identity-Aware Proxy (IAP) alongside additional layers of authentication. By default, IAP uses the Authorization header for its tokens (source: googleapis/google-cloud-go), potentially causing issues with secondary authentication layers that tend to use the same header. This solution moves IAP tokens to the Proxy-Authorization header, enabling seamless interaction with both IAP and additional authentication layers. Users can now set the Authorization header with credentials for the secondary layer.

It provides two main functionalities:

  • Creates a new HTTP client that sends the IAP token in the Proxy-Authorization header.
  • Updates an existing HTTP client's transport so that it sends the IAP token in the Proxy-Authorization header.

Installation

Just import it as you would any other library.

Usage

Caution: Ensure this code runs in an environment with a Service Account (SA) capable of IAP authentication. It relies on standard Google credential sources, seamlessly obtaining credentials within the appropriate setup.

Create new client:

package main

import (
	"context"
	"fmt"
	"net/http"

	proxiap "github.com/MytkoEnko/iap-proxy-auth"
)

func main() {

	// Context is required
	ctx := context.Background()

	// IAP client ID of the resource is required
	iapID := "123456789012-abc123def456ghijklmnopqrstuvwxyz.apps.googleusercontent.com"
	// Create an HTTP client with proxied IAP headers.
	client := proxiap.NewIapClient(ctx, iapID)

	// Make a sample request to a resource protected by IAP
	req, err := http.NewRequestWithContext(ctx, "GET", "https://example.com/protected/resource", nil)
	if err != nil {
		fmt.Printf("Error creating request: %v\n", err)
		return
	}

	// Add any necessary headers for your second layer authentication
	req.Header.Set("Authorization", "Bearer your_second_layer_token")

	// Send the request
	resp, err := client.Do(req)
	if err != nil {
		fmt.Printf("Error sending request: %v\n", err)
		return
	}
	// Always close the response body so the connection can be reused
	defer resp.Body.Close()

	// Use your client ...
	fmt.Println("Status:", resp.Status)
}

Update existing client:

package main

import (
	"context"
	"net/http"

	proxiap "github.com/MytkoEnko/iap-proxy-auth"
)

func main() {
	// Context is required
	ctx := context.Background()

	// IAP client ID of the resource is required
	iapID := "123456789012-abc123def456ghijklmnopqrstuvwxyz.apps.googleusercontent.com"
	// Create a new http.Client
	client := &http.Client{}

	// Update the client's transport with proxiap.SetIapTransport().
	// SetIapTransport takes a *http.Client, so pass the pointer itself.
	proxiap.SetIapTransport(ctx, iapID, client)

	// Use your client ...
}

Documentation

Overview

Package proxiap provides methods and structs to handle authentication to resources behind Google's Identity-Aware Proxy (IAP).

Functions

func NewIapClient

func NewIapClient(ctx context.Context, iapId string) *http.Client

NewIapClient returns a new http.Client with a Transport that handles IAP authentication. If iapId is empty, it returns nil.

func SetIapTransport

func SetIapTransport(ctx context.Context, iapId string, client *http.Client)

SetIapTransport replaces http.Transport in the provided http.Client with one that will handle authentication behind IAP. If iapId is empty, it returns the same clie

func TokensourceInit

func TokensourceInit(ctx context.Context, audience string, opts ...option.ClientOption) oauth2.TokenSource

TokensourceInit initializes a new TokenSource using the provided audience and client options. It panics if it encounters an error during initialization.

Types

type IapAuthTransport

type IapAuthTransport struct {
	Transport    http.RoundTripper
	Tokensource  oauth2.TokenSource
	CurrentToken oauth2.Token
}

IapAuthTransport is a custom http.RoundTripper that adds IAP authentication to the http.Requests. It assumes a default service account with permission to access the resource.

func (*IapAuthTransport) RoundTrip

func (t *IapAuthTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip adds the IAP authorization header (obtained from TokenSource) to each request before it is sent.
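The header placement that RoundTrip is described as performing, as an added example that is not the library's own code. The names proxyAuthTransport, recorder and sentHeaders, the host iap.example.test and both token strings are constructed for illustration; restricting the token to one HTTPS host is an addition here, not something the page says the library does.

```go
package main

import (
	"fmt"
	"net/http"
)

// proxyAuthTransport is a hypothetical stand-in, not the library's own type.
type proxyAuthTransport struct {
	Base  http.RoundTripper
	Host  string                 // the only host that may receive the token
	Token func() (string, error) // assumed token source
}

func (t *proxyAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// RoundTrip also runs for every redirect hop, so scope the token to one HTTPS host.
	if req.URL.Scheme == "https" && req.URL.Host == t.Host {
		tok, err := t.Token()
		if err != nil {
			return nil, fmt.Errorf("fetching IAP token: %w", err) // fail closed
		}
		req = req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
		req.Header.Set("Proxy-Authorization", "Bearer "+tok)
	}
	return t.Base.RoundTrip(req)
}

// recorder is a constructed offline backend that captures the headers it is sent.
type recorder struct{ proxyAuth, auth string }

func (r *recorder) RoundTrip(req *http.Request) (*http.Response, error) {
	r.proxyAuth, r.auth = req.Header.Get("Proxy-Authorization"), req.Header.Get("Authorization")
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Header: http.Header{}}, nil
}

// sentHeaders pushes a request for url through the transport, with the token scoped
// to iap.example.test, and returns the Proxy-Authorization and Authorization sent.
func sentHeaders(url string) (string, string, error) {
	rec := &recorder{}
	token := func() (string, error) { return "iap-token-constructed", nil }
	tr := &proxyAuthTransport{Base: rec, Host: "iap.example.test", Token: token}
	req, err := http.NewRequest("GET", url, nil)
	if err == nil {
		req.Header.Set("Authorization", "Bearer second-layer-constructed")
		_, err = tr.RoundTrip(req)
	}
	return rec.proxyAuth, rec.auth, err
}

func main() { fmt.Println(sentHeaders("https://iap.example.test/resource")) }
```

The second-layer Authorization value passes through untouched in every case, while a request to another host or over plain HTTP leaves without the IAP token.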
