Tags: jwt, quarkus, google-cloud-identity-aware-proxy

Quarkus SmallRye JWT GCP Identity Aware Proxy (IAP) integration


I am trying to figure out how Quarkus SmallRye JWT (https://quarkus.io/guides/security-jwt) could work together with GCP's Identity Aware Proxy (https://cloud.google.com/iap/docs/signed-headers-howto?hl=de#securing_iap_headers).

The GCP load balancer forwards the JWT in the header x-goog-iap-jwt-assertion.

How could I configure SmallRye JWT to pick up the right header without the 'Bearer' scheme and to use the public key provided here https://www.gstatic.com/iap/verify/public_key?

I tried something like

mp.jwt.verify.publickey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE43cTT9GWJlLTzgB...
quarkus.smallrye-jwt.enabled=true
mp.jwt.token.header=x-goog-iap-jwt-assertion

but I always get back

* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< www-authenticate: Bearer
< content-length: 0

Solution

  • The following worked:

    mp.jwt.verify.publickey.location=https://www.gstatic.com/iap/verify/public_key-jwk
    mp.jwt.verify.publickey.algorithm=ES256
    mp.jwt.verify.issuer=https://cloud.google.com/iap
    mp.jwt.verify.audiences=/projects/xxxxx/global/backendServices/xxxxxx
    mp.jwt.token.header=x-goog-iap-jwt-assertion
    

    Notice algorithm=ES256
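The working configuration above is shorthand for a fixed set of checks: read the token from x-goog-iap-jwt-assertion rather than from Authorization: Bearer, accept only ES256, pick the verification key by kid from the JWK set, and match issuer and audience. The following script, added here as an illustration and not code from the question, the answer, SmallRye or Google, re-implements those checks in plain Python so they can be run offline and seen failing on the cases the config is meant to reject (alg "none" or an RSA alg substituted into the header, a token for a different backend service, an expired token, a token presented only as a Bearer header). The JWK set, key pair, kid "test-kid" and the audience "/projects/123456789/global/backendServices/987654321" are constructed for the example; nothing is fetched from https://www.gstatic.com/iap/verify/public_key-jwk, and the pure-Python P-256 ECDSA exists only so the script has no dependencies.

```python
"""Reference re-implementation (not SmallRye's code) of the checks the MP JWT
config performs on an IAP-signed request. All keys and tokens are constructed."""
import base64, hashlib, json, secrets, time

# NIST P-256 domain parameters (FIPS 186-4, D.1.2.3)
_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
_A = -3
_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
      0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % _P == 0: return None
        lam = (3 * x1 * x1 + _A) * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return (x3, (lam * (x1 - x3) - y1) % _P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt = _add(pt, pt); k >>= 1
    return acc

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def es256_sign(priv, signing_input):
    """JWS ES256: ECDSA/P-256 over SHA-256, signature encoded as r||s (64 bytes)."""
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    while True:
        k = secrets.randbelow(_N - 1) + 1
        r = _mul(k, _G)[0] % _N
        s = pow(k, -1, _N) * (z + r * priv) % _N
        if r and s: return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def es256_verify(jwk, signing_input, sig):
    """Verify an r||s signature against an EC/P-256 JWK (x, y base64url coordinates)."""
    if len(sig) != 64: return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < _N and 0 < s < _N): return False
    q = (int.from_bytes(_b64u_dec(jwk["x"]), "big"), int.from_bytes(_b64u_dec(jwk["y"]), "big"))
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    w = pow(s, -1, _N)
    pt = _add(_mul(z * w % _N, _G), _mul(r * w % _N, q))
    return pt is not None and pt[0] % _N == r

IAP_ISSUER = "https://cloud.google.com/iap"        # mp.jwt.verify.issuer
IAP_HEADER = "x-goog-iap-jwt-assertion"            # mp.jwt.token.header

def verify_iap_request(headers, jwks, expected_aud, now=None):
    """Return the verified claims or raise ValueError with the reason (an HTTP 401)."""
    now = int(time.time()) if now is None else now
    token = {k.lower(): v for k, v in headers.items()}.get(IAP_HEADER)
    if not token: raise ValueError("missing " + IAP_HEADER)   # Authorization: Bearer is never consulted
    try:
        h64, p64, s64 = token.split(".")
        hdr, claims = json.loads(_b64u_dec(h64)), json.loads(_b64u_dec(p64))
    except ValueError: raise ValueError("malformed JWT")
    if not (isinstance(hdr, dict) and isinstance(claims, dict)): raise ValueError("malformed JWT")
    # mp.jwt.verify.publickey.algorithm=ES256 pins the algorithm; the token header is not trusted to choose it
    if hdr.get("alg") != "ES256": raise ValueError("alg must be ES256, got %r" % hdr.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == hdr.get("kid")), None)
    if key is None or key.get("kty") != "EC" or key.get("crv") != "P-256": raise ValueError("no usable key for kid")
    if not es256_verify(key, (h64 + "." + p64).encode(), _b64u_dec(s64)): raise ValueError("bad signature")
    if claims.get("iss") != IAP_ISSUER: raise ValueError("wrong issuer")
    aud = claims.get("aud"); aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud: raise ValueError("wrong audience")   # mp.jwt.verify.audiences
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now: raise ValueError("token expired")
    return claims

# --- constructed fixture: a throwaway signing key and the JWK set that would publish it ---
_PRIV = secrets.randbelow(_N - 1) + 1
_PUB = _mul(_PRIV, _G)
TEST_JWKS = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "test-kid", "alg": "ES256",
                       "x": _b64u(_PUB[0].to_bytes(32, "big")), "y": _b64u(_PUB[1].to_bytes(32, "big"))}]}
TEST_AUD = "/projects/123456789/global/backendServices/987654321"   # constructed, not a real backend service

def make_token(claims, alg="ES256", kid="test-kid"):
    """Mint a test token; alg other than ES256 yields an unsigned token (the attacker's case)."""
    h64 = _b64u(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    p64 = _b64u(json.dumps(claims).encode())
    sig = es256_sign(_PRIV, (h64 + "." + p64).encode()) if alg == "ES256" else b""
    return h64 + "." + p64 + "." + _b64u(sig)
```

The audience check is the one that ties a token to this particular backend service; without it a token minted by IAP for any other service behind the same project would be accepted. Verifying the assertion is also what makes the identity trustworthy at all, which is the point of the "securing IAP headers" section linked in the question: the check fails closed for requests that reach the service without passing through the load balancer.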