I am trying to figure out how Quarkus SmallRye JWT (https://quarkus.io/guides/security-jwt) could work together with GCP's Identity Aware Proxy (https://cloud.google.com/iap/docs/signed-headers-howto?hl=de#securing_iap_headers).
The GCP load balancer forwards the JWT in the header x-goog-iap-jwt-assertion.
How could I configure SmallRye JWT to pick up the right header without the 'Bearer' scheme and to use the public key provided here https://www.gstatic.com/iap/verify/public_key?
I tried something like
mp.jwt.verify.publickey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE43cTT9GWJlLTzgB...
quarkus.smallrye-jwt.enabled=true
mp.jwt.token.header=x-goog-iap-jwt-assertion
but I always get back
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< www-authenticate: Bearer
< content-length: 0
The following worked:
mp.jwt.verify.publickey.location=https://www.gstatic.com/iap/verify/public_key-jwk
mp.jwt.verify.publickey.algorithm=ES256
mp.jwt.verify.issuer=https://cloud.google.com/iap
mp.jwt.verify.audiences=/projects/xxxxx/global/backendServices/xxxxxx
mp.jwt.token.header=x-goog-iap-jwt-assertion
Notice algorithm=ES256
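
A quick way to see which setting disagrees with the token before touching signature verification, as an added example that is not part of the original question or answer and is not Quarkus or SmallRye code: it decodes the unverified header and claims of a token and compares them with the mp.jwt.* properties. It assumes RS256 is applied when mp.jwt.verify.publickey.algorithm is not set; the function names and the sample token are constructed for illustration.

```python
import base64
import json

def _decode(segment):
    # base64url segment (padding restored) -> dict
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def parse_properties(text):
    """Parse key=value lines as found in application.properties."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def preflight(token, props):
    """List mismatches between an UNVERIFIED token and the mp.jwt.* settings."""
    header_seg, payload_seg, _signature = token.split(".")
    header, claims = _decode(header_seg), _decode(payload_seg)
    problems = []
    # Assumption: RS256 applies when the algorithm property is not set.
    want_alg = props.get("mp.jwt.verify.publickey.algorithm", "RS256")
    if header.get("alg") != want_alg:
        problems.append(f"alg: token={header.get('alg')} config={want_alg}")
    want_iss = props.get("mp.jwt.verify.issuer")
    if want_iss and claims.get("iss") != want_iss:
        problems.append(f"iss: token={claims.get('iss')} config={want_iss}")
    want_aud = {a.strip() for a in props.get("mp.jwt.verify.audiences", "").split(",") if a.strip()}
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)
    if want_aud and not aud & want_aud:
        problems.append(f"aud: token={sorted(aud)} config={sorted(want_aud)}")
    return problems

# Constructed sample: IAP-shaped header and claims, placeholder signature.
SAMPLE_TOKEN = ".".join([
    _encode({"alg": "ES256", "typ": "JWT", "kid": "constructed-kid"}),
    _encode({"iss": "https://cloud.google.com/iap",
             "aud": "/projects/xxxxx/global/backendServices/xxxxxx"}),
    "constructed-signature"])
# Settings from the first attempt (key value omitted) and from the working setup.
FIRST_ATTEMPT = parse_properties("""quarkus.smallrye-jwt.enabled=true
mp.jwt.token.header=x-goog-iap-jwt-assertion""")
WORKING = parse_properties("""mp.jwt.verify.publickey.algorithm=ES256
mp.jwt.verify.issuer=https://cloud.google.com/iap
mp.jwt.verify.audiences=/projects/xxxxx/global/backendServices/xxxxxx
mp.jwt.token.header=x-goog-iap-jwt-assertion""")
print(preflight(SAMPLE_TOKEN, FIRST_ATTEMPT))
print(preflight(SAMPLE_TOKEN, WORKING))
```

The check is diagnostic only: it never validates the signature, so its output must not be used to decide whether a request is authenticated.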