Implement IAP/JWT client #149

Closed
nohn opened this Issue May 16, 2017 · 15 comments

nohn commented May 16, 2017

Please implement the functionality required to connect to IAP protected services like in the Python Auth Client: https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py

Contributor

bshaffer commented Aug 14, 2017

@nohn Can you explain what the missing auth is?

nohn commented Aug 15, 2017

The basic documentation is on https://cloud.google.com/iap/docs/authentication-howto. There's a bit more on https://cloudplatform.googleblog.com/2017/04/Getting-started-with-Cloud-Identity-Aware-Proxy.html. It seems like at least the target_audience claim is missing, but I'm not sure if that's all.

b4b4r07 commented Sep 25, 2017

+1

Contributor

bshaffer commented Sep 25, 2017

We are working on this! cc @ryanmats

b4b4r07 commented Sep 28, 2017

When will it be implemented?

Contributor

bshaffer commented Sep 28, 2017

@b4b4r07 Is the request to support the field target_audience in the JWT payload? I haven't tested it out, but it may be possible through something like this: https://gist.github.com/bshaffer/35fc2fb65df200c5e3a201c70c466c8b

b4b4r07 commented Sep 29, 2017

Thank you. Does that script really work? I tried it but I got an error. As far as I can see, making an IAP request needs to refresh the token. However, that script doesn't do that.

Contributor

bshaffer commented Sep 29, 2017

It won't work until #171 is merged, and then you will be able to do the following:

$oauth->setAdditionalClaims([
    'target_audience' => $clientID,
]);

I've updated the sample to reflect this, but if you could pull down the branch and test, that would be awesome! You can do so by changing composer.json to look something like this (and then running composer update):

{
    "require": {
        "google/auth": "dev-additional-claims as v1.0.1"
    }
}

Contributor

bshaffer commented Oct 3, 2017

If someone on this thread could confirm this change to the auth library enables a successful IAP call, I will get the change merged and a new version tagged.

nohn commented Oct 4, 2017

$ php test.php
PHP Fatal error:  Uncaught Error: Class 'Google\Auth\OAuth2' not found in /home/project/iaphp/test.php:18
Stack trace:
#0 {main}
  thrown in /home/project/iaphp/test.php on line 18
$ cat composer.json
{
    "required": {
        "google/auth": "dev-additional-claims as v1.0.1"
    },
    "require": {
        "google/auth": "dev-additional-claims as v1.0.1"
    }
}

Contributor

bshaffer commented Oct 4, 2017

@nohn you are getting an autoload error. Presumably composer is not set up properly.

Contributor

bshaffer commented Oct 9, 2017

@nohn also, composer should use "require" and not "required".

nohn commented Oct 10, 2017

  1. Composer is latest stable (1.5.2)
  2. Install is clean
$ composer self-update
You are already using composer version 1.5.2 (stable channel).
$ cat > composer.json 
{
    "require": {
        "google/auth": "dev-additional-claims as v1.0.1"
    }
}
$ composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 7 installs, 0 updates, 0 removals
  - Installing psr/cache (1.0.1): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing guzzlehttp/psr7 (1.4.2): Loading from cache
  - Installing guzzlehttp/promises (v1.3.1): Loading from cache
  - Installing guzzlehttp/guzzle (6.3.0): Loading from cache
  - Installing firebase/php-jwt (v5.0.0): Loading from cache
  - Installing google/auth (dev-additional-claims 82c081a): Cloning 82c081a6fd from cache
guzzlehttp/guzzle suggests installing psr/log (Required for using the Log middleware)
Writing lock file
Generating autoload files
$ php test.php
PHP Fatal error:  Uncaught Error: Class 'Google\Auth\OAuth2' not found in /home/project/iap-php/test.php:18
Stack trace:
#0 {main}
  thrown in /home/project/iap-php/test.php on line 18

ryanmats commented Oct 10, 2017

Hi all.
I have confirmed that @bshaffer's fix to google-auth-library-php enables a successful IAP call.

Here is a code snippet that I have tested and works.

Make sure to add "google/auth":"dev-additional-claims as v1.0.1" to the require section of your composer.json file before running this. Also make sure to visit https://console.cloud.google.com/iam-admin/iap/ and enable IAP for an application of your choice and give your Service Account key access to this newly protected site. Fetch your client ID by clicking on the ellipses button next to your App Engine app listing on the IAP page and clicking 'Edit OAuth client.'

We will be adding this code sample to https://github.com/GoogleCloudPlatform/php-docs-samples soon.
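
The flow this thread converges on, as an added example (not the snippet ryanmats refers to and not the project's own sample): a service-account-signed JWT carrying `target_audience` is exchanged for a Google-signed OpenID Connect token, whose `aud` is checked before it is sent to the IAP-protected URL. Assumptions: the token endpoint URL, the `IAP_CLIENT_ID` and `IAP_URL` environment variables, and the constructed issuer and client ID used when no key file is configured.

```php
<?php
// Added example. IAP_CLIENT_ID and IAP_URL are hypothetical env vars; needs google/auth with setAdditionalClaims().
require __DIR__ . '/vendor/autoload.php';

use Google\Auth\HttpHandler\HttpHandlerFactory;
use Google\Auth\OAuth2;
use GuzzleHttp\Client;
const TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token';

// Configure the helper that signs a JWT assertion as the service account.
function iapOAuth(string $email, string $privateKeyPem, string $iapClientId): OAuth2
{
    $oauth = new OAuth2([
        'issuer' => $email,
        'audience' => TOKEN_URI, // the assertion itself is addressed to the token endpoint
        'signingAlgorithm' => 'RS256',
        'signingKey' => $privateKeyPem,
        'tokenCredentialUri' => TOKEN_URI,
    ]);
    // Ask for an OpenID Connect token minted for the IAP OAuth client ID.
    $oauth->setAdditionalClaims(['target_audience' => $iapClientId]);
    return $oauth;
}

// Decode the payload segment of a JWT for inspection (no signature check).
function jwtClaims(string $jwt): array
{
    $payload = strtr(explode('.', $jwt)[1] ?? '', '-_', '+/');
    return json_decode(base64_decode($payload), true) ?: [];
}

$clientId = getenv('IAP_CLIENT_ID') ?: 'constructed-id.apps.googleusercontent.com';
$keyFile = getenv('GOOGLE_APPLICATION_CREDENTIALS');
if (!$keyFile) {
    // Offline run: throwaway key and constructed issuer, to show the claims that get signed.
    openssl_pkey_export(openssl_pkey_new(['private_key_bits' => 2048]), $pem);
    print_r(jwtClaims(iapOAuth('sa@constructed.example', $pem, $clientId)->toJwt()));
    exit(0);
}
$key = json_decode(file_get_contents($keyFile), true);
$oauth = iapOAuth($key['client_email'], $key['private_key'], $clientId);
$token = $oauth->fetchAuthToken(HttpHandlerFactory::build(new Client()));
$idToken = $token['id_token'] ?? '';
// IAP only accepts a token whose aud is its own client ID, so check before sending.
if ((jwtClaims($idToken)['aud'] ?? null) !== $clientId) {
    throw new RuntimeException('No id_token, or it was issued for another audience');
}
$headers = ['Authorization' => 'Bearer ' . $idToken];
$res = (new Client())->request('GET', getenv('IAP_URL'), ['headers' => $headers, 'http_errors' => false]);
echo $res->getStatusCode(), "\n";
```

Run without `GOOGLE_APPLICATION_CREDENTIALS` set, it only prints the assertion claims, which is a quick way to confirm that `target_audience` is actually in the signed payload.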

@bshaffer bshaffer closed this Oct 23, 2017

Contributor

bshaffer commented Oct 23, 2017

@nohn you need to include the autoloader at the top of test.php

require __DIR__ . '/vendor/autoload.php';