{"id":13541670,"url":"https://github.com/imkira/gcp-iap-auth","last_synced_at":"2026-01-22T10:39:26.275Z","repository":{"id":21688353,"uuid":"89563401","full_name":"imkira/gcp-iap-auth","owner":"imkira","description":"A simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Cloud IAP (Identity-Aware Proxy)","archived":false,"fork":false,"pushed_at":"2025-03-21T22:42:13.000Z","size":119,"stargazers_count":88,"open_issues_count":6,"forks_count":32,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-02T09:40:58.434Z","etag":null,"topics":["auth","cloud","gcp","golang","google","iap","jwt","kubernetes","nginx","proxy"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imkira.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-27T06:28:05.000Z","updated_at":"2025-03-13T12:32:34.000Z","dependencies_parsed_at":"2024-01-19T05:54:05.209Z","dependency_job_id":"f19586ee-5c29-4798-9acc-37e46ea56f71","html_url":"https://github.com/imkira/gcp-iap-auth","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/imkira/gcp-iap-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imkira%2Fgcp-iap-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imkira%2Fgcp-iap-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imkira%2Fgcp-iap-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imkira%2Fgcp-iap-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imkira","download_url":"https://codeload.github.com/imkira/gcp-iap-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imkira%2Fgcp-iap-auth/sbom","scorecard":{"id":485694,"data":{"date":"2025-08-11","repo":{"name":"github.com/imkira/gcp-iap-auth","commit":"30054d4874c0372fba3d2b798943b102bd165987"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":3,"reason":"Found 5/15 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.13.2 to alpine:3.13.2@sha256:a75afd8b57e7f34e4dad8d65e2c7ba2e1975c795ce1ee22fa34f8cf46f96a3be","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.0.5 not signed: https://api.github.com/repos/imkira/gcp-iap-auth/releases/40086262","Warn: release artifact v0.0.3 not signed: https://api.github.com/repos/imkira/gcp-iap-auth/releases/6643885","Warn: release artifact v0.0.2 not signed: https://api.github.com/repos/imkira/gcp-iap-auth/releases/6642988","Warn: release artifact v0.0.1 not signed: https://api.github.com/repos/imkira/gcp-iap-auth/releases/6205059","Warn: release artifact v0.0.5 does not have provenance: https://api.github.com/repos/imkira/gcp-iap-auth/releases/40086262","Warn: release artifact v0.0.3 does not have provenance: https://api.github.com/repos/imkira/gcp-iap-auth/releases/6643885","Warn: release artifact v0.0.2 does not have provenance: https://api.github.com/repos/imkira/gcp-iap-auth/releases/6642988","Warn: release artifact v0.0.1 does not have provenance: https://api.github.com/repos/imkira/gcp-iap-auth/releases/6205059"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2020-0017 / GHSA-w73w-5m7g-f7qc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 26 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T17:42:50.261Z","repository_id":21688353,"created_at":"2025-08-19T17:42:50.261Z","updated_at":"2025-08-19T17:42:50.261Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28661875,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","cloud","gcp","golang","google","iap","jwt","kubernetes","nginx","proxy"],"created_at":"2024-08-01T10:00:54.142Z","updated_at":"2026-01-22T10:39:26.242Z","avatar_url":"https://github.com/imkira.png","language":"Go","funding_links":[],"categories":["Open Source Software"],"sub_categories":[],"readme":"# gcp-iap-auth\n\n[![License](http://img.shields.io/badge/license-MIT-red.svg?style=flat)](https://github.com/imkira/gcp-iap-auth/blob/master/LICENSE.txt)\n[![Build Status](http://img.shields.io/travis/imkira/gcp-iap-auth.svg?style=flat)](https://travis-ci.org/imkira/gcp-iap-auth)\n\n`gcp-iap-auth` is a simple server implementation and package in\n[Go](http://golang.org) for helping you secure your web apps running on GCP\nbehind a\n[Google Cloud Platform's IAP (Identity-Aware Proxy)](https://cloud.google.com/iap/docs/) by validating IAP signed headers in the requests.\n\n# Why\n\nValidating signed headers helps you protect your app from the following kinds of risks:\n\n- IAP is accidentally disabled;\n- Misconfigured firewalls;\n- Access from within the project.\n\n## How to use it as a package\n\n```go\ngo get -u github.com/imkira/gcp-iap-auth/jwt\n```\n\nThe following is just an excerpt of the provided [simple.go example](https://github.com/imkira/gcp-iap-auth/tree/master/examples):\n\n```go\n// Here we validate the tokens in all requests going to\n// our server at http://127.0.0.1:12345/auth\n// For valid tokens we return 200, otherwise 401.\nfunc AuthHandler(w http.ResponseWriter, req *http.Request) {\n\tif err := jwt.ValidateRequestClaims(req, cfg); err != nil {\n\t\tw.WriteHeader(http.StatusUnauthorized)\n\t} else {\n\t\tw.WriteHeader(http.StatusOK)\n\t}\n}\n```\n\nFor advanced usage, make sure to check the\n[available documentation here](http://godoc.org/github.com/imkira/gcp-iap-auth).\n\n## How to use it as a server\n\n[Binary Releases](https://github.com/imkira/gcp-iap-auth/releases) are provided for convenience.\n\nAfter downloading it, you can execute it like:\n\n```shell\ngcp-iap-auth --audiences=YOUR_AUDIENCE\n```\nConstruction of the `YOUR_AUDIENCE` string is covered [here](https://godoc.org/github.com/imkira/gcp-iap-auth/jwt#Audience)\n\nHTTPS is also supported. Just make sure you give it the cert/key files:\n\n```shell\ngcp-iap-auth --audiences=YOUR_AUDIENCE --tls-cert=PATH_TO_CERT_FILE --tls-key=PATH_TO_KEY_FILE\n```\n\nIt is also possible to use environment variables instead of flags.\nJust prepend `GCP_IAP_AUTH_` to the flag name (in CAPS and with `-` replaced by `_`) and you're good to go (eg: `GCP_IAP_AUTH_AUDIENCES` replaces `--audiences`)\n\nFor help, just check usage:\n\n```shell\ngcp-iap-auth --help\n```\n\n## How to use it as a reverse proxy\n\nIn this mode the `gcp-iap-auth` server runs as a proxy in front of another web\napp. The JWT header will be checked and requests with a valid header will be\npassed to the backend, while all other requests will return HTTP error 401.\n\n```shell\ngcp-iap-auth --audiences=YOUR_AUDIENCE --backend=http://localhost:8080\n```\n\nIn proxy mode you may optionally specify a header that will be filled with the\nvalidated email address from the JWT token. The value will _only_ contain the\nemail address, eg: `name@dom.tld`, unlike the `x-goog-authenticated-user-email`\nheader this does not contain a namespace prefix, making this approach suitable\nfor backend apps which only want an email address.\n\n```shell\ngcp-iap-auth --audiences=YOUR_AUDIENCE --backend=http://localhost:8080 --email-header=X-WEBAUTH-USER\n```\n\n## Integration with NGINX\n\nYou can also integrate `gcp-iap-auth` server with [NGINX](https://nginx.org)\nusing the\n[http_auth_request_module](https://nginx.org/en/docs/http/ngx_http_auth_request_module.html).\n\nThe important part is as follows ([full nginx.conf example file here](https://github.com/imkira/gcp-iap-auth/tree/master/examples)):\n\n```\n    upstream AUTH_SERVER_UPSTREAM {\n      server AUTH_SERVER_ADDR:AUTH_SERVER_PORT;\n    }\n\n    upstream APP_SERVER_UPSTREAM {\n      server APP_SERVER_ADDR:APP_SERVER_PORT;\n    }\n\n    server {\n      server_name APP_DOMAIN;\n\n      location = /gcp-iap-auth {\n          internal;\n          proxy_pass                 http://AUTH_SERVER_UPSTREAM/auth;\n          proxy_pass_request_body    off;\n          proxy_pass_request_headers off;\n          proxy_set_header           X-Goog-IAP-JWT-Assertion $http_x_goog_iap_jwt_assertion;\n      }\n\n      location / {\n        auth_request /gcp-iap-auth;\n        proxy_pass   http://APP_SERVER_UPSTREAM;\n      }\n    }\n```\n\nPlease note:\n\n- Replace `AUTH_SERVER_UPSTREAM`, `AUTH_SERVER_ADDR`, and `AUTH_SERVER_PORT` with the data about your `gcp-iap-auth` server.\n- Replace `APP_SERVER_UPSTREAM`, `APP_SERVER_ADDR`, and `APP_SERVER_PORT` with the data about your own web app server.\n- Replace `APP_DOMAIN` with the domain(s) you set up in your GCP IAP settings.\n- `gcp-iap-auth` only needs to receive the original `X-Goog-IAP-JWT-Assertion` header sent by Google, so you can and you are advised to disable proxying the original request body and other headers. Not only it is unecessary you may leak information you may not want to.\n- Please adjust appropriately (you may want to use HTTPS instead of HTTP, multiple domains, etc.). This example is just provided for reference.\n\n## Using it with Docker\n\n[Docker images](https://hub.docker.com/r/imkira/gcp-iap-auth/) are provided for convenience.\n\n```shell\ndocker run --rm -e GCP_IAP_AUTH_AUDIENCES=YOUR_AUDIENCE imkira/gcp-iap-auth\n```\n\nFor advanced usage, please read the instructions inside.\n\n## Using it with Kubernetes\n\n### As a reverse proxy\n\nA simple way to use it with\n[kubernetes](https://github.com/kubernetes/kubernetes) and without any other\ndependencies is to run it as a reverse proxy that validates and forwards\nrequests to a backend server.\n\n```yaml\n      - name: gcp-iap-auth\n        image: imkira/gcp-iap-auth:0.0.5\n        env:\n        - name: GCP_IAP_AUTH_AUDIENCES\n          value: \"YOUR_AUDIENCE\"\n        - name: GCP_IAP_AUTH_LISTEN_PORT\n          value: \"1080\"\n        - name: GCP_IAP_AUTH_BACKEND\n          value: \"http://YOUR_BACKEND_SERVER\"\n        ports:\n        - name: proxy\n          containerPort: 1080\n        readinessProbe:\n          httpGet:\n            path: /healthz\n            scheme: HTTP\n            port: proxy\n          periodSeconds: 1\n          timeoutSeconds: 1\n          successThreshold: 1\n          failureThreshold: 10\n        livenessProbe:\n          httpGet:\n            path: /healthz\n            scheme: HTTP\n            port: proxy\n          timeoutSeconds: 5\n          initialDelaySeconds: 10\n```\n\n### With NGINX\n\nYou can use it with [kubernetes](https://github.com/kubernetes/kubernetes) in\ndifferent ways, but I personally recommend running it as a\n[sidecar container](http://blog.kubernetes.io/2015/06/the-distributed-system-toolkit-patterns.html) by adding it to, say, an existing NGINX container:\n\n```yaml\n      - name: nginx\n      # your nginx container should go here...\n      - name: gcp-iap-auth\n        image: imkira/gcp-iap-auth:0.0.5\n        env:\n        - name: GCP_IAP_AUTH_AUDIENCES\n          value: \"YOUR_AUDIENCE\"\n        - name: GCP_IAP_AUTH_LISTEN_PORT\n          value: \"1080\"\n        ports:\n        - name: auth\n          containerPort: 1080\n        readinessProbe:\n          httpGet:\n            path: /healthz\n            scheme: HTTP\n            port: auth\n          periodSeconds: 1\n          timeoutSeconds: 1\n          successThreshold: 1\n          failureThreshold: 10\n        livenessProbe:\n          httpGet:\n            path: /healthz\n            scheme: HTTP\n            port: auth\n          timeoutSeconds: 5\n          initialDelaySeconds: 10\n```\n\n### Notes\n\nTo use HTTPS just make sure:\n- You set up `GCP_IAP_AUTH_TLS_CERT=/path/to/tls_cert_file` and `GCP_IAP_AUTH_TLS_KEY=/path/to/tls_key_file` environment variables.\n- You set up volumes for [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) in kubernetes so it knows where to find them.\n- Change the scheme in readiness and liveness probes to `HTTPS`.\n- Adjust your nginx.conf as necessary to proxy pass the auth requests to gcp-iap-auth as HTTPS.\n\n## License\n\ngcp-iap-auth is licensed under the MIT license:\n\nwww.opensource.org/licenses/MIT\n\n## Copyright\n\nCopyright (c) 2017 Mario Freitas. See\n[LICENSE](https://github.com/imkira/gcp-iap-auth/blob/master/LICENSE.txt)\nfor further details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimkira%2Fgcp-iap-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimkira%2Fgcp-iap-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimkira%2Fgcp-iap-auth/lists"}