https://github.com/realkinetic/gcp-spring-oidc
Spring RestTemplate interceptor which can make authenticated requests to GCP Identity-Aware Proxy using a service account
authentication gcp gcp-iap oauth2 oidc openid-connect resttemplate spring
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/realkinetic/gcp-spring-oidc
- Owner: RealKinetic
- License: apache-2.0
- Created: 2019-01-15T06:53:07.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2019-04-24T02:22:16.000Z (over 6 years ago)
- Last Synced: 2025-08-08T15:57:04.107Z (2 months ago)
- Topics: authentication, gcp, gcp-iap, oauth2, oidc, openid-connect, resttemplate, spring
- Language: Java
- Homepage:
- Size: 12.7 KB
- Stars: 4
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# gcp-spring-oidc
This contains a Spring `RestTemplate` interceptor which can make HTTP requests to Google
OIDC-authenticated resources using a service account. For example, this can be used to
make requests to resources behind an [Identity-Aware Proxy (IAP)](https://cloud.google.com/iap).

This works by generating a JWT with an additional `target_audience` claim set to the
OAuth2 client ID. The JWT is signed using the GCP service account credentials and is
then exchanged for a Google-signed OIDC token for the client ID specified in the JWT
claims. Authenticated requests are made by setting the token in the `Authorization: Bearer`
header. This token has roughly a 1-hour expiration and is renewed transparently by the
interceptor.

More information on the implementation flow can be found in the
[GCP documentation](https://cloud.google.com/iap/docs/authentication-howto) for IAP.

## Usage
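It is recommended to use a singleton instance of `GCPAuthenticationInterceptor` since it
will cache the OIDC token used for authentication and only renew it once the token has
expired.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.util.CollectionUtils;
import org.springframework.web.client.RestTemplate;

// OAuth2 client ID of the IAP-protected resource
private static final String CLIENT_ID = ".apps.googleusercontent.com";
private RestTemplate restTemplate;

// Lazily builds one shared RestTemplate so the interceptor's cached token is reused.
private synchronized RestTemplate restTemplate() throws IOException {
    if (restTemplate != null) {
        return restTemplate;
    }
    restTemplate = new RestTemplate();
    List<ClientHttpRequestInterceptor> interceptors = restTemplate.getInterceptors();
    if (CollectionUtils.isEmpty(interceptors)) {
        interceptors = new ArrayList<>();
    }
    interceptors.add(new GCPAuthenticationInterceptor(CLIENT_ID));
    restTemplate.setInterceptors(interceptors);
    return restTemplate;
}
```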
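The first step of the flow described at the top of this README, the service-account-signed JWT carrying `target_audience`, shown as an added example that is not code from this repository. It uses only the JDK; the class name, `buildAssertion`, the throwaway RSA key, the key ID and both identities are constructed stand-ins, and the token endpoint URL is taken from Google's OAuth2 documentation rather than from this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;

public class IapAssertionExample {
    // Google's OAuth2 token endpoint; it is also the "aud" of the self-signed assertion.
    static final String TOKEN_URI = "https://www.googleapis.com/oauth2/v4/token";

    static String b64url(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }

    // Builds the RS256 JWT signed by the service account, target_audience = IAP client ID.
    static String buildAssertion(String saEmail, String keyId, String iapClientId,
                                 PrivateKey key, Instant now) throws Exception {
        String header = String.format("{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"%s\"}", keyId);
        String claims = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\","
                + "\"target_audience\":\"%s\",\"iat\":%d,\"exp\":%d}",
            saEmail, saEmail, TOKEN_URI, iapClientId,
            now.getEpochSecond(), now.plusSeconds(3600).getEpochSecond());
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
            + b64url(claims.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64url(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a throwaway key and placeholder identities, not real credentials.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate();
        String assertion = buildAssertion("sa@example-project.iam.gserviceaccount.com",
            "example-key-id", "EXAMPLE_CLIENT_ID.apps.googleusercontent.com",
            key, Instant.now());

        // Form body POSTed to TOKEN_URI; the response's id_token is the Google-signed OIDC token.
        String form = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
            + "&assertion=" + assertion;
        System.out.println(form);
        // Requests to the IAP-protected resource then carry: Authorization: Bearer <id_token>
    }
}
```

A real caller loads the private key from the service account credentials instead of generating one, and caches the returned token until shortly before its expiry, which is the role the README gives the singleton interceptor.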