Validates IAP-issued JWTs, for use with nginx auth_request.

Usage of ./iap-token-validator:
  -audience string
        the JWT audience
  -listen string
        listen address (default ":8080")
  -skew int
        the acceptable skew in seconds
        enable verbose logging


Because https://github.com/imkira/gcp-iap-auth is no longer maintained, uses old libraries with known security flaws, doesn’t handle updates to the key set properly, doesn’t allow for clock skew tolerance, and seems a bit complicated for the dead simple task it has to do (in our case).
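The claim checks that the -audience and -skew flags imply, as an added example (this is not the project's own code). It assumes the token's ES256 signature has already been verified against Google's published IAP keys; the function name, error names, clock value and audience string are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap" // issuer Google documents for IAP JWTs

var (
	ErrIssuer   = errors.New("unexpected issuer")
	ErrAudience = errors.New("audience mismatch")
	ErrNotYet   = errors.New("issued in the future")
	ErrExpired  = errors.New("token expired")
)

// checkClaims validates the decoded payload of a JWT whose signature the caller
// has ALREADY verified (assumption). skew widens both ends of the validity window.
func checkClaims(payload []byte, audience string, skew time.Duration, now time.Time) error {
	var c struct {
		Iss string `json:"iss"`
		Aud string `json:"aud"`
		Iat int64  `json:"iat"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case c.Iss != iapIssuer:
		return ErrIssuer
	case audience == "" || c.Aud != audience: // an unset audience must never match
		return ErrAudience
	case time.Unix(c.Iat, 0).After(now.Add(skew)): // issuer clock ahead of ours
		return ErrNotYet
	case !time.Unix(c.Exp, 0).After(now.Add(-skew)): // our clock ahead of the issuer's
		return ErrExpired
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0)                   // constructed clock
	aud := "/projects/123/global/backendServices/456" // constructed audience
	// Constructed payload that expired 10 s before "now".
	p := []byte(`{"iss":"` + iapIssuer + `","aud":"` + aud + `","iat":1699999400,"exp":1699999990}`)
	fmt.Println(checkClaims(p, aud, 0, now), checkClaims(p, aud, 15*time.Second, now))
}
```

With a skew of 0 the sample token is rejected as expired; with 15 seconds, the value used in the docker example, it is accepted.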

Usage (docker)



docker pull ghcr.io/gammadia/iap-token-validator:$TAG
docker rm -f iap-token-validator
docker run -d --name iap-token-validator --restart=unless-stopped \
  -p \
  ghcr.io/gammadia/iap-token-validator:$TAG \
    -audience /projects/.../global/backendServices/... \
    -skew 15 \
    -listen :80

Nginx configuration

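server {
    listen 443 ssl http2;
    # Every request triggers a subrequest; nginx allows it on a 2xx response
    # and denies it on 401 or 403.
    auth_request /iap-token-validator;

    location = /iap-token-validator {
        proxy_pass        ;
        # Forward only the IAP assertion header, without the body or other client headers.
        proxy_pass_request_body     off;
        proxy_pass_request_headers  off;
        proxy_set_header            X-Goog-IAP-JWT-Assertion $http_x_goog_iap_jwt_assertion;
    }
}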

