search

imkira / gcp-iap-auth

A simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Cloud IAP (Identity-Aware Proxy)
MIT License
87 stars 31 forks source link

No public key #10

Open RadekDvorak opened 5 years ago

RadekDvorak commented 5 years ago

Hi,

my instance of gcp-iap-proxy stopped working. All authentications failed and log was full of Failed to authenticate "user@domain.tld" (No public key for "2nMJtw"). Restart solved the issue.

I guess that public keys are loaded once when process starts. If Google changes them, restart is necessary.

filip-sc commented 5 years ago

Hi RadekDvorak, as far as I understood it is up to you where you want to place the fetchPublic keys method. If you don't place it in the init() of your app but instead for example in the http handler you will solve this issue. This way you will fetch the keys every time a request comes in (to minimise traffic caching could be an option but not necessary)

RadekDvorak commented 5 years ago

Hi filip-sc,

thank you for the advice. However I do not have my app, I am not a go developer, I use gcp-iap-auth to validate signatures with nginx. Even if this issue is left open, at least it serves as an warning for people using the proxy the way I do.

mellowplace commented 4 years ago

Can confirm, you just saved me a lot of time :-)

imkira commented 3 years ago

Sorry for the delay @RadekDvorak . I think the one possible approach here is to periodically reload whatever public keys were supplied (from file or URL).

@RadekDvorak Just for my reference how much time does it take from startup to error?

RadekDvorak commented 3 years ago

Hi @imkira ,

I recall the issue happened once a month on average. I left the project, I can not get the exact numbers anymore.

gfrankliu commented 3 years ago

Based on the discussion here, the key expiration may be infrequent, but IAP engineer suggested refresh the keyfile on lookup failure approach. This shouldn't be a significant source of load compared to doing it on every HTTP request as suggested by @filip-sc above. It will also be much more reliable than only doing it in init().

gfrankliu commented 1 year ago

Can we get this merged?

gfrankliu commented 1 year ago

Looks like @imkira 's suggestion of reloading periodically is a better idea. 

curl -I https://www.gstatic.com/iap/verify/public_key-jwk
HTTP/2 200 
accept-ranges: bytes
content-security-policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cloud-gatekeeper-team
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="cloud-gatekeeper-team"
report-to: {"group":"cloud-gatekeeper-team","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cloud-gatekeeper-team"}]}
content-length: 1352
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Fri, 28 Jul 2023 16:33:46 GMT
expires: Fri, 28 Jul 2023 17:23:46 GMT
cache-control: public, max-age=3000
last-modified: Fri, 28 Jul 2023 13:40:55 GMT
content-type: application/json
vary: Accept-Encoding
age: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

The expires and cache-control response headers indicate the key should only be cached for 50min.