Handle updated JWT header sent by Google

[abstrctn]

Google is changing the header name containing the JWT from X-Goog-Authenticated-User-JWT to X-Goog-IAP-JWT-Assertion. According to a support email that doesn't appear to be online, the old header will no longer be sent as of November 15th, 2017.

The JWT sent in the new header also changes the value of aud within the token. It is no longer a URL, but one of two values depending on the type of app:

• App Engine: /projects/PROJECT_NUMBER/apps/PROJECT_ID
• Compute Engine and Container Engine: /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID

This PR changes the header to the new value, and treats the audience as a simple string that can be matched against, instead of a URL.

Maybe a better path to go down would be configuring the project id / number / service id as individual configuration parameters? Though I like the original flexibility of using regular expressions.

[erikgrinaker]

I suspect Google have now disabled the old header, since gcp-iap-auth suddenly stopped working for us today, giving the following error:

Failed to authenticate (Token was not found in the request headers)

I'm not able to build this PR (./config.go:102:54: cannot convert *aud (type "github.com/imkira/gcp-iap-auth/jwt".Audience) to type string), but I'll try to fix and test it.

[erikgrinaker]

Got it built, can confirm that this solves the issue. 👍

[tonglil]

Any updates @abstrctn / @imkira ?

[imkira]

@erikgrinaker thanks. Did you need anything to fix the PR or were you able to use it as is?

@abstrctn @tonglil and @erikgrinaker anyone interested in addressing my comments for the PR (creating another PR if necessary)?

[erikgrinaker]

@imkira We're running this PR as is, it seems to work fine. I could take a stab at fixing the issues you mentioned, but I'll be travelling for the next few weeks - maybe when I'm back.