@holysugar
Last active July 12, 2017 05:48
identity-aware proxy (IAP) trial code
require 'sinatra'
require 'jwt'
require 'json'
require 'openssl'
require 'open-uri'

# Fetch IAP's public keys (a JSON object mapping kid => PEM public key) once and cache them.
def get_iap_key(kid)
  @key_table ||= begin
    # URI.open rather than Kernel#open: the latter no longer opens URLs on Ruby 3.
    resp = URI.open('https://www.gstatic.com/iap/verify/public_key', &:read)
    JSON.parse(resp)
  end
  @key_table[kid]
end

get '/' do
  jwt = request.env['HTTP_X_GOOG_AUTHENTICATED_USER_JWT']
  url = 'https://example.com' # FIXME: must match the audience IAP puts in the token
  unless jwt
    return ''
  end

  # First pass: read the header only (no verification) to learn which key signed the token.
  _, unverified_header = JWT.decode(jwt, nil, false)
  kid = unverified_header['kid']
  key = get_iap_key(kid)
  halt 401, 'unknown key id' unless key # otherwise EC.new(nil) raises and the request 500s
  pubkey = OpenSSL::PKey::EC.new(key)

  # Second pass: verify the signature with the algorithm pinned to ES256, and check the audience.
  # Production code should also verify iss against 'https://cloud.google.com/iap'.
  payload, header = JWT.decode(jwt, pubkey, true, { verify_aud: true, algorithm: 'ES256', aud: url })
  p payload, header
  content_type 'text/plain'
  # Trial-only: echoes every request header back to the client.
  return <<-EOD
Verified Email: #{payload['email']}
Verified User ID: #{payload['sub']}
-- request.env --
#{request.env.map { |k, v| "#{k}: #{v}" }.join("\n")}
  EOD
end
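The gist leans on the jwt gem for the two-pass decode (read kid unverified, then verify with the matching key). The following is an added example, not part of holysugar's gist, that performs the same IAP assertion check with only Ruby's standard library so each step is visible: algorithm pinning, kid lookup in a key table, ES256 signature verification (converting the JOSE r||s signature to the DER form OpenSSL expects), and then aud, iss and exp checks. It also goes beyond the gist by rejecting a tampered payload and an unknown kid with distinct reasons. The signing key, the kid `demo-kid-1` and the audience string are constructed locally in place of the real keys served at https://www.gstatic.com/iap/verify/public_key; the issuer value is IAP's documented `https://cloud.google.com/iap`.

```ruby
require 'openssl'
require 'json'
require 'base64'

IAP_ISSUER = 'https://cloud.google.com/iap'

# --- constructed fixtures: stand-ins for IAP's real signing keys ---
SIGNING_KEY = OpenSSL::PKey::EC.generate('prime256v1') # P-256, as used by ES256
KEY_ID = 'demo-kid-1'                                  # hypothetical kid

# Export only the public half as PEM (API differs across openssl gem versions).
def public_pem(ec_key)
  return ec_key.public_to_pem if ec_key.respond_to?(:public_to_pem)
  pub = OpenSSL::PKey::EC.new(ec_key.group)
  pub.public_key = ec_key.public_key
  pub.to_pem
end

# Stand-in for JSON.parse of the public_key endpoint: { kid => PEM }.
KEY_TABLE = { KEY_ID => public_pem(SIGNING_KEY) }.freeze

def b64url(bytes)       = Base64.urlsafe_encode64(bytes, padding: false)
def b64url_decode(str)  = Base64.urlsafe_decode64(str)

# JOSE ES256 signatures are raw r||s (64 bytes); OpenSSL produces and consumes DER.
def der_to_jose(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2).rjust(32, "\0") }
  r + s
end

def jose_to_der(raw)
  raise ArgumentError, 'bad signature length' unless raw.bytesize == 64
  r, s = raw[0, 32], raw[32, 32]
  OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(r, 2)),
                               OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(s, 2))]).to_der
end

# Mint a token the way IAP would; only used here to build test input.
def mint_token(claims, key: SIGNING_KEY, kid: KEY_ID, alg: 'ES256')
  header = { alg: alg, typ: 'JWT', kid: kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = der_to_jose(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))
  "#{signing_input}.#{b64url(sig)}"
end

# Verify an IAP assertion. Returns [true, payload] or [false, reason].
# Order matters: pin alg and check the signature before trusting any claim.
def verify_iap_jwt(token, expected_aud:, key_table: KEY_TABLE, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed token'] unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return [false, "unexpected alg #{header['alg']}"] unless header['alg'] == 'ES256'
  pem = key_table[header['kid']]
  return [false, 'unknown kid'] unless pem
  pubkey = OpenSSL::PKey::EC.new(pem)
  der = jose_to_der(b64url_decode(parts[2]))
  signing_input = "#{parts[0]}.#{parts[1]}"
  return [false, 'bad signature'] unless pubkey.verify(OpenSSL::Digest.new('SHA256'), der, signing_input)
  payload = JSON.parse(b64url_decode(parts[1]))
  return [false, 'aud mismatch'] unless payload['aud'] == expected_aud
  return [false, 'iss mismatch'] unless payload['iss'] == IAP_ISSUER
  return [false, 'expired'] unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  [true, payload]
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError => e
  [false, "invalid token: #{e.class}"]
end

if __FILE__ == $PROGRAM_NAME
  aud = '/projects/123/global/backendServices/456' # constructed audience
  claims = { 'iss' => IAP_ISSUER, 'aud' => aud, 'sub' => 'accounts.google.com:1',
             'email' => 'user@example.com', 'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 300 }
  p verify_iap_jwt(mint_token(claims), expected_aud: aud)
  p verify_iap_jwt(mint_token(claims), expected_aud: '/projects/999/global/backendServices/1')
end
```

The key table is looked up by the unverified `kid` exactly as the gist does, but the header's `alg` is compared against the expected value before any key material is used, so a token claiming a different algorithm never reaches the verifier.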