iap-jwt

Crates.io: iap-jwt
lib.rs: iap-jwt
version: 0.3.0
created_at: 2024-08-09 13:01:43.819867+00
updated_at: 2025-11-12 06:36:21.733745+00
description: Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs
repository: https://github.com/ryo33/iap-jwt
id: 1330844
size: 94,736
Ryo Hirayama (ryo33)

README

IAP JWT

Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs

Features

  • Validate and decode JWTs issued by Google IAP (https://cloud.google.com/iap/docs/signed-headers-howto)
  • Verify the JWT signature using Google's public keys, retrieved from the JWKS endpoint
  • Validate standard claims like exp, iat, aud, iss
  • Validate Google-specific claims like hd (hosted domain) and access levels
  • Injectable public key retrieval and caching for testability
  • Customizable validation options

Installation

cargo add iap-jwt

Two crypto backends are available via features, aws_lc_rs and rust_crypto (default), exactly one of which must be enabled.

To use aws_lc_rs instead:

cargo add iap-jwt --no-default-features --features reqwest,aws_lc_rs

Usage

use iap_jwt::ValidationConfig;

let token = "..."; // JWT token from IAP

// reqwest::Client implements iap_jwt::PublicKeySource when the `reqwest` feature is enabled (it is by default)
let client = reqwest::Client::new();

// The argument to `new` is the list of accepted audiences (`aud`) for this backend service
let config = ValidationConfig::new(["/projects/1234567890/global/backendServices/test-service-id"])
    .with_google_hosted_domain(["example.com"])
    .with_access_levels(["ADMIN"]);

// Must run inside an async context; `?` propagates any validation failure
let claims = config.decode_and_validate(token, &client).await?;

println!("Authenticated user: {}", claims.sub);
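
What the audience, hosted-domain and access-level settings above amount to once the signature is verified, shown as an added std-only example that is not the iap-jwt crate's implementation. Assumed here: the names `Claims`, `Reject`, `check` and `sample`, the 30-second skew allowance, and that every required access level must be present; the issuer value is the one Google documents for IAP.

```rust
// Added illustration (std only); not the iap-jwt crate's code. Assumes the
// ES256 signature was already verified against Google's JWKS.
const IAP_ISSUER: &str = "https://cloud.google.com/iap";
const SKEW_SECS: u64 = 30; // assumed clock-skew allowance

pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a str,
    pub iat: u64,
    pub exp: u64,
    pub hd: Option<&'a str>, // absent when the account has no hosted domain
    pub access_levels: Vec<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Reject { Issuer, Audience, IssuedInFuture, Expired, HostedDomain, AccessLevel }

pub fn check(c: &Claims<'_>, now: u64, auds: &[&str], domains: &[&str], levels: &[&str]) -> Result<(), Reject> {
    if c.iss != IAP_ISSUER { return Err(Reject::Issuer); }
    // Exact match only: a prefix or substring test would accept another backend's token.
    if !auds.contains(&c.aud) { return Err(Reject::Audience); }
    if c.iat > now.saturating_add(SKEW_SECS) { return Err(Reject::IssuedInFuture); }
    if c.exp.saturating_add(SKEW_SECS) < now { return Err(Reject::Expired); }
    // A token without `hd` must fail once any domain is required.
    if !domains.is_empty() && !c.hd.map_or(false, |hd| domains.contains(&hd)) {
        return Err(Reject::HostedDomain);
    }
    // Assumption of this example: every required level must be present.
    if !levels.iter().all(|l| c.access_levels.contains(l)) { return Err(Reject::AccessLevel); }
    Ok(())
}

// Constructed sample claims matching the values in the Usage snippet.
pub fn sample(now: u64) -> Claims<'static> {
    Claims {
        iss: IAP_ISSUER,
        aud: "/projects/1234567890/global/backendServices/test-service-id",
        iat: now - 10, exp: now + 590,
        hd: Some("example.com"),
        access_levels: vec!["ADMIN"],
    }
}

fn main() {
    let now = 1_700_000_000; // constructed timestamp
    let mut c = sample(now);
    let aud = [c.aud];
    println!("{:?}", check(&c, now, &aud, &["example.com"], &["ADMIN"]));
    c.hd = None; // same token without a hosted domain is rejected
    println!("{:?}", check(&c, now, &aud, &["example.com"], &["ADMIN"]));
}
```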

License

This project is licensed under either of the following licenses, at your option:

  • Apache-2.0
  • MIT