verify incoming id token for API backends
- Feb 06, 2024
Dr Rich Wareham authored
Rename the variable to _DEFAULT_EXPECTED_AUTHORISED_PARTIES which better reflects its actual meaning.
Dr Rich Wareham authored
Rather than having Django settings be strings which are parsed, have them be actual lists like they should be.
e431de6e
Dr Rich Wareham authored
Change the enforcement setting's semantics. Now the incoming token is *always* verified but only a warning is printed to the logs unless API_GATEWAY_AUTH_ENFORCE_IF_TOKEN_VERIFICATION is True.
5259d6f9
- Jan 30, 2024
Dr Rich Wareham authored
- Oct 17, 2023
Dr Rich Wareham authored
Dr Rich Wareham authored
67501bac
Dr Rich Wareham authored
Add verification for the Authorization header for incoming requests. The defaults are to verify that the request is appropriately authenticated with a Google service account corresponding to the API Gateway. Expected issuer, authorised parties, issuer certificate URLs, etc. can be customised via settings. This is unlikely to be used in production but is useful when combined with the API Gateway emulator for local development. Verification can be disabled entirely by setting an appropriately dire-named setting. Tests have been updated to exercise verification assuming that the Google verification library works as documented. Closes #4
e7255d7c