verify incoming id token for API backends

Merged Dr Rich Wareham requested to merge issue-4-validate-gateway-token into main
  1. Feb 06, 2024
  2. Jan 30, 2024
  3. Oct 17, 2023
    • f39fa10c
    • feat: verify API Gateway id token in request · e7255d7c
      Dr Rich Wareham authored
      Add verification for the Authorization header for incoming requests. The
      defaults are to verify that the request is appropriately authenticated
      with a Google service account corresponding to the API Gateway.
      
      Expected issuer, authorised parties, issuer certificate URLs, etc can be
      customised via settings. This is unlikely to be used in production but
      is useful when combined with the API Gateway emulator for local
      development.
      
      Verification can be disabled entirely by setting an appropriately
      dire-named setting.
      
      Tests have been updated to exercise verification assuming that the
      Google verification library works as documented.
      
      Closes #4
      e7255d7c
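
The checks the commit message describes (Authorization header, issuer, authorised parties) sketched as an added example; this is not code from the merge request. Assumptions: all function and parameter names are hypothetical, "authorised parties" is taken to mean the token's `azp` claim, the audience and expiry checks are additions, signature verification is delegated to a caller-supplied function, and the sample claims are constructed.

```python
import time

class TokenRejected(Exception):
    """The Authorization header or its ID token failed a check."""

def bearer_token(header):
    # Accept exactly "Bearer <token>"; a missing or malformed header is rejected.
    parts = (header or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise TokenRejected("expected 'Bearer <token>'")
    return parts[1]

def verify_gateway_request(header, verify_signature, issuers, authorised_parties,
                           audience, now=None):
    """Return the token's claims, or raise TokenRejected.

    verify_signature(token) is assumed to check the JWT signature against the
    issuer's certificates and return the claims dict, raising ValueError on
    failure (for example a wrapper around a JWT library).
    """
    try:
        claims = verify_signature(bearer_token(header))
    except ValueError as exc:
        raise TokenRejected(f"signature check failed: {exc}") from exc
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or missing exp")
    if claims.get("iss") not in issuers:
        raise TokenRejected("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    # azp names the client the token was issued to: here, the gateway's account.
    if claims.get("azp") not in authorised_parties:
        raise TokenRejected("unauthorised party")
    return claims

# Constructed sample: a stand-in verifier and claims, not real tokens.
SAMPLE = {"iss": "https://accounts.google.com", "aud": "https://backend.example",
          "azp": "gateway-sa@example.iam.gserviceaccount.com", "exp": 2_000}

def fake_verify(token):
    if token != "signed-ok":
        raise ValueError("bad signature")
    return dict(SAMPLE)

if __name__ == "__main__":
    print(verify_gateway_request("Bearer signed-ok", fake_verify,
          {SAMPLE["iss"]}, {SAMPLE["azp"]}, SAMPLE["aud"], now=1_000))
```

A token that is validly signed by the expected issuer but minted for a different service account fails the `azp` check, which is what restricts callers to the gateway itself.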