Displays GCP Identity-Aware Proxy headers and JWT for inspection.
iapheaders is a web application that allows you to inspect request headers for testing and understanding GCP's Identity-Aware Proxy (IAP).
The latest iapheaders Docker image is available for deployment from GitHub Packages at ghcr.io/unitvectory-labs/iapheaders.
The application is configurable through environment variables. Below are the available configurations:
HIDE_SIGNATURE: If enabled, the signature of the JWT from IAP is removed (not displayed); the signature component of the JWT is replaced withSIGNATURE_REMOVED_BY_IAPHEADERS(default: false).PORT: The port on which the server listens (default: 8080).
IAP sets the following headers:
x-goog-authenticated-user-email: Authenticated user's email address.x-goog-authenticated-user-id: Unique identifier of the authenticated user.x-goog-iap-jwt-assertion: JWT token for user identity verification.
iapheaders displays these headers and decodes the JWT token to show its contents. The JWT, signed by Google, can be verified using the public key from https://www.gstatic.com/iap/verify/public_key-jwk. iapheaders checks the signature and indicates the JWT's validity.
- JWK caching is not implemented, and the public key is fetched from Google's servers for each request.