
Missing ISS and IAT validation of IAP tokens in idtoken.Validate #2422

Open
oliver-roer opened this issue Feb 18, 2024 · 1 comment
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue.

Comments

@oliver-roer

oliver-roer commented Feb 18, 2024

This is somewhat related to #2248 which also mentions the lack of validation of the iss claim.

GCP's Identity-Aware Proxy provides the following docs on how to secure your app using signed headers: https://cloud.google.com/iap/docs/signed-headers-howto

The docs detail how tokens should be validated, and provide Go example code that shows how to use the idtoken package to validate the token. However, looking closer at the idtoken code, and trying out the provided testing functionality (see this doc), it seems there's a bit of a misalignment between what the docs describe and what the idtoken package does.

In particular, the docs list the following requirements which are not fulfilled by the package:

  • We should allow for 30 seconds skew when validating the exp. The package does support this.
  • We should verify that iat is in the past, and allow for 30 seconds skew. The package does not check iat nor does it support such a skew.
  • iss must be https://cloud.google.com/iap. The package does not support such a check.

As someone who aims to follow the recommendations of the IAP docs, I'm wondering how I should proceed.
Is it reasonable to expect the idtoken package to address this in the near future, or should I look at other solutions in order to be compliant with the IAP recommendations?

@oliver-roer oliver-roer added priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue. labels Feb 18, 2024
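As an added example (not code from the issue or from the idtoken package), the three checks the IAP docs list above, applied on top of whatever idtoken.Validate returns. The `Payload` struct here is an assumed stand-in with the same `Issuer`, `Expires` and `IssuedAt` fields as `idtoken.Payload`; `checkIAPClaims`, `iapIssuer` and `clockSkew` are names chosen for this example, and the timestamps in `main` are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// iapIssuer is the iss value the IAP signed-header docs require.
const iapIssuer = "https://cloud.google.com/iap"

// clockSkew is the 30 second tolerance the IAP docs allow for exp and iat.
const clockSkew = 30 * time.Second

// Payload is an assumed local stand-in carrying the same fields as the
// idtoken.Payload returned by idtoken.Validate; in real code pass that value.
type Payload struct {
	Issuer   string
	Audience string
	Expires  int64 // exp, Unix seconds
	IssuedAt int64 // iat, Unix seconds
}

// checkIAPClaims enforces the rules from the IAP docs that the issue says
// idtoken.Validate does not cover: iss must be the IAP issuer, iat must not
// lie more than clockSkew in the future, and exp must not lie more than
// clockSkew in the past. now is injected so the check is deterministic.
func checkIAPClaims(p *Payload, now time.Time) error {
	if p.Issuer != iapIssuer {
		return fmt.Errorf("iss %q is not %q", p.Issuer, iapIssuer)
	}
	iat := time.Unix(p.IssuedAt, 0)
	if iat.After(now.Add(clockSkew)) {
		return fmt.Errorf("iat %v is in the future beyond %v skew", iat, clockSkew)
	}
	exp := time.Unix(p.Expires, 0)
	if exp.Before(now.Add(-clockSkew)) {
		return fmt.Errorf("exp %v has passed beyond %v skew", exp, clockSkew)
	}
	return nil
}

func main() {
	now := time.Unix(1_700_000_000, 0) // constructed reference time
	good := &Payload{Issuer: iapIssuer, IssuedAt: now.Unix() - 5, Expires: now.Unix() + 600}
	bad := &Payload{Issuer: "https://accounts.google.com", IssuedAt: now.Unix() + 120, Expires: now.Unix() + 600}
	fmt.Println("good:", checkIAPClaims(good, now)) // <nil>
	fmt.Println("bad:", checkIAPClaims(bad, now))   // iss error
}
```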
@codyoss
Member

codyoss commented Apr 24, 2024

We will look into this a little more. At least at the time of implementation this was following best practices, but we did realize more validation might be needed, hence why we returned the payload from that function as well. If we were to change this we would want to do it consistently across all the languages we support. Thanks for raising this.
