boot-sandre/django-cloudrun-iap

Django Cloud Run IAP Authentication Middleware

This package provides a simple Django middleware to authenticate users via Google Cloud's Identity-Aware Proxy (IAP), specifically tailored for Cloud Run deployments.

Installation

pip install -e git+https://github.com/boot-sandre/django-cloudrun-iap.git#egg=django-cloudrun-iap

Or, once the package has been published to the PyPI registry:

pip install django-cloudrun-iap

Configuration

To integrate cloudrun_iap_auth into your Django project, follow these steps to modify your settings.py file.

1. Add to INSTALLED_APPS

First, add cloudrun_iap_auth to your INSTALLED_APPS list to register the application with your project.

# settings.py
INSTALLED_APPS = [
    # ... other apps
    'cloudrun_iap_auth',
]

2. Add Middleware

Next, insert the IAP middleware into your MIDDLEWARE list. It is crucial to place it immediately after Django's built-in AuthenticationMiddleware.

# settings.py
MIDDLEWARE = [
    # ... other middlewares
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'cloudrun_iap_auth.middlewares.IAPAuthenticationMiddleware',
    # ... other middlewares
]

3. Configure IAP Settings

Finally, add the following configuration variables to your settings.py file.

# settings.py

# Toggle the IAP middleware. Set to False to disable IAP authentication.
IAP_ENABLED = True

# The audience claim for your IAP-secured resource. This value can be found
# in your Google Cloud Console under the IAP settings for your resource.
# Format: /projects/$PROJECT_NUMBER/locations/$REGION/services/$SERVICE
IAP_EXPECTED_AUDIENCE = '/projects/123456789123/locations/europe-west1/services/myawesomedjango'

# (Optional) Restrict logins to a specific Google Workspace or Cloud Identity domain.
# Accepts a string, a list of domains, or a tuple.
IAP_EMAIL_DOMAIN = ["emencia.com", "velops.eu"]

# URL paths exempt from IAP authentication (for example health checks).
IAP_EXEMPT_URLS = [
    "/api/healthcheck/",
    "/status/"
]

Usage

The middleware checks for the presence of specific headers provided by Google Cloud IAP. It then validates the JWT to ensure the request is legitimate and comes from a trusted source. Finally, it matches the user's email to a Django user account and logs them in.
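
The flow described above, as an added sketch that is not this package's own code. The function names are hypothetical; the header name, certificate URL and issuer are the values Google documents for IAP, and `verify_signature` assumes the `google-auth` package and network access.

```python
META_KEY = "HTTP_X_GOOG_IAP_JWT_ASSERTION"  # Django's name for X-Goog-IAP-JWT-Assertion
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
IAP_ISSUER = "https://cloud.google.com/iap"


def verify_signature(token, audience):
    """Check signature, expiry and audience with google-auth (needs network)."""
    from google.auth.transport import requests  # lazy import: only used here
    from google.oauth2 import id_token
    return id_token.verify_token(
        token, requests.Request(), audience=audience, certs_url=IAP_CERTS_URL)


def normalize_domains(setting):
    """Accept a string, list or tuple, as IAP_EMAIL_DOMAIN does; empty = no limit."""
    if not setting:
        return None
    if isinstance(setting, str):
        setting = [setting]
    return {d.strip().lower() for d in setting}


def check_claims(claims, audience, email_domains=None):
    """Return the lower-cased email if the verified claims are acceptable."""
    if claims.get("iss") != IAP_ISSUER or claims.get("aud") != audience:
        return None
    email = (claims.get("email") or "").strip().lower()
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain):
        return None
    allowed = normalize_domains(email_domains)
    # Compare the whole domain part; a suffix test would also match look-alikes.
    if allowed is not None and domain not in allowed:
        return None
    return email


def authenticate(meta, audience, email_domains=None, verify=verify_signature):
    """Return the authenticated email for a request's META dict, else None."""
    token = meta.get(META_KEY)
    if not token:
        return None  # header absent: treat the request as unauthenticated
    try:
        claims = verify(token, audience)
    except ValueError:  # google-auth raises ValueError for invalid tokens
        return None
    return check_claims(claims, audience, email_domains)
```

The `verify` parameter exists so the claim checks can be exercised with constructed claims, without contacting Google.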

About

Django middleware for Google Cloud Run service IAP authentication.
