Add support for GCP IAP JIT account provisioning

[msukkari]

Adds custom auth provider that handles reading and validating GCP IAP headers, and then creates a user on success

Tested working in custom deployment on GCP

Summary by CodeRabbit

• New Features

  • Added support for authentication via Google Cloud Platform Identity-Aware Proxy (GCP IAP), enabling automatic account registration and login for eligible enterprise users.
  • Introduced a new sign-in flow and UI for GCP IAP authentication.
  • Added two new environment variables to configure GCP IAP authentication.

• Documentation

  • Updated authentication and environment variable documentation to include details on GCP IAP setup and configuration.

[coderabbitai]

Warning

Rate limit exceeded

@msukkari has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 10 minutes and 6 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between e792872 and a4edb3b.

📒 Files selected for processing (1)

• CHANGELOG.md (1 hunks)

Walkthrough

The changes introduce support for Google Cloud Platform Identity-Aware Proxy (GCP IAP) as an enterprise authentication provider. Documentation is updated to describe new environment variables and configuration steps. The web application adds a new authentication component and logic for GCP IAP, updates SSO provider handling, centralizes user creation logic, and adds the necessary dependency for Google authentication.

Changes

File(s)	Change Summary
docs/docs/configuration/auth/overview.mdx docs/docs/configuration/environment-variables.mdx	Added documentation for GCP IAP authentication, including setup instructions and new environment variables.
packages/web/package.json	Added "google-auth-library" dependency for GCP IAP JWT verification.
packages/web/src/app/[domain]/components/gcpIapAuth.tsx	Introduced GcpIapAuth React component to handle GCP IAP sign-in flow.
packages/web/src/app/[domain]/layout.tsx	Modified layout logic to use GcpIapAuth when GCP IAP SSO is enabled and configured.
packages/web/src/auth.ts	Migrated user creation logic to external utility; now imports onCreateUser from authUtils.
packages/web/src/ee/sso/sso.tsx	Added Credentials-based SSO provider for GCP IAP; updated logging in JIT provisioning handler.
packages/web/src/env.mjs	Added AUTH_EE_GCP_IAP_ENABLED and AUTH_EE_GCP_IAP_AUDIENCE to environment schema.
packages/web/src/lib/authUtils.ts	New utility: onCreateUser centralizes user provisioning logic for single-tenant environments.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant GCP_IAP
    participant WebApp
    participant NextAuth
    participant GoogleAuthLib
    participant Database

    User->>GCP_IAP: Access protected app URL
    GCP_IAP->>User: Redirect with JWT assertion
    User->>WebApp: Request with JWT assertion header
    WebApp->>NextAuth: Trigger signIn('gcp-iap')
    NextAuth->>GoogleAuthLib: Verify JWT assertion with audience
    GoogleAuthLib-->>NextAuth: Return user info if valid
    NextAuth->>Database: Lookup or create user
    Database-->>NextAuth: User record
    NextAuth->>WebApp: Session established
    WebApp->>User: Authenticated access granted

Loading

Poem

In clouds above, a bunny spies
New IAP magic in disguise!
With JWTs and SSO cheer,
GCP now logs you in here.
Docs are fresh, the code is neat—
A hoppy leap for login feat!
🐰✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

packages/web/src/app/[domain]/layout.tsx (1)

41-46: Consider extracting the authentication logic for better readability.

The nested conditionals are becoming complex. Consider extracting this logic into a separate function for better maintainability.

 if (!session) {
-    const ssoEntitlement = await hasEntitlement("sso");
-    if (ssoEntitlement && env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
-        return <GcpIapAuth callbackUrl={`/${domain}`} />;
-    } else {
-        redirect('/login');
-    }
+    const shouldUseGcpIap = await shouldUseGcpIapAuth();
+    if (shouldUseGcpIap) {
+        return <GcpIapAuth callbackUrl={`/${domain}`} />;
+    }
+    redirect('/login');
 }

Add this helper function at the top of the file:

async function shouldUseGcpIapAuth(): Promise<boolean> {
    if (!env.AUTH_EE_GCP_IAP_ENABLED || !env.AUTH_EE_GCP_IAP_AUDIENCE) {
        return false;
    }
    return await hasEntitlement("sso");
}

This approach:

• Improves readability by extracting the complex condition
• Short-circuits on env variables before making the potentially expensive hasEntitlement call
• Makes the authentication flow easier to understand and maintain

packages/web/src/lib/authUtils.ts (1)

83-83: Use consistent boolean environment variable parsing.

The string comparison === 'true' for boolean environment variables can be error-prone and inconsistent with other boolean env vars in the codebase.

Consider parsing this as a boolean in your environment configuration (env.mjs) similar to AUTH_EE_GCP_IAP_ENABLED, then use it directly:

-            if (env.AUTH_EE_ENABLE_JIT_PROVISIONING === 'true' && hasEntitlement("sso")) {
+            if (env.AUTH_EE_ENABLE_JIT_PROVISIONING && hasEntitlement("sso")) {

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d5c4486 and f2282dc.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (9)

• docs/docs/configuration/auth/overview.mdx (1 hunks)
• docs/docs/configuration/environment-variables.mdx (1 hunks)
• packages/web/package.json (1 hunks)
• packages/web/src/app/[domain]/components/gcpIapAuth.tsx (1 hunks)
• packages/web/src/app/[domain]/layout.tsx (2 hunks)
• packages/web/src/auth.ts (1 hunks)
• packages/web/src/ee/sso/sso.tsx (3 hunks)
• packages/web/src/env.mjs (1 hunks)
• packages/web/src/lib/authUtils.ts (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

packages/web/src/lib/authUtils.ts (6)

packages/logger/src/index.ts (1)

• createLogger (86-86)

packages/web/src/lib/constants.ts (2)

• SINGLE_TENANT_ORG_ID (31-31)
• SINGLE_TENANT_ORG_DOMAIN (32-32)

packages/web/src/features/entitlements/server.ts (1)

• hasEntitlement (71-74)

packages/web/src/ee/sso/sso.tsx (1)

• handleJITProvisioning (177-250)

packages/web/src/lib/serviceError.ts (1)

• ServiceErrorException (16-20)

packages/web/src/actions.ts (1)

• createAccountRequest (1451-1559)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build

🔇 Additional comments (7)

packages/web/package.json (1)

117-117:

✅ Verification successful

Dependency addition looks appropriate for GCP IAP integration.

The google-auth-library dependency is correctly added to support JWT verification for GCP IAP tokens.

Verify that the specified version is current and secure:

---

🌐 Web query:

What is the latest version of google-auth-library npm package and are there any known security vulnerabilities in version 9.15.1?

💡 Result:

As of June 4, 2025, the latest version of the google-auth-library npm package is 9.15.1, released approximately two months ago. (npmjs.com)

Regarding security vulnerabilities, Snyk's vulnerability database indicates that there are no direct vulnerabilities found in version 9.15.1 of the google-auth-library package. (security.snyk.io)

However, it's important to note that while the package itself may not have direct vulnerabilities, its dependencies could potentially introduce security risks. Therefore, it's advisable to regularly monitor the security status of all dependencies in your project and keep them updated to mitigate potential vulnerabilities.

Citations:

• 1: https://www.npmjs.com/package/google-auth-library?activeTab=versions&utm_source=openai
• 2: https://security.snyk.io/package/npm/google-auth-library?utm_source=openai

---

Approve google-auth-library dependency version

As of June 4, 2025, version 9.15.1 is the latest release and has no known direct security vulnerabilities (per npmjs.com and Snyk). It’s safe to proceed—continue to monitor transitive dependencies for any future risks.

• File: packages/web/package.json (line 117)

docs/docs/configuration/auth/overview.mdx (1)

83-92: Well-structured documentation for GCP IAP integration.

The documentation follows the established pattern for enterprise authentication providers and provides clear configuration guidance. The instruction for obtaining the JWT audience code via the IAP backend service menu is particularly helpful for users.

docs/docs/configuration/environment-variables.mdx (1)

54-55: Environment variable documentation is clear and consistent.

The new GCP IAP environment variables follow the established naming convention and provide clear descriptions. The boolean default for the enabled flag and the requirement for the audience variable are appropriately documented.

packages/web/src/env.mjs (1)

53-54: Environment variable schema correctly defined.

The schema validation for the new GCP IAP environment variables follows the established patterns and uses appropriate types. The boolean flag with default 'false' and optional string for the audience are correctly implemented.

packages/web/src/auth.ts (1)

8-18: LGTM! Clean refactoring of user creation logic.

The extraction of onCreateUser to a centralized utility module promotes code reuse and maintainability. The import organization is clean and follows the existing pattern.

packages/web/src/ee/sso/sso.tsx (2)

98-172: Well-implemented GCP IAP authentication provider!

The implementation follows security best practices:

• Proper JWT verification using Google's OAuth2Client
• Audience validation against configured value
• Issuer verification with expected cloud.google.com/iap
• Consistent user creation pattern with other SSO providers
• Comprehensive error handling and logging

The nullable fields (name, image) are handled appropriately with fallbacks and optional types.

---

215-215: Good improvement: Using structured logging.

Replacing console.warn with the structured logger is a best practice that improves log consistency and searchability.

[brendan-kellam]

LGTM