More generic Authorization Code flow

Remove the hard dependency to the google cloud IAM and use the generic
OAuth2 Authorization Code Flow.
Configuration now happens completely through ENV variables.

Also removed the check if the user is still in the organization, because
it's not part of the oauth2 standard.
although it is a valid check and should be considered in the future.

.gitignore

@@ -4,3 +4,4 @@
 .secrets/
 .vertx/
 build/
+.env

Dockerfile

@@ -18,7 +18,7 @@ ENV AUTH_CACHE_TTL "300"
 ENV BIND_PORT "8080"
 ENV CLIENT_ID "REPLACE_ME"
 ENV CLIENT_SECRET "REPLACE_ME"
-ENV CLOUD_IAM_AUTH_ENABLED "false"
+ENV CLOUD_IAM_AUTH_ENABLED "true"
 ENV JWT_REQUIRES_MEMBERSHIP_VERIFICATION "true"
 ENV KEYSTORE_PATH "keystore.jceks"
 ENV KEYSTORE_PASS "safe#passw0rd!"

build.gradle

@@ -2,6 +2,7 @@ plugins {
     id 'java'
     id 'application'
     id 'com.github.johnrengelman.shadow' version '2.0.1'
+    id "com.diffplug.gradle.spotless" version "3.29.0"
 }
 
 group 'com.travelaudience.nexus'

src/main/java/com/travelaudience/nexus/proxy/AccessToken.java

@@ -0,0 +1,21 @@
+package com.travelaudience.nexus.proxy;
+
+import com.google.api.client.json.jackson2.*;
+import com.google.api.client.json.webtoken.*;
+import java.io.*;
+
+public class AccessToken {
+    private final String rawToken;
+
+    public AccessToken(String token) {
+        rawToken = token;
+    }
+
+    public String principal() throws IOException {
+        JsonWebSignature jws = JsonWebSignature
+                .parser(JacksonFactory.getDefaultInstance())
+                .setPayloadClass(PayloadWithEmail.class)
+                .parse(rawToken);
+        return ((PayloadWithEmail) jws.getPayload()).getEmail();
+    }
+}