This is somewhat related to #2248 which also mentions the lack of validation of the iss claim.

GCP's Identity-Aware Proxy provides the following docs on how to secure your app using signed headers: https://cloud.google.com/iap/docs/signed-headers-howto

The docs detail how tokens should be validated, and provide Go example code that show how to use the idtoken package to validate the token. However, looking closer at the idtoken code, and trying out the provided testing functionality (see this doc, it seems there's a bit of a misalignment between what the docs describe and what the idtoken package does.

In particular, the docs list the following requirements which are not fulfilled by the package:

• We should allow for 30 seconds skew when validating the exp. The package does support this.
• We should verify that iat is in the past, and allow for 30 seconds skew. The package does not check iat nor does it support such a skew.
• iss must be https://cloud.google.com/iap. The package does not support such a check.

As someone who aims to follow the recommendations of the IAP docs, I'm wondering how I should proceed.
Is it reasonable to expect the idtoken package to address this in the near future, or should I look at other solutions in order to be compliant with the IAP recommendations?