Lucas

Reputation: 853

Cloud IAP and three-legged OAuth

Assuming the following scenario:

User <> Cloud IAP <> App Engine App <> Google APIs

How can App Engine App access Google APIs on behalf of the authenticated user? (i.e., not using the App Engine App service account)

Cloud IAP transmits a JWT token to App Engine App, but I could not use it to access Google APIs resources (the user profile for example).

I could not find any relevant documentation for that scenario.

Upvotes: 0

Views: 151

Answers (1)

David

Reputation: 9721

Apps don't automatically get to call APIs on behalf of their users, even if it is behind Cloud IAP. Cloud IAP exists to control access to the apps, not grant apps permissions.

To allow apps to act on behalf of users, the app will have to do the OAuth 2.0 web server flow. Typically you will use a Google-provided OAuth2 library to do that flow (Python, Java, etc.) and then pass that credential into the client library you are using to make the actual API call.

Upvotes: 1
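The web server flow the answer refers to, written out as an added example (not code from the question, the answer, or Google's own libraries) using only the Python standard library so the protocol steps are visible. It uses Google's public authorization and token endpoints; the client ID, client secret, redirect URI, authorization code and token values are constructed placeholders, and the POST to the token endpoint is injected so the `demo()` walk-through runs offline against a fake endpoint. The flow binds the callback to the user's session with a `state` value and adds PKCE, which is what the Google-provided OAuth2 libraries do for you in production.

```python
"""OAuth 2.0 authorization-code (web server) flow with PKCE, standard library only.
Added example; not the question's, the answer's, or Google's library code."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Google's public OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def _pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id, redirect_uri, scopes):
    """Step 1: return (url, session_state). Redirect the browser to `url` and
    keep `session_state` in the user's server-side session for the callback."""
    state = secrets.token_urlsafe(32)          # binds the callback to this session (anti-CSRF)
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, 86 chars (43..128 allowed)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": _pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "access_type": "offline",  # request a refresh token so the app can act later
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), {"state": state, "code_verifier": code_verifier}


def _default_post(url, form):
    """Real token-endpoint POST (form-encoded), used when no stub is injected."""
    req = Request(url, data=urlencode(form).encode("ascii"),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def handle_callback(callback_url, session_state, client_id, client_secret, redirect_uri, post=_default_post):
    """Step 2: validate the redirect back from Google and exchange the code for tokens."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization denied: " + query["error"][0])
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state, session_state["state"]):
        raise ValueError("state mismatch: callback not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code_verifier": session_state["code_verifier"],  # proves we started this flow
    }
    token = post(TOKEN_ENDPOINT, form)
    if "access_token" not in token:
        raise RuntimeError("token endpoint returned no access token: " + json.dumps(token))
    return token  # access_token for API calls now; refresh_token to persist per user


def demo():
    """Offline walk-through against a constructed fake token endpoint."""
    client_id, client_secret = "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"
    redirect_uri = "https://app.example/oauth2callback"
    url, session_state = build_authorization_request(
        client_id, redirect_uri, ["openid", "https://www.googleapis.com/auth/userinfo.profile"])
    challenge = parse_qs(urlparse(url).query)["code_challenge"][0]

    def fake_post(endpoint, form):  # stands in for Google's token endpoint
        if endpoint != TOKEN_ENDPOINT or _pkce_challenge(form["code_verifier"]) != challenge:
            return {"error": "invalid_grant"}
        return {"access_token": "ya29.constructed", "refresh_token": "1//constructed",
                "expires_in": 3599, "token_type": "Bearer"}

    # Constructed callback as Google would redirect it, carrying our state and a code.
    callback = redirect_uri + "?" + urlencode({"state": session_state["state"], "code": "4/constructed-code"})
    return handle_callback(callback, session_state, client_id, client_secret, redirect_uri, post=fake_post)
```

The returned `refresh_token` is what the app persists, keyed to the user identity asserted by IAP, so later requests on that user's behalf do not need another consent round-trip; the IAP JWT itself only identifies the user to the app and is never accepted as a bearer token by Google APIs, which is why the question's attempt failed.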
