fedmest

Reputation: 719

Forwarding OAuth 2 credentials from an authenticated request (in GCP specifically)

I have an AppEngine application that is behind an IAP (identity-aware proxy), so it receives requests that are authenticated and include a JWT token. From the AppEngine application I want to make a request to the Google Sheets API. That also requires an authenticated connection, but given that I want that connection to be made under the same user that accessed the application via the IAP, does anyone know how to create a request from inside the AppEngine application that will forward the token to Google Sheets? Cannot find any information on the subject... I am using Java, so any Java pointers would be appreciated, but general/other language help is good too.

Upvotes: 0

Views: 503

Answers (1)

guillaume blaquiere

Reputation: 75940

I will describe the 2 approaches proposed in the comment.

  1. The first one, to reuse the IAP proxy token to access Google Sheet, is impossible, and dangerous.
  • Impossible because you receive an identity token from IAP (at least the requester/browser sends an identity token to IAP) and you need an access token to request the Sheet APIs.
  • Dangerous because, if you are able to reuse the IAP token to request the Google Sheet, that means the user is authorized to access the Google Sheet. And I'm sure that you built an app to prevent any direct access/modification to the Google Sheet.
  2. The second one is to use a technical account (typically a service account) and generate an access token to access the Sheet API.

This second approach is the best one (don't forget to correctly log the user request and the subsequent Sheet API calls in your AppEngine app to have end-to-end traceability). BUT, and that's why you ask this question, it's impossible with the App Engine default service account.

In fact, to access the Sheet API, you need to scope your access token with the Sheet API. Sadly, you can't do this with App Engine. You can do this with Cloud Run, Cloud Functions and Compute Engine (without the default service account; otherwise you need an extra config to achieve this with the Compute Engine default service account). But not with App Engine.

So, you have 2 solutions:

  1. Either you use another hosting platform (Cloud Run for example), but you lose the IAP capability (for now)
  2. You continue to use App Engine, but you need to request an access token for another service account (a service account key file is not required). You can use the Service Account Credentials API for this. I wrote an article on this API

Note: later in 2021, App Engine should be able to accept custom service accounts, and thus the issue should be solved

Upvotes: 1
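As an added example (not code from the question or the answer), here is the second solution in Java: the App Engine default service account uses google-auth-library's `ImpersonatedCredentials`, which calls the Service Account Credentials API (`generateAccessToken`) under the hood, to mint a Sheets-scoped access token for a dedicated service account, and the IAP-asserted user is logged for traceability instead of having their token forwarded. The service account name, the spreadsheet id and the caller reading the `X-Goog-Authenticated-User-Email` header are assumptions; the default service account is assumed to hold `roles/iam.serviceAccountTokenCreator` on the target account.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.services.sheets.v4.Sheets;
import com.google.api.services.sheets.v4.SheetsScopes;
import com.google.api.services.sheets.v4.model.ValueRange;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;

public class SheetsViaImpersonation {
  private static final Logger LOG = Logger.getLogger(SheetsViaImpersonation.class.getName());

  // Hypothetical dedicated service account that the sheet is shared with.
  // The App Engine default SA needs roles/iam.serviceAccountTokenCreator on it.
  private static final String SHEETS_SA = "sheets-reader@YOUR_PROJECT.iam.gserviceaccount.com";

  /** Builds a Sheets client whose access token is minted for SHEETS_SA through the
   *  Service Account Credentials API, scoped to the Sheets API only. No key file. */
  static Sheets buildSheetsClient() throws IOException, GeneralSecurityException {
    // Source credentials: the App Engine default SA, via Application Default Credentials.
    GoogleCredentials source = GoogleCredentials.getApplicationDefault();
    GoogleCredentials impersonated = ImpersonatedCredentials.create(
        source, SHEETS_SA, Collections.emptyList(),
        Collections.singletonList(SheetsScopes.SPREADSHEETS_READONLY),
        3600); // token lifetime in seconds
    return new Sheets.Builder(GoogleNetHttpTransport.newTrustedTransport(),
        GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(impersonated))
        .setApplicationName("iap-sheets-demo").build();
  }

  /** Reads a range on behalf of the IAP-authenticated user. The user's identity
   *  (assumed taken from the X-Goog-Authenticated-User-Email header by the caller)
   *  is only logged; the IAP identity token is never sent to the Sheets API. */
  static List<List<Object>> readRange(String iapUserEmail, String spreadsheetId, String range)
      throws IOException, GeneralSecurityException {
    LOG.info(String.format("IAP user %s requested %s!%s", iapUserEmail, spreadsheetId, range));
    ValueRange result = buildSheetsClient().spreadsheets().values()
        .get(spreadsheetId, range).execute();
    return result.getValues();
  }
}
```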
