Reputation: 1331
Generating a JWT for calling API after logging in with Identity Aware Proxy
I have 2 apps deployed to Cloud Run, the first is Nginx serving up a React app and the other is a FastAPI API, with Identity Aware Proxy on both of the load balancers set up to check against Identity Platform.
We have an Authentication URL running gcr.io/gcip-iap/authui which I understand to be this bit of the iap-gcip-web-toolkit project.
I can generate a valid JWT to use on the backend LB with
signInWithEmailAndPassword(auth, "[email protected]", "SomePassword")
.then((userCredential) => {
const user = userCredential.user;
user.getIdToken().then((token) => {
console.log(token)
})
})
But that is side-stepping the fact I'm already authed and logging in again.
How can I get a user (so I can call getIdToken) given that I'm logged in already? (I see GCP_IAP_UID and __Host-GCP_IAP_AUTH_TOKEN_XXXXXXXXXX in my cookies and can load the JS/HTML for the React app)
Upvotes: 2
Views: 183
Answers (2)
Reputation: 1564
Assuming you have something like this implemented and still cannot receive the user, hence the token:
onAuthStateChanged(auth, (user) => {
if (user) {
// User is signed in, retrieve the ID token
user.getIdToken().then((token) => {
console.log("ID Token:", token);
// Use the token as needed
}).catch((error) => {
console.error("Error retrieving ID token:", error);
});
} else {
// No user is signed in, handle accordingly
console.log("No user signed in");
}
});
As a workaround, I believe you can re-authenticate automatically to grab a user right after using your existing token in a cookie:
import { getAuth, signInWithCredential, GoogleAuthProvider } from "firebase/auth";
const auth = getAuth();
const token = getCookie('__Host-GCP_IAP_AUTH_TOKEN_XXXXXXXXXX'); // Retrieve the token from the cookie
if (token) {
const credential = GoogleAuthProvider.credential(token);
signInWithCredential(auth, credential)
.then((userCredential) => {
const user = userCredential.user;
console.log("User reauthenticated:", user);
return user.getIdToken();
})
.then((idToken) => {
console.log("ID Token:", idToken);
})
.catch((error) => {
console.error("Error reauthenticating:", error);
});
} else {
console.error("IAP token not found");
}
Upvotes: 0
Reputation: 92
You don’t need to call signInWithEmailAndPassword again if you’re already authenticated. Firebase should automatically manage the session for you. You can check if the user is logged in by using auth.currentUser, and then call getIdToken() directly.
const auth = getAuth();
const user = auth.currentUser;
if (user) {
user.getIdToken().then((token) => {
console.log(token); // Use this token for your backend requests
});
} else {
console.log("User not authenticated");
}
If auth.currentUser is null, make sure Firebase is initialized correctly and check if the session is being persisted. Hope this works for you.
Upvotes: 0
Related Questions
- Google Cloud Identity Aware Proxy (IAP) Force logout
- How to use Google Identity Aware Proxy Sign In with allUser and Workspace access allowed?
- Getting Users API access in nodejs AppEngine environment with Identity Aware Proxy
- GCP - Identity Aware Proxy - How to Retrieve OAuth 2.0 Credentials?
- How to protect Google Cloud Functions with Identity-Aware-Proxy
- Using Salesforce Named Credentials Against Google IAP
- Replacing Google Sign-In for Websites with Cloud Identity-Aware Proxy