I'm curious what is the "best practice" for authenticating against a RESTful API that is protected by Google IAP.
Allow me to break it down step by step to elucidate what I am trying to achieve:
- Go to my dev environment's URL: dev.blah.com. Here, I am prompted by IAP to log in. I log in. I now have access to my SPA.
- I am browsing my SPA. But! I'm unable to talk to my API, because it is ALSO protected by IAP.
I've read that I can do programmatic authentication in the documentation but I'm unsure if my particular use case is suited for programmatic authentication, or if it will even be SECURE.
So, am I correct in that I will have to implement a client-side programmatic-authentication workflow in order to access my API?
Or is there an alternative way to say "Once I'm authenticated to access THIS IAP-protected resource, I can log into these other resources as well." I cannot simply copy the token because it is HttpOnly and the cookie is restricted to my current domain.
Some additional information:
- My services are running in a Google Kubernetes Engine cluster and have automatically created load balancers based off of ingress objects I declare.
- Each IAP-protected environment gets its own OAuth credentials, and I configure the load balancers to use IAP using:
gcloud compute backend-services update [backend-service] --global --iap=enabled,oauth2-client-id=[the_id],oauth2-client-secret=[the_secret]