1
votes

I've secured a Google App Engine Application behind Cloud IAP - the endpoint now requires Google Sign-in via the browser as expected and works fine once I've added the right permissions. However, when I try to use Postman / MS PowerApps OAuth2 authentication I get the following error: "Expected JWT to have 3 parts separated by a '.' but there are 2 parts."

Here are my Postman settings:

Grant Type: Authorization Code

Callback URL: Authed Callback URL (added to list in console)

Auth URL: https://accounts.google.com/o/oauth2/auth

Access Token URL: https://accounts.google.com/o/oauth2/token

Client ID: IAP-App-Engine-app ClientID

Client Secret: IAP-App-Engine-app Client Secret

Scope: openid email

Client Authentication: Send as Basic Auth Header

Is there a solution for Cloud IAP OAuth2?

Thanks,

2 Answers

1
votes

Google Cloud IAP requires an OAuth Identity Token. You are trying to use an OAuth Access Token.
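The difference between the two token types can be checked before a request is sent. The following is an added example, not part of the original answer or of any Google library: it classifies a bearer value by shape (a JWT has three dot-separated parts, which is what the error message counts) and compares the `aud` claim with the client ID you expect. `describe_bearer`, the sample client ID and both sample tokens are constructed for illustration, and the comparison assumes the expected audience is the IAP OAuth client ID.

```python
import base64
import json


def _decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def _encode_segment(obj):
    """Build a base64url segment; used only to construct the sample token below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def describe_bearer(token, expected_audience):
    """Classify a bearer credential by shape and audience.

    Diagnostic only: the signature is NOT verified here, so the result says
    what kind of token is being sent, not whether it is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jwt"  # e.g. an opaque access token
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed-jwt"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed-jwt"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return "jwt-audience-ok" if expected_audience in audiences else "jwt-wrong-audience"


# Constructed sample values, not real credentials.
SAMPLE_CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
SAMPLE_ACCESS_TOKEN = "ya29.constructed-opaque-value"  # one dot, so two parts
SAMPLE_ID_TOKEN = ".".join([
    _encode_segment({"alg": "RS256", "typ": "JWT"}),
    _encode_segment({"iss": "https://accounts.google.com",
                     "aud": SAMPLE_CLIENT_ID, "email": "user@example.com"}),
    "constructed-signature",
])

if __name__ == "__main__":
    for name, tok in [("access token", SAMPLE_ACCESS_TOKEN), ("ID token", SAMPLE_ID_TOKEN)]:
        print(name, "->", describe_bearer(tok, SAMPLE_CLIENT_ID))
```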

0
votes

I found the answer searching through the documentation for Identity Platform.

https://cloud.google.com/iap/docs/identity-howto

IAP also passes the user's identity to your backend service in the following HTTP headers. These headers should have the namespace prefix accounts.google.com.

If you change the Header Prefix from the default Bearer to accounts.google.com when requesting a token, the subsequent call to the IAP-secured resource will succeed.