I am making an add-on (sidebar add-on to Google Calendar) and the add-on needs to call an API hosted behind a Google IAP (Identity-Aware Proxy). IAP requires an OpenID token, and the ID token needs to be granted from Google's OAuth2 service by using the audience parameter. I can get this working by including this oauth2 library; however, the user has to log in twice: first to the add-on, and second to the IAP service. Since both logins are to Google, and with the same user, it seems possible for them to only need to log in once. The ScriptApp service in Apps Script has a function getIdentityToken(), but that token doesn't work with IAP because it didn't use the audience parameter while generating the token. Does anyone know of a way to call IAP with a token derived from ScriptApp so that the user doesn't have to log in twice? Without direct access to the refresh token, I wouldn't be able to create an ID token with the audience parameter myself.
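As an added example (not code from the question or the answer), decoding the claims of an ID token shows why IAP rejects a token that was minted for a different audience: IAP only accepts a Google-signed ID token whose `aud` claim equals the IAP OAuth client ID. The token and both client IDs below are constructed placeholders, and the code inspects claims only; it performs no signature verification and must not be used to authenticate anything.

```javascript
// Constructed example: inspect ID-token claims to diagnose an IAP "audience"
// mismatch. No signature check is done here; IAP itself verifies the token.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the payload (second segment) of a compact JWS/JWT.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Return the reasons IAP would reject this token's claims, or [] if the
// issuer, audience and expiry look acceptable for the given IAP client ID.
function iapClaimProblems(idToken, iapClientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const c = decodeIdTokenClaims(idToken);
  const problems = [];
  const googleIssuers = ['https://accounts.google.com', 'accounts.google.com'];
  if (!googleIssuers.includes(c.iss)) problems.push(`iss ${JSON.stringify(c.iss)} is not Google`);
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(iapClientId)) problems.push(`aud ${JSON.stringify(c.aud)} is not the IAP client ID`);
  if (typeof c.exp !== 'number' || c.exp <= nowSeconds) problems.push('token is expired');
  return problems;
}

// Build a CONSTRUCTED, unsigned token with the given claims (placeholder signature).
function makeUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.placeholder-signature`;
}

// Placeholder client IDs (assumed values, not real ones).
const ADDON_CLIENT_ID = 'ADDON-CLIENT-ID.apps.googleusercontent.com';
const IAP_CLIENT_ID = 'IAP-CLIENT-ID.apps.googleusercontent.com';
const NOW = 1700000000;

// What ScriptApp.getIdentityToken() hands back: aud is the script's own client ID.
const scriptToken = makeUnsignedToken({ iss: 'https://accounts.google.com', aud: ADDON_CLIENT_ID, sub: '1', exp: NOW + 3600 });
// What the OAuth2 library obtains with the audience parameter set to the IAP client ID.
const iapToken = makeUnsignedToken({ iss: 'https://accounts.google.com', aud: IAP_CLIENT_ID, sub: '1', exp: NOW + 3600 });
```

Running `iapClaimProblems(scriptToken, IAP_CLIENT_ID, NOW)` reports the audience mismatch, while the token requested with the IAP audience reports none.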
1 Answer
0 votes
This is currently not possible. You, as a user, will have to undergo two different OAuth authentication flows in order to be able to use IAP within your application.
This is, as you properly described, due to the Add-on's current authentication flow (which does not allow you to include the "audience" parameter) and the inability to retrieve the refresh token from the current session.
If you are interested in the possibility of being able to include your IAP as part of the Add-on authentication flow, I suggest you submit a feature request to Google's Public Issue Tracker (https://issuetracker.google.com/issues).