Authenticating Against an IAP Protected Resource with Bearer Header?

1
votes

Is it possible to use an Authorization: Bearer … header to make a request through Identity Aware Proxy to my protected application? (Using a service account, of course. From outside GCP.)

I would like to not perform the OIDC token exchange, is this supported?

If so, does anyone have any examples?

So far, I have the following but it doesn't work:

iat = time.time()
exp = iat + 3600
payload = {'iss': account['client_email'],
           'sub': account['client_email'],
           'aud': '/projects/NNNNN/apps/XXXXXXX',
           'iat': iat,
           'exp': exp}
additional_headers = {'kid': account['private_key']}
signed_jwt = jwt.encode(payload, account['private_key'], headers=additional_headers,
                       algorithm='RS256')

signed_jwt = signed_jwt.decode('utf-8')

This produces: Invalid IAP credentials: JWT signature is invalid.

1
pythongoogle-cloud-platformgoogle-iap
The Google OAuth Access Token does not contain identity information. You have to use an OIDC Identity Token to verify who is accessing the resource.John Hanley

1 Answers

2
votes

this is not currently supported. IAP is expecting a signature generated by the Google accounts infrastructure using its private key, so that's why the signature check is failing. Could you tell me more about why you'd like to avoid the OIDC token exchange? --Matthew, Google IAP Engineering