2
votes

I use Google OAuth to sign in my Web Application which was created as a project in Google Cloud Platform i.e. Project1.

I have a user with a custom role in this project. After I log in with my Google account, I'm able to get userinfo using Google_Client (PHP library - google/apiclient). However, I'm having a hard time figuring out how to get the custom role for the logged-in user. I tried using Google_Service_iam but get `Uncaught Google_Service_Exception: 404 Not Found`.

Is this a correct way of building a role-based control web app utilizing Google IAM?

Comments:

Is this a correct way of building a role-based control web app utilizing Google IAM? I am skeptical. – DaImTo

Well, my plan is setting up a GCP project for a web app, then using iam-policy-binding with roles to that project. So when a user logs in, the web app will check the role and limit resources in that web app based on the user's role. – Osh Mansor

If you grant the users Google Cloud permissions, your application will be restricted, possibly requiring a security audit to be approved. I do not recommend requesting GCP scopes when authorizing your clients to your backend. Your backend can use a service account and make requests on behalf of your clients/users. – John Hanley

2 Answers

4
votes

Although it would be somehow possible by building it yourself, I would not directly use IAM as an authentication provider. Instead, use the Identity Platform or something like Auth0 or Okta. Myself, I prefer Firebase Authentication, which integrates easily with all popular languages and frameworks.

IAM is meant to authorize users within GCP, and not in a custom web app. In your setup, you would have to add every future user to G Suite and IAM, which is very costly and not designed for this purpose.

1
votes

I would recommend taking a look at the Authentication Strategies for application developers.

Since you need to grant access to Google Cloud APIs on behalf of an end user, you may use the OAuth 2.0 protocol. The application initiates an OAuth consent flow where your application will receive the user's credentials. With these credentials, it can call Google Cloud APIs on behalf of the user.

Another solution, as Nebulastic also suggested, is the Cloud Identity Platform, where you can configure custom claims to restrict a user's access to a resource depending on their role.
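The custom-claims approach from the answers, shown as an added example (not code from the question or either answer) in the asker's language, PHP. It assumes the kreait/firebase-php Admin SDK (v6-style API) and a service-account key file at a placeholder path; the role-to-permission map and the `role` claim name are this example's own choices, and the role is only ever set server-side with the service account, as the comments recommend.

```php
<?php
// Added example: role-based authorization with Identity Platform / Firebase
// custom claims instead of GCP IAM roles. Assumes kreait/firebase-php.
require 'vendor/autoload.php';

use Kreait\Firebase\Contract\Auth;
use Kreait\Firebase\Exception\Auth\FailedToVerifyToken;
use Kreait\Firebase\Factory;

// Role -> permission map lives in the application, not in GCP IAM.
const ROLE_PERMISSIONS = [
    'viewer' => ['reports:read'],
    'editor' => ['reports:read', 'reports:write'],
    'admin'  => ['reports:read', 'reports:write', 'users:manage'],
];

// Backend only: the service account sets the claim; clients never choose their own role.
$auth = (new Factory())
    ->withServiceAccount('/path/to/service-account.json') // placeholder path
    ->createAuth();

// Call from an admin-only endpoint, after the caller's own admin role has been verified.
function assignRole(Auth $auth, string $uid, string $role): void
{
    if (!array_key_exists($role, ROLE_PERMISSIONS)) {
        throw new InvalidArgumentException("Unknown role: $role");
    }
    // The user sees the new claim only after their ID token is refreshed.
    $auth->setCustomUserClaims($uid, ['role' => $role]);
}

// Verify the ID token sent by the browser and decide whether its holder may perform $permission.
function isAllowed(Auth $auth, string $idToken, string $permission): bool
{
    try {
        // Second argument true: also reject tokens issued before a sign-out or claim change.
        $verified = $auth->verifyIdToken($idToken, true);
    } catch (FailedToVerifyToken $e) {
        return false; // bad signature, expired, wrong project, or revoked
    }
    $role = $verified->claims()->get('role'); // custom claim; absent for new users
    if (!is_string($role) || !isset(ROLE_PERMISSIONS[$role])) {
        return false; // deny by default when no known role is present
    }
    return in_array($permission, ROLE_PERMISSIONS[$role], true);
}

// Usage: $idToken is taken from the request's "Authorization: Bearer" header.
// if (!isAllowed($auth, $idToken, 'reports:write')) { http_response_code(403); exit; }
```

The library checks the token's signature, expiry and project audience; the application's only job is the deny-by-default mapping from the verified `role` claim to permissions.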