I did some research to find a way to validate that external users (outside the GCP organization) have multi-factor authentication enabled. I found Google Workspace is_2sv_enrolled, but this is specific to users in the organization.

Do you know if there is any way to validate that external users have MFA enabled from Google App Engine login via Identity-Aware Proxy?

To be more specific about the problem I want to solve, here is a basic summary of the context:

I developed a solution in Python using Google App Engine and Identity-Aware Proxy so that authorized users can authenticate and have their respective IP address allowed to certain ports in a Security Group ingress on AWS. It is a solution that includes several technologies, such as Google App Engine, Identity-Aware Proxy, Google Compute Engine, AWS WAF, AWS API Gateway, AWS Lambda, among others.

Currently, any user who is authorized in the Identity-Aware Proxy, following the conditions that I can already manage, will be allowed in the Security Group ingress.

The problem: I want to limit this access for external users to only those whose Google account has MFA enabled.

Thanks.

1 Answer

Google Accounts does not provide information (called claims) regarding MFA.

Google Accounts provides information about a user, provided the correct scopes (openid profile email) are supplied in the authorization request. The details of endpoints, scopes and claims are documented in the Discovery document. Google publishes this document at a well-known URL:

https://accounts.google.com/.well-known/openid-configuration

Below are the contents of the Discovery document (as of this date). Notice there is no provision for returning MFA-related information (claims) in the claims_supported section.

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}
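As an added example (not part of the answer above), here is a Python check for the two things a relying party can actually verify: whether a discovery document advertises the OpenID Connect authentication-context claims acr/amr in claims_supported, and whether a real ID token payload carries them. The discovery JSON is a trimmed copy of the document quoted above; the token helper builds a constructed, unsigned sample purely so the check runs offline.

```python
import base64
import json

# Trimmed copy of the Google discovery document quoted above;
# only the field this check inspects is kept.
GOOGLE_DISCOVERY = json.loads("""
{
 "issuer": "https://accounts.google.com",
 "claims_supported": ["aud", "email", "email_verified", "exp", "family_name",
                      "given_name", "iat", "iss", "locale", "name", "picture", "sub"]
}
""")

# OpenID Connect Core 1.0 defines "acr" (Authentication Context Class Reference)
# and "amr" (Authentication Methods References; registered values include
# "mfa", "otp", "hwk"). These are the claims that would reveal MFA use.
MFA_CONTEXT_CLAIMS = {"acr", "amr"}


def mfa_claims_advertised(discovery: dict) -> set:
    """Return which authentication-context claims the provider lists in
    claims_supported. An empty set means the document advertises no way
    for a relying party to learn how the user authenticated."""
    return MFA_CONTEXT_CLAIMS & set(discovery.get("claims_supported", []))


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mfa_claims_in_id_token(id_token: str) -> dict:
    """Extract acr/amr from an ID token payload. The signature is NOT
    verified here; verify it against jwks_uri first (e.g. with
    google-auth's id_token.verify_oauth2_token) before trusting any claim.
    claims_supported only lists what an OP MAY return, so inspecting real
    tokens is the definitive check."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {k: claims[k] for k in MFA_CONTEXT_CLAIMS if k in claims}


def build_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```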