I have a similar issue as this question (but with a key difference - I'm hitting my own API): 405 when authenticating using Google Auth, Angular 4, ASP.Net Core 2
I am using Identity Aware Proxy (IAP) to authenticate users in my enterprise domain to our custom app deployed on App Engine flexible environment, written in Node.js. The app is serving assets and maintaining a RESTful API using express, and is authorizing requests using signed headers as suggested by the IAP docs.
IAP is functioning as intended with regards to limiting users to the application, but the problem comes when attempting to make AJAX calls to my own RESTful API. When I attempt to do this, the HTTP request responds with a 302 redirect, redirects to the Google oauth2 endpoint (https://accounts.google.com/o/oauth2/v2/auth?client_id=[...]), and then fails with the following error:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://<my_project>.appspot.com' is therefore not allowed access. The response had HTTP status code 405. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
The AJAX in question is a POST method request, but in the Network tab of dev tools I also see a mimicked request to the same endpoint as a GET request (same headers, just with payload stripped off), and then the OPTIONS request to the OAuth endpoint (where the error is generated as OAuth doesn't handle OPTIONS preflight requests).
I have followed the IAP and App Engine docs to the letter, so I suspect I am missing something on my implementation side that is implied by the docs and I overlooked. Do I need to handle AJAX authentication differently? Why is it being sent to the OAuth endpoint? Is this related to my CORS configuration?
I have tried clearing cache, different devices/browsers, various CORS configurations using cors.
It makes sense to me why the request is failing, but I do not understand why the request is being made in the first place. I understand the CORS limitations, but I am not sending requests to a Google service (directly), rather I am sending to my own RESTful API (albeit, hosted on Google services and behind IAP). If the user is already authenticated to get into my app and past IAP, it seems to me that the AJAX requests should be authenticated as well?
The solution to my issue was what I initially suspected: the IAP authorization process does in fact allow AJAX requests to access other IAP protected resources (e.g. my backend API in this example). The issue was related to the fetch() method on the front end client, which by default does not send cookies with the HTTP requests. You must pass credentials: 'include' or credentials: 'same-origin' in the options to fetch.
By default, fetch won't send or receive any cookies from the server, resulting in unauthenticated requests if the site relies on maintaining a user session (to send cookies, the credentials init option must be set).
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch
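As an added example (not code from the original post), a small fetch wrapper for the front end that applies the fix above and also makes a dropped IAP session visible instead of surfacing as the cryptic CORS error. It assumes the API lives on the same origin as the page and that the caller passes in a fetch implementation (the browser's global fetch in practice, a stub in tests); the function names and the 'iap-session-missing' reason are assumptions.

```javascript
// Added example, not from the original post. Assumes the API is served
// from the same origin as the page; withIapCredentials/iapFetch are
// names chosen here, not part of any IAP or App Engine library.

// Merge the caller's fetch options with the settings the IAP session needs.
function withIapCredentials(init = {}) {
  return {
    ...init,
    // Send the IAP session cookie explicitly rather than relying on the
    // browser default; a request without it is unauthenticated to the proxy.
    credentials: init.credentials === 'include' ? 'include' : 'same-origin',
    // Do not let the browser chase a 302 to accounts.google.com (which is
    // what produced the failing OPTIONS preflight); report it instead.
    redirect: 'manual',
  };
}

// Call an IAP-protected API endpoint. A redirect response means IAP did not
// see a valid session, so the app should re-enter through IAP (e.g. reload).
async function iapFetch(url, init, fetchImpl) {
  const res = await fetchImpl(url, withIapCredentials(init));
  // With redirect: 'manual' the browser hands back an opaque redirect
  // (type 'opaqueredirect', status 0) instead of following the 302.
  const redirected =
    res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400);
  if (redirected) {
    return { ok: false, reason: 'iap-session-missing', status: res.status };
  }
  return { ok: res.ok, status: res.status, body: await res.json() };
}

// Constructed stand-in for the browser's fetch: it behaves like IAP, answering
// 200 only when the request carries credentials, otherwise redirecting.
async function fakeIapFetch(url, init) {
  if (init.credentials === 'same-origin' || init.credentials === 'include') {
    return { type: 'basic', ok: true, status: 200, json: async () => ({ items: [1, 2] }) };
  }
  return { type: 'opaqueredirect', ok: false, status: 0 };
}

module.exports = { withIapCredentials, iapFetch, fakeIapFetch };
```

In the browser, pass `window.fetch` as `fetchImpl`; the constructed `fakeIapFetch` only exists so the wrapper can be exercised offline.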