Tags: python, google-cloud-platform, google-iap

Authenticating Against an IAP Protected Resource with Bearer Header?


Is it possible to use an Authorization: Bearer … header to make a request through Identity Aware Proxy to my protected application? (Using a service account, of course. From outside GCP.)

I would like to not perform the OIDC token exchange, is this supported?

If so, does anyone have any examples?

So far, I have the following but it doesn't work:

import json
import time

import jwt  # PyJWT

# `account` is the parsed service-account key file downloaded from GCP
account = json.load(open('service-account.json'))

iat = time.time()
exp = iat + 3600
payload = {'iss': account['client_email'],
           'sub': account['client_email'],
           'aud': '/projects/NNNNN/apps/XXXXXXX',
           'iat': iat,
           'exp': exp}
# kid is the key ID from the key file, not the PEM-encoded private key itself
additional_headers = {'kid': account['private_key_id']}
signed_jwt = jwt.encode(payload, account['private_key'], headers=additional_headers,
                       algorithm='RS256')

# PyJWT < 2 returns bytes, PyJWT >= 2 returns str
if isinstance(signed_jwt, bytes):
    signed_jwt = signed_jwt.decode('utf-8')

This produces: Invalid IAP credentials: JWT signature is invalid.


Solution

  • This is not currently supported. IAP is expecting a signature generated by the Google accounts infrastructure using its private key, so that's why the signature check is failing. Could you tell me more about why you'd like to avoid the OIDC token exchange? --Matthew, Google IAP Engineering
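For reference, the exchange the answer says IAP requires, as an added example that is not code from the question or from Matthew's answer. Instead of presenting the service-account JWT to IAP directly, the client signs a short-lived assertion whose `target_audience` is the IAP OAuth client ID and whose `aud` is Google's token endpoint, POSTs it as a jwt-bearer grant, and then uses the Google-signed `id_token` it gets back as the Bearer token. The IAP client ID, the resource URL, the `service-account.json` path and the constructed throwaway key used for offline testing are assumptions; the key-file field names (`client_email`, `private_key`, `private_key_id`) follow the standard GCP service-account JSON. Requires PyJWT with its cryptography backend (pip install "pyjwt[crypto]").

```python
"""OIDC token exchange for calling an IAP-protected resource from outside GCP.

Added example, not from the original page. Flow:
  1. build_assertion()        sign a jwt-bearer assertion with the SA key
  2. exchange_for_id_token()  POST it to Google's token endpoint, get id_token
  3. fetch_through_iap()      send id_token as Authorization: Bearer
"""
import json
import time
import urllib.parse
import urllib.request

import jwt  # PyJWT with the cryptography backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

TOKEN_URL = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_assertion(account, iap_client_id, now=None, lifetime=3600):
    """Sign the assertion Google exchanges for an ID token.

    Unlike the self-signed JWT in the question, `aud` is Google's token
    endpoint and the IAP OAuth client ID goes in `target_audience`.
    """
    now = int(time.time()) if now is None else int(now)
    claims = {
        "iss": account["client_email"],
        "sub": account["client_email"],
        "aud": TOKEN_URL,
        "target_audience": iap_client_id,
        "iat": now,
        "exp": now + min(lifetime, 3600),  # the token endpoint caps lifetime at 1h
    }
    headers = {"kid": account["private_key_id"]}  # key ID, not the PEM
    token = jwt.encode(claims, account["private_key"], algorithm="RS256", headers=headers)
    return token.decode("utf-8") if isinstance(token, bytes) else token  # PyJWT 1.x/2.x


def exchange_for_id_token(assertion):
    """Network call: trade the assertion for a Google-signed OIDC ID token."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["id_token"]


def fetch_through_iap(url, id_token):
    """Network call: request the IAP-protected resource with the ID token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {id_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def make_constructed_account():
    """Constructed throwaway 'service account' for offline testing only.
    A real client would json.load() the key file downloaded from GCP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption()).decode()
    return {"client_email": "iap-caller@example-project.iam.gserviceaccount.com",
            "private_key": pem, "private_key_id": "constructed-key-id"}


def decode_assertion(token, account):
    """Verify the assertion locally with the account's own public key and
    return (header, claims); mirrors what Google's token endpoint checks."""
    priv = serialization.load_pem_private_key(account["private_key"].encode(), password=None)
    pub = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    claims = jwt.decode(token, pub, algorithms=["RS256"], audience=TOKEN_URL,
                        options={"verify_exp": False})  # fixed `now` in tests may be in the past
    return jwt.get_unverified_header(token), claims


if __name__ == "__main__":
    # Assumed values: real key file path, IAP OAuth client ID and protected URL.
    account = json.load(open("service-account.json"))
    assertion = build_assertion(account, "CLIENT_ID.apps.googleusercontent.com")
    id_token = exchange_for_id_token(assertion)
    print(fetch_through_iap("https://my-iap-app.example.com/", id_token))
```

The reason this works where the question's code does not: IAP verifies the incoming token against Google's published signing keys, and only `exchange_for_id_token` produces a token signed by those keys. The service-account key signs nothing IAP sees directly; it only proves to the token endpoint who is asking.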