google-cloud-platform, cookies, identity-aware-proxy

IAP opens two sessions for App Engine and Compute Engine access


Context

I have 3 services running in GCP. One of them is an SPA running in App Engine and the other two are APIs running in Compute Engine. I configured an HTTPS Load Balancer in front of them with a single domain and enabled IAP (with the Identity Platform method).

Problem

The problem is that the cookie I get after a successful login works only for App Engine requests; all requests to Compute Engine end up with a 302. Is there a way to get it working for all IAP-protected services?

A bit more info

When I directly access the Compute Engine resource, IAP doesn't detect the session that was opened through the App Engine resource, so I have to log in again, and then both the App Engine and Compute Engine services work just fine.

Cookie after first login (App Engine resource): [image: Cookie App Engine]

Cookie after second login (Compute Engine resource): [image: Cookie App Engine + Compute Engine]

Looks like IAP sets up two different sessions even though the domain is the same. I couldn't find any difference between these two cookies other than the encoded payload.


Solution

  • Turns out the problem was that the App Engine and Compute Engine services in IAP had different client IDs, so the fix was to manually change them so that all services have the same client_id.
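As an added example (not part of the question or the answer above), the following POSIX shell check encodes the condition the answer describes: every IAP-protected backend behind the same domain must use the same OAuth client ID, otherwise IAP treats them as separate applications and mints a separate session cookie for each. The inventory it checks is constructed sample data; the `gcloud` commands in the comments are the real ones for reading and setting the IAP client ID, with service names, client IDs and secrets as placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or answer.
# Goal: confirm that all IAP-protected backends share one OAuth client ID.
#
# Collecting the real inventory (real gcloud commands; names are placeholders):
#   gcloud app describe --format='value(iap.oauth2ClientId)'
#   gcloud compute backend-services describe api-a --global \
#       --format='value(iap.oauth2ClientId)'
#
# Aligning a backend that differs (real gcloud commands; values are placeholders):
#   gcloud iap web enable --resource-type=app-engine \
#       --oauth2-client-id=CLIENT_ID --oauth2-client-secret=CLIENT_SECRET
#   gcloud compute backend-services update api-a --global \
#       --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET

# Constructed sample inventory: one line per service, "<service> <client_id>".
# It reproduces the question's situation: App Engine uses one client ID,
# the two Compute Engine backends use another.
SAMPLE_INVENTORY='app-engine-default 111111-aaaa.apps.googleusercontent.com
api-a 222222-bbbb.apps.googleusercontent.com
api-b 222222-bbbb.apps.googleusercontent.com'

# iap_client_ids_consistent INVENTORY
# Returns 0 when every service lists the same client ID, 1 otherwise.
# On mismatch it prints the distinct IDs and which service uses each,
# so the odd backend out is easy to spot.
iap_client_ids_consistent() {
    inventory="$1"
    distinct=$(printf '%s\n' "$inventory" | awk 'NF >= 2 { print $2 }' | sort -u)
    count=$(printf '%s\n' "$distinct" | grep -c .)
    if [ "$count" -eq 1 ]; then
        return 0
    fi
    printf 'IAP client IDs differ across backends (%s distinct):\n' "$count" >&2
    printf '%s\n' "$inventory" | awk 'NF >= 2 { printf "  %-20s %s\n", $1, $2 }' >&2
    return 1
}

# Stand-alone run against the constructed inventory; never aborts the script.
if iap_client_ids_consistent "$SAMPLE_INVENTORY"; then
    echo "OK: one IAP client ID, one session cookie for every backend"
else
    echo "MISMATCH: expect a separate IAP login per client ID"
fi
```

Run with the sample inventory the check reports a mismatch; after pointing every backend at the same client ID (the fix the answer describes) it passes, which is the state to verify before expecting a single IAP session to cover all services.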