Tags: google-cloud-platform, gcp-load-balancer, identity-aware-proxy

Cloud Run with IAP behind urlmap, redirects to root


I have a Cloud Run service running on /.
I have a second Cloud Run service running on /admin.

I'm using an HTTP global load balancer to be able to use a custom hostname. I want to protect /admin with IAP. / is public, so IAP is off for that backend service.

I've configured the backend service to use IAP, which is working. However, when I go through the oauth consent screen, I get redirected to the root. That redirects me to the backend service where IAP is not enabled.

The root URL gets a query string like ?gcp-iap-mode=AUTHENTICATING&redirect_token_v2=... that IAP is supposed to check and convert into a cookie on the custom hostname of my app.

In the console on the IAP page, I see the menu option for the backend service "Go to OAuth configuration". Going there, I see options for redirects, but all the options are disabled. At the top of the page is a message: "This automatically generated OAuth client ID is required for your project. It can't be modified."

What am I missing?


Solution

  • It turned out we had a path rule with a rewrite for the prefix. /admin was stripped by the LB and forwarded to the admin backend service. The backend service, protected by IAP, then thinks it's serving on /.

    After authentication, the user gets redirected to / with a bunch of parameters.

    However, the load balancer forwards / to the non-IAP backend service, so IAP doesn't get to see the parameters and never gets the chance to write the IAP cookies.

    We've changed our URL map, adding a subdomain. We needed to add the hostname to the managed certificate.
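The two URL map shapes described in the answer, as an added illustration (not the asker's actual configuration): the first document is the broken layout with the prefix rewrite, the second is the fixed layout with a dedicated admin hostname. Project id, hostnames and backend service names are placeholders; the YAML follows the format accepted by `gcloud compute url-maps import NAME --source=FILE --global`, and only one document would be imported at a time.

```yaml
# Added example, not the asker's config. PROJECT_ID, hostnames and backend
# names are placeholders.

# --- BEFORE: one hostname, /admin prefix rewritten to / for the IAP backend.
# admin-backend (IAP on) sees every request as "/", so after the OAuth consent
# IAP sends the browser to https://app.example.com/?gcp-iap-mode=AUTHENTICATING&...
# The URL map routes that to public-backend (IAP off), so the IAP cookie is
# never written and the login loops back to the consent screen.
name: app-url-map
defaultService: projects/PROJECT_ID/global/backendServices/public-backend
hostRules:
- hosts:
  - app.example.com
  pathMatcher: single-host
pathMatchers:
- name: single-host
  defaultService: projects/PROJECT_ID/global/backendServices/public-backend
  pathRules:
  - paths:
    - /admin
    - /admin/*
    service: projects/PROJECT_ID/global/backendServices/admin-backend
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /   # strips /admin before forwarding: the problem
---
# --- AFTER: a dedicated hostname for the admin service, no prefix rewrite.
# Every path on admin.example.com, including the IAP callback to "/", reaches
# the IAP-protected backend. admin.example.com must also be added to the
# managed certificate and point at the load balancer's IP.
name: app-url-map
defaultService: projects/PROJECT_ID/global/backendServices/public-backend
hostRules:
- hosts:
  - app.example.com
  pathMatcher: public
- hosts:
  - admin.example.com
  pathMatcher: admin
pathMatchers:
- name: public
  defaultService: projects/PROJECT_ID/global/backendServices/public-backend
- name: admin
  defaultService: projects/PROJECT_ID/global/backendServices/admin-backend
```

A quick check after importing is to request https://admin.example.com/ and confirm the 302 to accounts.google.com comes from the admin backend, and that the redirect back carrying gcp-iap-mode lands on the same hostname.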