Tags: google-cloud-platform, google-cloud-run, google-iap

Get token after successful Google IAP login


Context

A frontend and a backend both run on Google Cloud Run; both are protected by IAP and secured to require authentication. They are also both behind a load balancer with a mapping to the API on the route /api/*. The frontend is served by a simple Nginx container.

Problem

The user logs in successfully with IAP to the frontend, but the JWT token is lost in the process, and the API calls get redirected to the login screen; since they are XHR calls, they get stuck in the network tab. So an Authorization header with the JWT token is needed.

Question

What's the easiest / simplest way to make API calls with the authorized user token?


Solution

  • The solution was to make a single Cloud Run service that serves the API and the static files, because IAP generates one service for each Cloud Run instance, so the architecture was too complex, and having a Cloud Run service dedicated to the frontend was over-engineered.

    Another approach is to use a Cloud Storage bucket and configure a public Cloud CDN, but that adds the overhead of signing cookies to fetch static files, which doesn't bring much value as the cookie can be stolen. And authentication is not enforced on Cloud Storage because IAP doesn't support Cloud Storage for now.