
Is it possible to use an Authorization: Bearer … header to make a request through Identity Aware Proxy to my protected application? (Using a service account, of course. From outside GCP.)

I would like to not perform the OIDC token exchange, is this supported?

If so, does anyone have any examples?

So far, I have the following but it doesn't work:

```python
import json
import time
import jwt  # PyJWT

# Service-account key file downloaded from the GCP console
with open('service-account.json') as fh:
    account = json.load(fh)

iat = time.time()
exp = iat + 3600
payload = {'iss': account['client_email'],
           'sub': account['client_email'],
           'aud': '/projects/NNNNN/apps/XXXXXXX',
           'iat': iat,
           'exp': exp}
# 'kid' carries the key ID from the key file, not the private key itself
additional_headers = {'kid': account['private_key_id']}
signed_jwt = jwt.encode(payload, account['private_key'], headers=additional_headers,
                        algorithm='RS256')

# PyJWT 1.x returns bytes, 2.x returns str
if isinstance(signed_jwt, bytes):
    signed_jwt = signed_jwt.decode('utf-8')
```

This produces: Invalid IAP credentials: JWT signature is invalid.

Adam Sherman
  • The Google OAuth Access Token does not contain identity information. You have to use an OIDC Identity Token to verify who is accessing the resource. – John Hanley Jan 29 '20 at 23:54

1 Answer

This is not currently supported. IAP is expecting a signature generated by the Google accounts infrastructure using its private key, so that's why the signature check is failing. Could you tell me more about why you'd like to avoid the OIDC token exchange? --Matthew, Google IAP Engineering

Matthew Sachs
  • That really helps a lot, thank you. I'm trying to use Salesforce's declarative support for External Services. It has two options for authentication: JWT, and JWT Token Exchange. I suspect I need to use the latter, but that should probably be a new question. – Adam Sherman Jan 30 '20 at 15:48
  • I posted a [new question](https://stackoverflow.com/questions/59991073/using-salesforce-named-credentials-against-google-iap). – Adam Sherman Jan 30 '20 at 17:08
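For reference, the exchange the answer refers to, written as an added example (not code from the question, the answer or Google): the service account signs an assertion whose `aud` is Google's token endpoint and whose `target_audience` is the IAP OAuth client ID, the token endpoint returns a Google-signed `id_token`, and only that token goes in the `Authorization: Bearer` header to IAP. The `IAP_CLIENT_ID` value and the key-file path are placeholders; `post` is injectable so the exchange can be exercised without network access.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def build_claims(client_email, iap_client_id, now=None, lifetime=3600):
    """Claims for the assertion sent to Google's token endpoint. Unlike the
    question's payload, 'aud' is the token endpoint and the IAP OAuth client
    ID goes in 'target_audience' (it becomes the 'aud' of the id_token)."""
    now = int(time.time() if now is None else now)
    return {"iss": client_email, "sub": client_email, "aud": TOKEN_URI,
            "target_audience": iap_client_id, "iat": now, "exp": now + lifetime}

def sign_assertion(account, iap_client_id, now=None):
    """Sign the claims with the service-account key (PyJWT, as in the question).
    'kid' carries the key ID from the key file, not the private key itself."""
    import jwt  # imported here so the module loads without PyJWT installed
    token = jwt.encode(build_claims(account["client_email"], iap_client_id, now),
                       account["private_key"], algorithm="RS256",
                       headers={"kid": account["private_key_id"]})
    return token.decode("utf-8") if isinstance(token, bytes) else token

def exchange_body(assertion):
    """Form body of the OIDC token exchange; the JSON response carries 'id_token'."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER,
                                   "assertion": assertion}).encode()

def http_post(url, body):
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def fetch_id_token(assertion, post=http_post):
    """Exchange the self-signed assertion for a Google-signed OIDC id_token."""
    return json.loads(post(TOKEN_URI, exchange_body(assertion)))["id_token"]

def iap_request(url, id_token):
    """From outside GCP, IAP accepts only the Google-signed id_token as Bearer."""
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + id_token})
```

In use: `account = json.load(open("service-account.json"))`, then `id_token = fetch_id_token(sign_assertion(account, "IAP_CLIENT_ID"))` and `urllib.request.urlopen(iap_request("https://app.example.com/", id_token))`, where the client ID and URL are placeholders for your own IAP-protected app.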