0

I've created a google app engine project with a service protected by IAP.

I understand how to use the signed headers to get the authenticated user's identity. But how would I retrieve their OAuth 2.0 credentials?

Any suggestions of other ways of achieving this (using GCP) would also be appreciated.

interrupt0
  • 25
  • 5
  • What do you mean by OAuth 2.0 credentials? There are three tokens that can be created using OAuth and OIDC: access, refresh, and identity. If you are using IAP, you can only fetch the user's identity. https://cloud.google.com/iap/docs/identity-howto – John Hanley Sep 20 '21 at 20:48
  • @JohnHanley Specifically the access/refresh tokens. I want, for example, to be able to access the files in the user's gdrive. Since I currently have the frontend behind the IAP, they would have to login to their google account twice to do so; once to get past the proxy, and again so I can get the access/refresh tokens. Based off of your comment, it sounds like perhaps IAP isn't for me and I should just implement the authorization flow myself. – interrupt0 Sep 20 '21 at 21:49

1 Answers1

3

There are three tokens that can be created using OAuth and OIDC: access, refresh, and identity. If you are using IAP, you can only fetch the user's identity.

Getting the user's identity

You cannot access the OAuth Access and Refresh Tokens from IAP. If this is a requirement, turn off IAP and implement the Google OAuth flow in your application.

John Hanley
  • 74,467
  • 6
  • 95
  • 159