
Problem layout: I'm working with an AppEngine interface and the client has AD/Azure for authentication.

I've set up IAP with an external provider (being the Azure setup). The login screen is provided by Google.

That works.

But the login page does not show the possibility to log in with the project Google accounts, which is really annoying as a dev.

I would like the project owners/editors or people with specific roles to be able to access the interface as well.

I've set up Google as well as an external provider with the web client ID and secret of the project.

The login page now shows two login buttons. Nice.

But it doesn't work as expected. I get stuck behind the OAuth consent page. There are 3 options: internal, testing or production.

  • Internal does not work.
  • Testing I guess would work, but I have to add the users/devs manually. There is no link with IAM users.
  • Production works, but everybody with a gmail account gets access.

What am I missing?

I would have guessed that the external Google provider linking back to the project would have limited the access of users.

What should I check?

Is there a better way to get the wanted setup?

Osvaldo
Ilpepe4

1 Answer

IAP relies on the IAM service by default: it checks the authentication and the identity to allow access. That's normal because only Google-managed accounts can be added to the IAM service.

When you switch to the external provider, the accounts are no longer managed by Google; they're managed by an external provider, and IAP only checks that the authentication is valid and comes from an authorized external provider. You can't add emails not managed by Google to the IAM service to perform the identity check.

Therefore, only authenticated users can access your application. If you add the Google provider, all correctly authenticated Google Accounts can access your app. Same thing for Facebook and other providers.

Note that you also can't filter the Azure accounts. All the Azure accounts of your tenant will be authorized, not a limited list of emails in that tenant.

guillaume blaquiere
  • Hi, thanks for the reply. To be clear, Azure login works perfectly fine. The problem is with the Google accounts. How can I, as a dev, see the AppEngine page? That is why I've set up a second external provider, namely Google (with the web application of the GCP project), with the goal that it would authenticate the users of the project. However, that doesn't work (I'm project owner). It fails because of the consent screen: error 403 org_internal. But there I fail to see how I can limit auth to project users/owners. It is only internal (doesn't work), testing and production. – Ilpepe4 Dec 01 '21 at 15:53
  • If it's dev, why do you need the Azure and the Google account? Only the dev account, the Google account, should be enough, no? If you use Azure IdP, you could create the dev account in the Azure dev tenant. Or you could try Cloud Identity Platform. Create your dev user account in it and plug it into IAP; it should work, even in internal mode, because the Cloud Identity Platform directory will be internal to your project. – guillaume blaquiere Dec 01 '21 at 21:00
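The practical consequence of the answer is that, once external identities are in play, IAP proves *who authenticated* but no longer decides *who is allowed in*; that decision has to live in the application. The following is an added example, not code from the question, the answer or Google, showing such an application-side check on the identity headers IAP forwards to the backend. It assumes the `X-Goog-Authenticated-User-Email` value has the form `accounts.google.com:email` for Google-managed accounts and `securetoken.google.com/<project>/<tenant>:email` for Identity Platform (external) users; the allowlist and domain values are constructed for the example. Checking that the `X-Goog-IAP-JWT-Assertion` header is merely present is not a security control: in production the assertion's signature and audience must be verified (for example with `google.oauth2.id_token.verify_token` against IAP's published keys), which is omitted here because it needs a network fetch.

```python
"""App-side authorization behind IAP when external identities are enabled.

Added example; header formats for external users and all policy values are
assumptions, not taken from the page.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Headers IAP adds to every request it forwards to the backend.
IAP_EMAIL_HEADER = "X-Goog-Authenticated-User-Email"
IAP_JWT_HEADER = "X-Goog-IAP-JWT-Assertion"

# Provider prefixes in the email header. The external one is an assumed
# format for Identity Platform users.
GOOGLE_PROVIDER = "accounts.google.com"
EXTERNAL_PROVIDER_PREFIX = "securetoken.google.com/"

# Constructed policy for this example. Google-managed accounts are admitted
# only when on an explicit developer allowlist (in a real deployment you
# would derive this from the project's IAM bindings); Azure users are
# admitted only from the customer's own domain, because IAP itself lets
# every account of the federated tenant through.
ALLOWED_GOOGLE_ACCOUNTS = frozenset({"dev@example-project.dev"})
ALLOWED_EXTERNAL_DOMAINS = frozenset({"customer.example"})


@dataclass(frozen=True)
class Identity:
    provider: str
    email: str


def parse_iap_email(value: str) -> Optional[Identity]:
    """Parse the 'provider:email' value IAP writes; None when malformed."""
    provider, sep, email = value.partition(":")
    if not sep or not provider or "@" not in email:
        return None
    return Identity(provider=provider, email=email.lower())


def authorize(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request that reached the backend."""
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if IAP_JWT_HEADER.lower() not in lowered:
        # No assertion at all: the request did not pass through IAP.
        # A real deployment verifies the JWT here, not just its presence.
        return False, "missing IAP JWT assertion"
    identity = parse_iap_email(lowered.get(IAP_EMAIL_HEADER.lower(), ""))
    if identity is None:
        return False, "no usable identity header"
    if identity.provider == GOOGLE_PROVIDER:
        if identity.email in ALLOWED_GOOGLE_ACCOUNTS:
            return True, f"{identity.email} is on the developer allowlist"
        # Authenticated by Google, but that alone grants nothing here.
        return False, f"{identity.email} authenticated but not authorized"
    if identity.provider.startswith(EXTERNAL_PROVIDER_PREFIX):
        domain = identity.email.rsplit("@", 1)[1]
        if domain in ALLOWED_EXTERNAL_DOMAINS:
            return True, f"external user {identity.email} from {domain}"
        return False, f"external user {identity.email} from unexpected {domain}"
    return False, f"unknown provider {identity.provider}"


# Constructed sample requests mirroring the cases discussed in the thread.
SAMPLE_REQUESTS = {
    "project developer": {
        IAP_JWT_HEADER: "<jwt placeholder>",
        IAP_EMAIL_HEADER: "accounts.google.com:dev@example-project.dev",
    },
    "random gmail user": {
        IAP_JWT_HEADER: "<jwt placeholder>",
        IAP_EMAIL_HEADER: "accounts.google.com:someone@gmail.com",
    },
    "azure tenant user": {
        IAP_JWT_HEADER: "<jwt placeholder>",
        IAP_EMAIL_HEADER: "securetoken.google.com/example-project/"
        "azure-tenant:alice@customer.example",
    },
    "request that skipped IAP": {
        IAP_EMAIL_HEADER: "accounts.google.com:dev@example-project.dev",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        allowed, why = authorize(hdrs)
        print(f"{name:26s} -> {'allow' if allowed else 'deny '} ({why})")
```

The point to take from the sample runs is the second case: a Google account that authenticated perfectly well is still denied, which is exactly the filtering the asker wanted and IAP cannot do once identity is delegated to an external provider.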