I have a Cloud Run service running on /.
I have a second Cloud Run service running on /admin.

I'm using a HTTP global loadbalancer to be able to use a custom hostname. I want to protect /admin with IAP. / is public so IAP is off for that backend service.

I've configured the backend service to use IAP, which is working. However, when I go through the oauth consent screen, I get redirected to the root. That redirects me to the backend service where IAP is not enabled.

The root url gets a querystring like ?gcp-iap-mode=AUTHENTICATING&redirect_token_v2=... that IAP is supposed to check and convert into a cookie on the custom hostname of my app.

In the console on the IAP page, I see the menu option for the backend service "Go to OAuth configuration". Going there I see options for redirects, but all the options are disabled. At the top of the page is a message: "This automatically generated OAuth client ID is required for your project. It can't be modified."

What am I missing?

Jaap

2 Answers

It is likely due to the configuration of the OAuth client ID and consent screen.

Make sure that the OAuth client ID associated with your IAP configuration is correct and matches the client ID used in your consent screen configuration.

Also make sure that the authorized JavaScript origins and redirect URIs include the appropriate URLs for both the root ("/") and the "/admin" paths.

Or try to clear browser cache and cookies or test in incognito or private browsing mode.

If the above still does not work, it would be best to get in touch with Cloud Platform Support so they can further inspect your project.

Siegfred V.

It turned out we had a path rule with a rewrite for the prefix. /admin was stripped by the LB and forwarded to the admin backend service. The backend service, protected by IAP, then thinks it's serving on /.

After authentication, the user gets redirected to / with a bunch of parameters.

However, the load balancer forwards / to the non-IAP backend service, so IAP doesn't get to see the parameters and never gets the chance to write the IAP cookies.

We've changed our url map, adding a subdomain. We needed to add the hostname to the managed certificate.

Jaap
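A URL map in the shape the accepted answer describes, added here as an illustration and not the asker's actual configuration: the backend service names, hostnames and project ID are assumptions. The original path-prefix rewrite is kept as a commented-out rule for comparison; the active host rules show the subdomain-based fix, loadable with `gcloud compute url-maps import`.

```yaml
# Added example, not the asker's real config. Assumed names:
#   app-backend   = public Cloud Run service, IAP off
#   admin-backend = admin Cloud Run service, IAP on
#   app.example.com / admin.example.com, project PROJECT_ID (placeholders)
name: app-url-map
defaultService: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/app-backend
hostRules:
- hosts:
  - app.example.com
  pathMatcher: app-paths
- hosts:
  - admin.example.com   # fix: the IAP-protected service gets its own hostname
  pathMatcher: admin-paths
pathMatchers:
- name: app-paths
  defaultService: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/app-backend
  # Original (problematic) rule, commented out. It stripped "/admin" before
  # forwarding, so the IAP backend believed it was serving "/". After the
  # consent screen IAP redirected the browser to
  #   /?gcp-iap-mode=AUTHENTICATING&redirect_token_v2=...
  # on the same host, which this matcher routes to app-backend (IAP off),
  # so the token was never exchanged for an IAP cookie.
  #
  # routeRules:
  # - priority: 1
  #   matchRules:
  #   - prefixMatch: /admin
  #   routeAction:
  #     urlRewrite:
  #       pathPrefixRewrite: /
  #   service: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/admin-backend
- name: admin-paths
  # No rewrite: every path on admin.example.com, "/" included, reaches the
  # IAP-enabled backend, so IAP sees the redirect parameters and can set
  # its session cookie for that hostname.
  defaultService: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/admin-backend
```

As the answer notes, the new hostname also has to be added to the load balancer's managed certificate, and the DNS record for admin.example.com must point at the same forwarding rule.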