GCP API Gateway : Authentication of already logged in Google Users


Our API gateway exposes a URL endpoint to load images etc. from a Cloud Run backend service. This URL endpoint is used by a user interface secured by Google's Identity Aware Proxy (IAP). Therefore, all requests to the URL endpoint come from already logged in Google Users.

What security (securityDefinitions) configuration do I have to define for this in the OpenAPI configuration of the API gateway? If I understand correctly, this is the configuration described here.

I tried the following configuration:

swagger: '2.0'
info:
  title: xyz-api
  description: XYZ Service
  version: 1.0.0

schemes:
  - https

x-google-backend:
  address: https://CLOUD_RUN
  jwt_audience: https://CLOUD_RUN

security:
  - google_id_token: []

paths:
  /info:
    get:
      summary: Service informations
      description: Returns informations about this service
      operationId: getInfoFromService
      produces:
        - application/json
      responses:
        '200':
          description: Info as JSON
        '400':
          description: Invalid status value

securityDefinitions:
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"

The API Gateway responds with:

{
  "message": "Jwt is missing",
  "code": 401
}

Update

A few more details about the setup:

The UI and API gateway are behind the same Load Balancer with the same domain. The IAP (Identity-Aware Proxy) is enabled for the UI backend. For the API gateway, we used the above configuration without the IAP.

To use the UI, users must log in with their Google User account. The user group is authorized in the IAP as "IAP-secured Web App User".

The UI now tries to load images via https://xyz.app/api/image123456/. This fails.

Since the user login via the IAP was successful for the domain https://xyz.app/, we would expect it to work for the API gateway as well.

Update 2:

As a test, I have activated the IAP for the API gateway. The IAP returns an HTTP 403 error. According to the load balancer log file these are generated by the "backend" (response_sent_by_backend). This probably means the API gateway.

From my point of view this brings us back to the initial question: What do I have to configure in the OpenAPI configuration of the API gateway to make the access work? In this case via IAP: LB -> IAP -> API GW -> Cloud Run.


There are 0 answers
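The securityDefinition in the question tells the gateway which issuer to accept (x-google-issuer) and where to fetch the signing keys (x-google-jwks_uri); the gateway then expects an ID token as a bearer token in the Authorization header, and "Jwt is missing" is the response when no such header is present. The following script is an added example, not code from the page or from Google: it models those checks (header present, RS256 signature against a JWKS key selected by kid, issuer, expiry, audience) against constructed requests. The RSA key, the JWKS document, the key id, the expected audience "xyz-api", the sample claims and every message except "Jwt is missing" are assumptions made for the demo; the textbook RSA is there only so the script runs offline, a real verifier uses a maintained JWT library and the live JWKS.

```python
import base64
import hashlib
import json
import secrets

ISSUER = "https://accounts.google.com"   # x-google-issuer from the config in the question
AUDIENCE = "xyz-api"                     # assumption: the aud claim the gateway expects
KID = "demo-key-1"                       # constructed key id for the demo JWKS

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; sufficient for a throwaway demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits=768):
    """Textbook RSA (n, e, d): small and unhardened, for illustration only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def make_jwks(n, e):
    """JWKS document in the shape served at x-google-jwks_uri (constructed key)."""
    enc = lambda x: _b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": KID,
                      "n": enc(n), "e": enc(e)}]}

def sign_id_token(claims, n, d):
    """Mint an RS256 JWT the way an identity provider would."""
    k = (n.bit_length() + 7) // 8
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_emsa(signing_input.encode(), k), "big"), d, n)
    return signing_input + "." + _b64u(sig.to_bytes(k, "big"))

def check_request(headers, jwks, now):
    """Model of the gateway's checks for the securityDefinition in the question.
    Returns (http_status, message); messages other than "Jwt is missing" are constructed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "Jwt is missing"
    try:
        h64, p64, s64 = auth[len("Bearer "):].split(".")
        header, claims, sig = json.loads(_unb64u(h64)), json.loads(_unb64u(p64)), _unb64u(s64)
    except ValueError:
        return 401, "Jwt is malformed"
    if header.get("alg") != "RS256":            # never let the token choose its own algorithm
        return 401, "Jwt algorithm is not allowed"
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None:
        return 401, "Jwt key id not found in JWKS"
    n = int.from_bytes(_unb64u(key["n"]), "big")
    e = int.from_bytes(_unb64u(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    expected = _emsa(f"{h64}.{p64}".encode(), k)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") != expected:
        return 401, "Jwt signature is invalid"
    if claims.get("iss") != ISSUER:
        return 401, "Jwt issuer is not allowed"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return 401, "Jwt is expired"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return 401, "Jwt audience is not allowed"
    return 200, claims.get("sub")

def demo(now=1_700_000_000):
    """Run the checks against constructed requests; returns {case: (status, message)}."""
    n, e, d = generate_rsa_keypair()
    jwks = make_jwks(n, e)
    base = {"iss": ISSUER, "sub": "user-123", "exp": now + 3600}   # constructed claims
    good = sign_id_token({**base, "aud": AUDIENCE}, n, d)
    bearer = lambda t: {"Authorization": "Bearer " + t}
    tampered = good[:-4] + ("AAAA" if good[-4:] != "AAAA" else "BBBB")  # flip signature bytes
    return {
        "no_header": check_request({}, jwks, now),
        "valid": check_request(bearer(good), jwks, now),
        "wrong_aud": check_request(bearer(sign_id_token({**base, "aud": "other-api"}, n, d)), jwks, now),
        "expired": check_request(bearer(sign_id_token({**base, "aud": AUDIENCE, "exp": now - 1}, n, d)), jwks, now),
        "tampered": check_request(bearer(tampered), jwks, now),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The "no_header" case reproduces the 401 body shown in the question: the gateway rejects the request before it ever looks at who the user is, because nothing in the request carries a token for it to validate. The other cases show why each of the configured values matters from the defender's side: a token signed by a key that is not in the JWKS, one from another issuer, one that has expired, or one minted for a different audience is rejected just the same.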