Git Product home page Git Product logo

Comments (3)

ojarjur avatar ojarjur commented on May 3, 2024 1

@ravwojdyla thanks for reaching out.

I don't think the App Engine app works if you have IAP enabled.

You might be able to get your client-side requests through IAP, but the proxy agent has never been updated to support using OIDC tokens to authenticate instead of OAuth access tokens.

That means that your requests won't make it all the way through to your backend server.

I've sent out #94 to add a note about this to the README

There isn't any sort of fundamental reason that we can't support IAP, but it hasn't been a priority because no one is using it with IAP. That's a bit of a circular argument (no one uses this with IAP because we don't support it, and we don't support IAP because no one uses it with IAP...), but it does mean that this isn't a priority for anyone currently working on the inverting proxy.

That being said, a pull request to add support for OIDC tokens to the proxy agent would be welcome, as long as it's flag controlled (so that existing users can continue to rely on OAuth tokens).

from inverting-proxy.

ravwojdyla avatar ravwojdyla commented on May 3, 2024

@ojarjur that explains it, thank you!

You might be able to get your client-side requests through IAP, but the proxy agent has never been updated to support using OIDC tokens to authenticate instead of OAuth access tokens.
..
That being said, a pull request to add support for OIDC tokens to the proxy agent would be welcome, as long as it's flag controlled (so that existing users can continue to rely on OAuth tokens).

Do you foresee it would be something more than adding idtoken.NewClient(ctx, audience) to

inverting-proxy/agent/agent.go

Line 212 in 6416861

func getGoogleClient(ctx context.Context) (*http.Client, error) {

+ flags for using IAP and audience oauth client ID?

Edit: that was definitely, not enough, agent GAE app fails with:

Failed to validate backend ID: "Failed to read the OAuth authorization header: "API error 3 (user: OAUTH_INVALID_TOKEN)""

from pendingHandler in

inverting-proxy/app/proxy.go

Line 158 in 6416861

oauthUser, err := user.CurrentOAuth(ctx, "https://www.googleapis.com/auth/cloud-platform")

from inverting-proxy.

ojarjur avatar ojarjur commented on May 3, 2024

@ravwojdyla Yeah, it looks like the OIDC token auth and the OAuth user auth are incompatible because they both want to use the same "Authorization" header with different values.

We'd need to change checkBackendID to support OIDC tokens as an alternative to OAuth.

I have no idea how much work that would be as I've never done anything with OIDC

from inverting-proxy.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.