
I currently have App Engine up and running, protected by IAP, and my eventual aim is to have this be triggered by an Apps Script project. I've tested the code without IAP and it works fine. However, I'm running into difficulties successfully authorizing access to it when IAP is enabled.

I've added myself as an IAP-secured Web App User (as well as Policy Admin) to the App Engine, but whenever I try triggering it from a GSheets Apps Script where I'm the owner and it's associated with the correct GCP project (using this great explanation as a guide) I get the following:

"Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (1084708005908-bk66leo0dnkrjsh276f0rgeoq8ns87qu.apps.googleusercontent.com) doesn't match expected value (1084708005908-oqkn6pcj03c2pmdufkh0l7mh37f79po2.apps.googleusercontent.com))"

I've tried adding/removing various permissions to my account, as well as creating a new Apps Script and re-adding it to the project, but to no avail. I run into the same issue when triggering from the CLI, so I'm fairly sure it's an issue with authentication; however, this is my Apps Script code in case it helps:

function test() {
  // ID token minted for the script's own (auto-generated) OAuth client
  const options = {
    headers: {'Authorization': 'Bearer ' + ScriptApp.getIdentityToken()},
    muteHttpExceptions: true
  };
  // Call the IAP-protected App Engine app with that token
  var result = UrlFetchApp.fetch('https://APP-ENGINE-URL.appspot.com', options);
  Logger.log(result);
}

And the manifest file:

{
  "timeZone": "Europe/London",
  "dependencies": {
  },
  "exceptionLogging": "STACKDRIVER",
  "runtimeVersion": "V8",
  "oauthScopes": ["openid", "https://www.googleapis.com/auth/script.external_request"]
}

Any help on this is super appreciated! Never posted here before, but pretty desperate and couldn't find anyone with this exact problem on SO.

TheMaster
lblnd

1 Answer


Consideration

The problem with your solution is that you are using the identity of an auto-generated OAuth client for Apps Script. These clients are not suitable for this kind of authentication; here is a complete list of supported OAuth clients.

Solution

In order to complete your authentication you will need an extra step. You will have to create another OAuth client and build an identity token with its credentials.

To make things easier I would recommend using this Apps Script library: https://github.com/gsuitedevs/apps-script-oauth2

The initial set-up is covered in the linked documentation.

Important: When creating the OAuth client, take note of the Client ID and the Client secret. Plus, you will need to add an Authorized Redirect URI. This is standard when using the OAuth2 GAS library and it has this form: https://script.google.com/macros/d/{Your Apps Script ID}/usercallback

Now you have all the necessary information to build your identity token. In the GitHub repository there is a boilerplate sample that will cover the first coding steps with the OAuth2 GAS library.

Here is the link.

Copy this code to your Apps Script project and follow the instructions in the comments. You will need to add an extra OAuth scope: "https://www.googleapis.com/auth/userinfo.email".

Once you have set all the constants with your OAuth client's information, run the run() function from your Apps Script editor. This will log a URL you have to open in your browser to authorize your app. Once you have authorized the app, run the run() function again and you will successfully access your IAP-protected application.

References

OAuth2 GAS library

IAP programmatic authentication

Alessandro
  • Thanks so much for this, totally fixed my issue and it's working perfectly now! Think I was having such trouble because I don't understand the relationship between OpenID and OAuth2, so will do more research into that to avoid similar problems in future. Thanks again! – lblnd Jun 30 '20 at 16:33
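As an added example (not code from the question, the answer, or the apps-script-oauth2 project), this is how the steps in the answer fit together in one Apps Script file: the library service built on the OAuth client you created, the run()/callback pair, and a small claims inspector that compares the ID token's aud with your client ID before calling IAP, which is exactly the mismatch reported in the error message in the question. CLIENT_ID, CLIENT_SECRET, IAP_URL, getIapService, authCallback, base64UrlDecode, decodeJwtPayload and audienceMatches are names chosen here and their values are placeholders; the library methods (createService, setScope, setParam, hasAccess, getAuthorizationUrl, handleCallback, getIdToken) are the library's own. It assumes the library is added to the project under the identifier OAuth2 and that the manifest lists the openid, userinfo.email and script.external_request scopes.

```javascript
// Placeholder values: use the OAuth client created in the App Engine project
// (not the auto-generated Apps Script client) and your IAP-protected URL.
var CLIENT_ID = 'YOUR-CLIENT-ID.apps.googleusercontent.com';
var CLIENT_SECRET = 'YOUR-CLIENT-SECRET';
var IAP_URL = 'https://APP-ENGINE-URL.appspot.com';

// OAuth2 service (apps-script-oauth2 library, added under the identifier "OAuth2").
function getIapService() {
  return OAuth2.createService('iap')
    .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
    .setTokenUrl('https://oauth2.googleapis.com/token')
    .setClientId(CLIENT_ID)
    .setClientSecret(CLIENT_SECRET)
    .setCallbackFunction('authCallback')
    .setPropertyStore(PropertiesService.getUserProperties())
    // openid + email yields an id_token in the token response
    .setScope('openid https://www.googleapis.com/auth/userinfo.email')
    // Ask for a refresh token so later runs need no browser round trip
    .setParam('access_type', 'offline')
    .setParam('prompt', 'consent');
}

// Redirect target registered on the client:
// https://script.google.com/macros/d/{Your Apps Script ID}/usercallback
function authCallback(request) {
  var ok = getIapService().handleCallback(request);
  return HtmlService.createHtmlOutput(ok ? 'Authorized. You can close this tab.' : 'Denied.');
}

// First run logs an authorization URL; subsequent runs call IAP.
function run() {
  var service = getIapService();
  if (!service.hasAccess()) {
    Logger.log('Open this URL to authorize: %s', service.getAuthorizationUrl());
    return;
  }
  var idToken = service.getIdToken();
  // Fail early, in our own logs, on the mismatch IAP would otherwise report:
  // the token must have been minted for CLIENT_ID.
  if (!audienceMatches(idToken, CLIENT_ID)) {
    throw new Error('ID token aud is ' + decodeJwtPayload(idToken).aud +
                    ', expected ' + CLIENT_ID);
  }
  var response = UrlFetchApp.fetch(IAP_URL, {
    headers: {'Authorization': 'Bearer ' + idToken},
    muteHttpExceptions: true
  });
  Logger.log('%s %s', response.getResponseCode(), response.getContentText());
}

// ---- Pure helpers (no Apps Script services; run anywhere) ----
// These only read claims; they do NOT verify the signature. IAP does that.

// base64url -> byte string (JWT payloads are ASCII JSON, which is all we need).
function base64UrlDecode(s) {
  var alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
  var out = '', buffer = 0, bits = 0;
  for (var i = 0; i < s.length; i++) {
    var idx = alphabet.indexOf(s.charAt(i));
    if (idx < 0) continue;              // tolerate '=' padding or whitespace
    buffer = (buffer << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1;        // keep only the leftover bits
    }
  }
  return out;
}

// Returns the decoded payload object of a compact JWT (header.payload.signature).
function decodeJwtPayload(jwt) {
  var parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('Not a JWT (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True if the token's aud claim names expectedClientId (aud may be a string or array).
function audienceMatches(jwt, expectedClientId) {
  var aud = decodeJwtPayload(jwt).aud;
  if (Array.isArray(aud)) return aud.indexOf(expectedClientId) >= 0;
  return aud === expectedClientId;
}
```

The helpers at the bottom make the failure visible as two client IDs in your own log rather than an opaque 401 from IAP; they inspect claims only, so keep relying on IAP (which validates the signature and issuer) as the actual access control.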