I have a client-side app (written in Angular, but that's not very important) where I use the google-api-javascript-client library to authenticate users, in the way described here - https://developers.google.com/sheets/api/quickstart/js:
    gapi.load('client:auth2', () => {
      gapi.client.init({
        clientId: CLIENT_ID,
        scope: SCOPES,
        discoveryDocs: DISCOVERY_DOCS
      }).then(() => {
        gapi.auth2.getAuthInstance().isSignedIn.listen(this.onSigninStatusChanged.bind(this));
        const isSignedIn = gapi.auth2.getAuthInstance().isSignedIn.get();
        if (!isSignedIn) {
          gapi.auth2.getAuthInstance().signIn({prompt: 'select_account'});
        }
      });
    });
Now I want to access a backend in AppEngine behind Identity-Aware Proxy (IAP).
I tried naively to pass a token from GoogleUser via http request's authorization header, but it doesn't seem to work (getting 401):
    let token = gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().id_token;
    this.http.get<Config>('https://myservice-dot-myproject.ew.r.appspot.com/api/get',
      {
        headers: { 'Authorization': 'Bearer ' + token }
      });
I guess I somehow need to use the OAuth Client ID from IAP.
I found a sample on how to do it with the nodejs auth client,
but I can't find a way to do it with the client-side google-api-javascript-client lib.
UPDATE:
I found a nice online resource to verify the token that I got from GoogleUser.getAuthResponse().id_token - https://oauth2.googleapis.com/tokeninfo?id_token=token (source). It displays the following:
    {
      "iss": "accounts.google.com",
      "azp": "my OAuth Client ID that I used in gapi (CLIENT_ID)",
      "aud": "OAuth Client ID that I used in gapi (CLIENT_ID)",
      "sub": "user id (number)",
      "hd": "Google user GSuite domain",
      "email": "Google user email",
      "email_verified": "true",
      "at_hash": "some hash",
      "name": "Google user name",
      "picture": "an url",
      "given_name": "Google user firstname",
      "family_name": "Google user lastname",
      "locale": "en",
      "iat": "1615972232",
      "exp": "1615975832",
      "jti": "87129b6c0f684b0bc7beac9df5e522e6272c13f1",
      "alg": "RS256",
      "kid": "6a8ba5652a7044121d4fedac8f14d14c54e4895b",
      "typ": "JWT"
    }
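The check that the tokeninfo output above points at, as an added example that is not part of the original post: it decodes an ID token's payload locally and compares `aud` and `exp` with what the backend expects. It assumes IAP requires `aud` to be its own OAuth client ID; both client ID values, the sample token and the function names are constructed for illustration.

```javascript
// Added example: decodes claims only; it does NOT verify the signature (the server does that).
const GAPI_CLIENT_ID = 'gapi-client-id.apps.googleusercontent.com'; // constructed placeholder
const IAP_CLIENT_ID = 'iap-client-id.apps.googleusercontent.com';   // constructed placeholder

// Decode one base64url-encoded JWT segment into an object (browser and Node 16+).
function decodeSegment(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 = b64.padEnd(b64.length + (4 - (b64.length % 4)) % 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Report why a backend that expects `expectedAudience` would reject this token.
function checkIdToken(idToken, expectedAudience, nowSeconds) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return { ok: false, problems: ['not a three-part JWT'] };
  let claims;
  try {
    claims = decodeSegment(parts[1]);
    if (claims === null || typeof claims !== 'object') throw new Error('not an object');
  } catch (e) {
    return { ok: false, problems: ['payload is not a base64url-encoded JSON object'] };
  }
  const problems = [];
  if (claims.aud !== expectedAudience) {
    problems.push(`aud is ${claims.aud}, backend expects ${expectedAudience}`);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    problems.push('token is expired or has no numeric exp');
  }
  return { ok: problems.length === 0, problems, claims };
}

// Build an unsigned, constructed token so the check can be exercised offline.
function makeSampleToken(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const now = 1615972300; // constructed "current time" between the iat and exp shown in the post
const fromGapi = makeSampleToken({ iss: 'accounts.google.com', aud: GAPI_CLIENT_ID,
  iat: 1615972232, exp: 1615975832 });
console.log(checkIdToken(fromGapi, IAP_CLIENT_ID, now).problems);
```

In the browser the first argument would be the `id_token` string from `getAuthResponse()` and the third `Math.floor(Date.now() / 1000)`.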