Authenticating Against an IAP Protected Resource with Bearer Header?

梦想与她 提交于 2020-02-29 10:09:37

问题


Is it possible to use an Authorization: Bearer … header to make a request through Identity Aware Proxy to my protected application? (Using a service account, of course. From outside GCP.)

I would like to not perform the OIDC token exchange, is this supported?

If so, does anyone have any examples?

So far, I have the following but it doesn't work:

iat = time.time()
exp = iat + 3600
payload = {'iss': account['client_email'],
           'sub': account['client_email'],
           'aud': '/projects/NNNNN/apps/XXXXXXX',
           'iat': iat,
           'exp': exp}
additional_headers = {'kid': account['private_key']}
signed_jwt = jwt.encode(payload, account['private_key'], headers=additional_headers,
                       algorithm='RS256')

signed_jwt = signed_jwt.decode('utf-8')

This produces: Invalid IAP credentials: JWT signature is invalid.


回答1:


this is not currently supported. IAP is expecting a signature generated by the Google accounts infrastructure using its private key, so that's why the signature check is failing. Could you tell me more about why you'd like to avoid the OIDC token exchange? --Matthew, Google IAP Engineering



来源:https://stackoverflow.com/questions/59975694/authenticating-against-an-iap-protected-resource-with-bearer-header

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!