Accessing non-Google resources programmatically

This article shows you how to programmatically access a resource protected by Identity-Aware Proxy (IAP) using external identities.

There are several situations where you might want to do this:

  • Your frontend application leverages Identity Platform directly. Your backend API server is built using App Engine, and protected by IAP using external identities.

  • Your application is designed for use in a non-traditional browser environment, such as on Android, iOS, or the command-line, where using a browser redirect to authenticate users is infeasible.

Accessing resources

To access a resource programmatically, follow these steps:

  1. Retrieve the user's ID token.

    Node.js

    Ensure the user is signed in. The code below shows a simple example of signing in a user with an email and password:

    // If signing in using project-level email/password IdP.
    // auth.tenantId = null; // This is null by default.
    // For signing in to a specific tenant using email/password.
    auth.tenantId = 'myTenantId';
    auth.signInWithEmailAndPassword(email, password)
      .then((user) => {
        // User signed in. ID token can now be retrieved.
      })
      .catch((error) => {
        // Handler error.
      });
    

    You can then retrieve an ID token on the user object:

    user.getIdToken()
      .then((idToken) => {
        // idToken is now available and can be sent to API server.
      })
      .catch((error) => {
        // Handler error.
      });
    

    REST

    Calling signInWithPassword returns an ID token in the response:

    curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=API-KEY' \
    -H 'Content-Type: application/json' \
    --data-binary '{
      "email":"EMAIL",
      "password":"PASSWORD",
      "returnSecureToken":true,
      "tenantId":"TENANT-ID" # Only used in multi-tenancy
      }'
    
  2. Include the ID token in the authorization header when calling an endpoint protected by IAP.

    curl -H "Authorization: Bearer GCIP-ID-TOKEN" "https://example.appspot.com/api"