This article shows you how to programmatically access a resource protected by Identity-Aware Proxy (IAP) using external identities.
There are several situations where you might want to do this:
Your frontend application leverages Identity Platform directly. Your backend API server is built using App Engine, and protected by IAP using external identities.
Your application is designed for use in a non-traditional browser environment, such as on Android, iOS, or the command-line, where using a browser redirect to authenticate users is infeasible.
Accessing resources
To access a resource programmatically using a service account JWT, see Authenticating with a service account JWT.
To access a resource programmatically using an ID token, follow these steps:
Retrieve the user's ID token.
Node.js
Ensure the user is signed in. The code below shows a simple example of signing in a user with an email and password:
// If signing in using project-level email/password IdP. // auth.tenantId = null; // This is null by default. // For signing in to a specific tenant using email/password. auth.tenantId = 'myTenantId'; auth.signInWithEmailAndPassword(email, password) .then((user) => { // User signed in. ID token can now be retrieved. }) .catch((error) => { // Handler error. });You can then retrieve an ID token on the
userobject:user.getIdToken() .then((idToken) => { // idToken is now available and can be sent to API server. }) .catch((error) => { // Handler error. });REST
Calling
signInWithPasswordreturns an ID token in the response:curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=API-KEY' \ -H 'Content-Type: application/json' \ --data-binary '{ "email":"EMAIL", "password":"PASSWORD", "returnSecureToken":true, "tenantId":"TENANT-ID" # Only used in multi-tenancy }'Include the ID token in the authorization header when calling an endpoint protected by IAP.
curl -H "Authorization: Bearer GCIP-ID-TOKEN" "https://example.appspot.com/api"