Authenticate users with external identities
This quickstart shows you how to secure an app using Identity-Aware Proxy (IAP) and external identities. By combining IAP and Identity Platform, you can authenticate users with a wide range of identity providers, including any that speak OAuth, SAML, or OIDC, in addition to Google Accounts.
In this quickstart, you'll secure a sample App Engine app using Facebook authentication.
Before you begin
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Google Cloud project.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
Initialize App Engine for your project:
gcloud app create --project=project-id
Install a current version of Node.js.
Install the Firebase command-line tool:
npm install -g firebase-tools
Enable the APIs
First, enable Identity Platform:
Go to the Identity Platform Marketplace page in the Google Cloud console.
Click Enable Identity Platform. The Identity Platform page appears in the Google Cloud console.
Then, enable IAP:
Go to the IAP page in the Google Cloud console.
Select the same project you used for Identity Platform. Using different projects is not supported.
Click Enable API.
Download and deploy the sample code
The code for this quickstart has two components: a client app and an authentication app.
The client app is protected by IAP. When an unauthenticated user requests the client app, IAP redirects the user to the authentication app, which verifies the user's identity through Identity Platform. If the user signs in successfully, the user is sent back to the client app with a JSON Web Token (JWT). For demonstration purposes, the client app displays the JWT.
First, download the code, and deploy the client app:
Download the sample code:
git clone https://github.com/GoogleCloudPlatform/iap-gcip-web-toolkit.git
Change to the client app directory:
cd iap-gcip-web-toolkit/sample/app
Install dependencies:
npm install
Deploy the client app to App Engine:
npm run deploy
The client app launches at the URL:
https://project-id.appspot.com
Next, deploy the authentication app:
Change to the directory for the authentication app:
cd ../authui-firebaseui
Install dependencies:
npm install
Point the Firebase CLI at the Google Cloud project that contains the IAP-protected client app. The authentication app is served from Firebase Hosting in that same project:
firebase use project-id
Deploy the app:
npm run deploy
The authentication app launches at the URL:
https://project-id.firebaseapp.com
You've deployed the client and authentication apps! The next step is to configure Identity Platform and IAP.
Set up Identity Platform
IAP uses Identity Platform to authenticate external identities. This quickstart uses Facebook as an example, but Identity Platform supports a wide range of identity providers.
Create a Facebook app
To authenticate users with Facebook, you need an App ID and App Secret.
Log in to Facebook for Developers. If you don't already have a Facebook account, you'll need to create one.
Go to Facebook's Apps page.
Click Add a New App.
In the left menu, select Settings > Basic.
In the Privacy Policy URL box, enter any valid URL. If you deploy the app to production later, you can update the URL to point to your privacy policy.
Take note of your App ID and App Secret. You'll need these in the next section.
Add Facebook as an identity provider
Configure Identity Platform to use Facebook for authentication:
Go to the Identity Providers page in the Google Cloud console.
Click Add a Provider.
Select Facebook from the list of providers.
Enter the App ID and App Secret you obtained in the previous section.
Click Save.
Configure the OAuth redirect URI
When Facebook finishes processing a request from the authentication app, it needs a URI to redirect to.
Return to Facebook's Apps page and select your app.
In the left menu, click Products.
Locate the Facebook Login product, and click Set Up.
In the left navigation menu, select Settings (you don't need to complete the guided quickstart flow).
In the Valid OAuth Redirect URIs box, enter the redirect URI:
https://project-id.firebaseapp.com/__/auth/handler
You can also find this URI in the Identity Platform provider configuration page.
Click Save Changes.
You're finished setting up Identity Platform! Now you can configure IAP to use it for authentication.
Enable IAP to use external identities
Go to the IAP page in the Google Cloud console.
Click the APPLICATIONS tab.
Select the sample App Engine app you deployed earlier. The URL in the Published category should look similar to:
https://project-id.appspot.com
In the IAP column, toggle the switch to On.
In the side panel, click Start for Use external identities for authorization.
Under Sign-in page, select I'll provide my own.
In the Authentication URL field, enter the URL of the authentication app. It should look something like:
https://project-id.firebaseapp.com/
After you enter the URL, the Google Cloud console automatically appends your API key.
Check the box with your project name. It should have Facebook listed as an identity provider.
Click Save.
You've finished setting up IAP.
Test user authentication
To test that IAP is protecting your app and authenticating users with Facebook:
Go to the client App Engine app in your browser:
https://project-id.appspot.com
After a brief loading screen, you are redirected to the sign-in page served by the authentication app.
Follow the on-screen prompts to authenticate with Facebook.
You should be redirected back to the client app, which displays the JWT returned by Identity Platform.
To sign out completely, you must sign out of both the sample app and Facebook, because Firebase establishes a session with Facebook that remains valid for one hour. For more information, see Manage User Sessions.
Congratulations! You successfully deployed an app to App Engine and protected it with IAP and external identities.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Additionally, you may wish to delete the Facebook app you created.
What's next
- Customize your authentication UI with FirebaseUI, or build a custom UI from scratch.
- Learn more about configuring identity providers with Identity Platform.
- Learn how to create unique silos of users and configurations with Identity Platform multi-tenancy.