This page describes how to get a user's identity with Cloud Identity-Aware Proxy (Cloud IAP). Getting the user's identity enables your application to verify that a request came through Cloud IAP. To properly secure your app, you must always use one of the mechanisms below to get the Cloud IAP-authenticated user identity.
Getting the user's identity in App Engine standard environment
To make sure that all requests have an authenticated identity, modify your app config as described below.
For Java apps, add the following to
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
```
To get the user's identity in your app code, use the App Engine standard environment Users API. If your application already uses this API, you don't need to change anything. Cloud IAP provides the user's identity and existing user IDs don't change.
To get the Cloud IAP-verified user identity for a request, call the Users API function that returns the current user. If the function returns a user (for example, req.getUserPrincipal() != null in Java), the user was authenticated by Cloud IAP.
Getting the user's identity in Compute Engine, Container Engine, and App Engine flexible environment
To make sure a request was authorized by Cloud IAP, your application must validate every request by checking the signed JWT header:

- A secure, signed header that contains user information in its ID token payload. Learn about Securing Your App with Signed Headers.
Cloud IAP also passes the user's identity to your backend service in the following HTTP headers. These headers should have the namespace prefix accounts.google.com. These headers are available for compatibility, but you shouldn't rely on them as a security mechanism. If you use these headers, you must compare them against the identity information from the authenticated JWT header listed above.

| Header name | Description | Example value |
|---|---|---|
| | The user's email address | |
| | A persistent, unique identifier for the user. | |
When Cloud IAP is enabled, the first time a user accesses your app, they're redirected to a consent screen to confirm that they want to share their identity with your app. This occurs even if the user granted consent to this app before you enabled Cloud IAP, and will occur again if you disable Cloud IAP and then re-enable it.
If you're using the Users API, it normally suppresses the consent screen for apps and users that are within the same G Suite domain. When you enable Cloud IAP, the consent screen isn't automatically suppressed. To suppress the consent screen with Cloud IAP enabled, follow the steps below:
- Go to your G Suite Admin console.
- On the list of controls, select Security.
  - If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
  - If you can't see the controls, make sure you're signed in as an administrator for the domain.
- On the list of options, select Show more and then Advanced settings.
- In the Authentication section, select Manage API client access.
- In the Client Name field, enter the Cloud IAP OAuth 2.0 client ID. You can find the Cloud IAP client ID on the Credentials page (Go to the Cloud IAP credentials page).
- In the One or More API Scopes field, enter
- Click Authorize.
To simplify this process, you can make an API call that sets a single Cloud IAP OAuth 2.0 client ID for all apps. It's not possible to use the Cloud Platform Console to specify the client ID to use with Cloud IAP.