This page describes how to get a user's identity with Identity-Aware Proxy (IAP). Getting the user's identity enables your application to verify that a request came through IAP. To properly secure your app, you must always use one of the mechanisms below to get the IAP-authenticated user identity.
Getting the user's identity with signed headers
To make sure a request to your Compute Engine, GKE,
App Engine standard environment, or App Engine flexible
environment app was authorized by IAP, your app must
validate every request by checking the
x-goog-iap-jwt-assertion HTTP request
header. Learn about
securing your app with signed headers.
IAP also passes the user's identity to your backend service
in the following HTTP headers. These headers should have the namespace prefix
accounts.google.com. These headers are available for compatibility,
but you shouldn't rely on them as a security mechanism. If you use these
headers, you must compare them against the identity information from the
authenticated JWT header listed above.
|Header name||Description||Example value|
||The user's email address||
||A persistent, unique identifier for the user.||
Getting the user's identity with the App Engine standard environment Users API
Alternatively, if you have an App Engine standard environment app, the Users API can be used to get the user's identity in your app code. Note that the Users API doesn't support Python 3.
If your application already uses this API, you don't need to change anything. IAP provides the user's identity, but the value for each user's Users API user ID will change when IAP is turned on.
To get the IAP-verified user identity for a request, call
the Users API to return the current
user. If the function returns a user, such as
req.getUserPrincipal() != null
in Java, the user was authenticated by IAP.
When IAP is enabled, the first time a user accesses your app, they're redirected to a consent screen to confirm that they want to share their identity with your app. This occurs even if the user granted consent to this app before you enabled IAP, and will occur again if you disable IAP and then re-enable it.
If you're using the Users API, it normally suppresses the consent screen for apps and users that are within the same Google Workspace domain. When you enable IAP, the consent screen isn't automatically suppressed. To suppress the consent screen with IAP enabled, follow the steps below:
- Go to your Google Workspace Admin Console.
Go to the Admin console
- On the list of controls, select Security.
- If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
- If you can't see the controls, make sure you're signed in as an administrator for the domain.
- On the list of options, select Show more and then Advanced settings.
- In the Authentication section, select Manage API client access.
- In the Client Name field, enter the IAP OAuth
2.0 client ID. You can find the IAP client ID on the
Go to the IAP credentials page
- In the One or More API Scopes field, enter
- Click Authorize.
To simplify this process, you can use an API call to use a single IAP OAuth 2.0 client ID for all apps. You can't use the Cloud Console to specify the client ID to use with IAP.
- Learn more about Identity and Access Management.