Getting the user's identity

This page describes how to get a user's identity with Cloud Identity-Aware Proxy (Cloud IAP). Getting the user's identity enables your application to verify that a request came through Cloud IAP. To properly secure your app, you must always use one of the mechanisms below to get the Cloud IAP-authenticated user identity.

Getting the user's identity in App Engine standard environment

To get the user's identity in your app code, use the App Engine standard environment Users API. If your application already uses this API, you don't need to change anything. Cloud IAP provides the user's identity and existing user IDs don't change.

To get the Cloud IAP-verified user identity for a request, call the Users API function that returns the current user. If the function returns a user (for example, req.getUserPrincipal() != null in Java), the user was authenticated by Cloud IAP; if it returns no user, treat the request as unauthenticated.

Getting the user's identity in Compute Engine, Kubernetes Engine, and App Engine flexible environment

To make sure a request to Compute Engine, Kubernetes Engine, or App Engine flexible environment was authorized by Cloud IAP, your application must validate every request by checking the HTTP request header x-goog-iap-jwt-assertion. A request that lacks this header, or that carries a JWT whose signature or claims don't verify, did not come through Cloud IAP and must be rejected. For the verification steps, see Securing your app with signed headers.

Cloud IAP also passes the user's identity to your backend service in the following HTTP headers. Each value carries the namespace prefix accounts.google.com:. These headers are provided for compatibility only; don't rely on them as a security mechanism, because any client that can reach your backend without going through Cloud IAP can set them. If you use these headers, compare their values against the identity in the verified JWT from the x-goog-iap-jwt-assertion header, and reject the request if they disagree.

Header name                      Description                                   Example value
X-Goog-Authenticated-User-Email  The user's email address                      accounts.google.com:example@gmail.com
X-Goog-Authenticated-User-ID     A persistent, unique identifier for the user  accounts.google.com:userIDvalue
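The check described above, as an added example; it is not code from this page or from Google's own libraries. It assumes a plain dict of request headers and a constructed expected audience, and the function names make_demo_token, verify_iap_jwt and authenticated_user are illustrative. The HS256 (HMAC) key is a constructed stand-in so the example runs offline: real Cloud IAP assertions are ES256-signed and must be verified against the public key, selected by the token's kid, that Google publishes at https://www.gstatic.com/iap/verify/public_key. The issuer, claim names and audience format are those Cloud IAP uses; the claim checks are the same whichever signature algorithm is in play.

```python
import base64
import hashlib
import hmac
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"
HEADER_PREFIX = "accounts.google.com:"
# Constructed: the audience this backend accepts. Real values look like
# /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID (Compute Engine, GKE)
# or /projects/PROJECT_NUMBER/apps/PROJECT_ID (App Engine flexible).
EXPECTED_AUDIENCE = "/projects/123456789/global/backendServices/987654321"

# Constructed stand-in key so the example runs offline. Real IAP assertions are
# ES256-signed; verify them with Google's published public key for the kid.
DEMO_ALG = "HS256"
DEMO_KID = "demo-kid"
DEMO_KEYS = {DEMO_KID: b"constructed-demo-secret-not-an-iap-key"}


class IapAuthError(Exception):
    """Raised when a request cannot be attributed to an IAP-authenticated user."""


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(claims, kid=DEMO_KID, keys=DEMO_KEYS):
    """Mint a token in the shape the stand-in verifier expects (local testing only)."""
    header = _b64url_encode(json.dumps({"alg": DEMO_ALG, "typ": "JWT", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(keys[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_iap_jwt(token, expected_audience, keys=DEMO_KEYS, now=None, leeway=30):
    """Check signature, issuer, audience and validity window; return the claims."""
    try:
        header_seg, body_seg, sig_seg = token.split(".")
        header = json.loads(_b64url_decode(header_seg))
        claims = json.loads(_b64url_decode(body_seg))
        signature = _b64url_decode(sig_seg)
    except (ValueError, TypeError) as exc:
        raise IapAuthError("malformed JWT") from exc
    # Pin the algorithm: the token must never get to choose how it is verified.
    if header.get("alg") != DEMO_ALG:
        raise IapAuthError(f"unexpected alg {header.get('alg')!r}")
    key = keys.get(header.get("kid"))
    if key is None:
        raise IapAuthError("unknown kid")
    expected_sig = hmac.new(key, f"{header_seg}.{body_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise IapAuthError("bad signature")
    if claims.get("iss") != IAP_ISSUER:
        raise IapAuthError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise IapAuthError("wrong audience")  # a valid token minted for another backend
    now = time.time() if now is None else now
    if not (claims.get("iat", 0) - leeway <= now < claims.get("exp", 0) + leeway):
        raise IapAuthError("token expired or not yet valid")
    if "email" not in claims or "sub" not in claims:
        raise IapAuthError("identity claims missing")
    return claims


def _strip_prefix(value):
    return value[len(HEADER_PREFIX):] if value.startswith(HEADER_PREFIX) else value


def authenticated_user(headers, expected_audience=EXPECTED_AUDIENCE, keys=DEMO_KEYS, now=None):
    """Return (email, user_id) for the request, or raise IapAuthError.

    The JWT is the only source of truth. The X-Goog-Authenticated-User-* headers
    are accepted only when they agree with it; a disagreement means the request
    reached the backend by some path other than Cloud IAP."""
    h = {k.lower(): v for k, v in headers.items()}
    token = h.get("x-goog-iap-jwt-assertion")
    if not token:
        raise IapAuthError("no x-goog-iap-jwt-assertion header: request did not come through IAP")
    claims = verify_iap_jwt(token, expected_audience, keys=keys, now=now)
    email, user_id = claims["email"], _strip_prefix(claims["sub"])
    for name, expected in (("x-goog-authenticated-user-email", email),
                           ("x-goog-authenticated-user-id", user_id)):
        if name in h and _strip_prefix(h[name]) != expected:
            raise IapAuthError(f"{name} disagrees with the verified JWT")
    return email, user_id


if __name__ == "__main__":
    # Constructed request: a good token plus matching compatibility headers.
    t = int(time.time())
    tok = make_demo_token({"iss": IAP_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": t, "exp": t + 600,
                           "email": "example@gmail.com", "sub": "accounts.google.com:1234567890"})
    print(authenticated_user({"X-Goog-IAP-JWT-Assertion": tok,
                              "X-Goog-Authenticated-User-Email": "accounts.google.com:example@gmail.com"}))
```

The audience check matters as much as the signature: a token Cloud IAP minted for a different backend service is correctly signed but must not be accepted here. Pass a fixed now value when testing so expiry behaviour is deterministic.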

When Cloud IAP is enabled, the first time a user accesses your app, they're redirected to a consent screen to confirm that they want to share their identity with your app. This occurs even if the user granted consent to this app before you enabled Cloud IAP, and will occur again if you disable Cloud IAP and then re-enable it.

If you're using the Users API, it normally suppresses the consent screen for apps and users that are within the same G Suite domain. When you enable Cloud IAP, the consent screen isn't automatically suppressed. To suppress the consent screen with Cloud IAP enabled, follow the steps below:

  1. Go to your G Suite Admin console.
  2. On the list of controls, select Security.
    1. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    2. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  3. On the list of options, select Show more and then Advanced settings.
  4. In the Authentication section, select Manage API client access.
  5. In the Client Name field, enter the Cloud IAP OAuth 2.0 client ID. You can find the Cloud IAP client ID on the Credentials page of the Cloud Platform Console.
  6. In the One or More API Scopes field, enter email, openid.
  7. Click Authorize.

To simplify this process, you can make an API call that configures a single Cloud IAP OAuth 2.0 client ID for all of your apps, so that the authorization above needs to be done only once. You can't use the Cloud Platform Console to specify the client ID to use with Cloud IAP.
