Getting the user's identity

This page describes how to get a user's identity with Identity-Aware Proxy (IAP). Getting the user's identity enables your application to verify that a request came through IAP. To properly secure your app, you must always use one of the mechanisms below to get the IAP-authenticated user identity.

Getting the user's identity with signed headers

To make sure a request to your Compute Engine, GKE, Cloud Run, App Engine standard environment, or App Engine flexible environment app was authorized by IAP, your app must validate every request by checking the x-goog-iap-jwt-assertion HTTP request header. Learn about securing your app with signed headers.

IAP also passes the user's identity to your backend service in the following HTTP headers. These headers should have the namespace prefix accounts.google.com. These headers are available for compatibility, but you shouldn't rely on them as a security mechanism. If you use these headers, you must compare them against the identity information from the authenticated JWT header listed above.

| Header name | Description | Example value |
| --- | --- | --- |
| X-Goog-Authenticated-User-Email | The user's email address | accounts.google.com:example@gmail.com |
| X-Goog-Authenticated-User-Id | A persistent, unique identifier for the user. | accounts.google.com:userIDvalue |
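
One way to enforce the comparison described above, shown as an added example rather than code from this page or from Google: the identity is taken only from the verified x-goog-iap-jwt-assertion, and a compatibility header that disagrees with it causes the request to be rejected. It assumes the verified claims are named `email` and `sub` and that the google-auth package is installed for real verification; `iap_identity`, `IdentityError` and `fake_verifier` are hypothetical names, and `audience` is whatever audience value your backend expects.

```python
NAMESPACE = "accounts.google.com:"  # prefix the page gives for the compatibility headers


class IdentityError(Exception):
    """Reject the request: no verified identity, or headers disagree with it."""


def verify_iap_jwt(token, audience):
    """Verify the signed assertion with google-auth (third-party, imported lazily)."""
    from google.auth.transport import requests
    from google.oauth2 import id_token
    return id_token.verify_token(
        token, requests.Request(), audience=audience,
        certs_url="https://www.gstatic.com/iap/verify/public_key")


def fake_verifier(token, audience):
    """Hypothetical offline stand-in returning constructed claims (not a real token)."""
    return {"email": "example@gmail.com", "sub": "accounts.google.com:userIDvalue"}


def _bare(value):
    """Drop the namespace prefix so header and claim values compare like for like."""
    value = (value or "").strip()
    return value[len(NAMESPACE):] if value.startswith(NAMESPACE) else value


def iap_identity(headers, audience, verifier=verify_iap_jwt):
    """Return (email, user_id) taken from the verified JWT, never from plain headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = h.get("x-goog-iap-jwt-assertion")
    if not token:
        raise IdentityError("missing x-goog-iap-jwt-assertion")
    try:
        claims = verifier(token, audience)
    except Exception as exc:  # bad signature, wrong audience, expired token
        raise IdentityError(f"assertion rejected: {exc}") from exc
    email, user_id = _bare(claims.get("email")), _bare(claims.get("sub"))
    if not email or not user_id:
        raise IdentityError("verified assertion lacks email or sub")
    # Compatibility headers are optional, but if present they must match the JWT.
    checks = (("x-goog-authenticated-user-email", email, str.lower),
              ("x-goog-authenticated-user-id", user_id, str))
    for name, trusted, fold in checks:
        if name in h and fold(_bare(h[name])) != fold(trusted):
            raise IdentityError(f"{name} does not match the verified assertion")
    return email, user_id
```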

Getting the user's identity with the App Engine standard environment Users API

Alternatively, if you have an App Engine standard environment app, the Users API can be used to get the user's identity in your app code.

If your application already uses this API, you don't need to change anything. IAP provides the user's identity, but the value for each user's Users API user ID will change when IAP is turned on.

To get the IAP-verified user identity for a request, call the Users API to return the current user. If the function returns a user, such as req.getUserPrincipal() != null in Java, the user was authenticated by IAP.

When IAP is enabled, the first time a user accesses your app, they're redirected to a consent screen to confirm that they want to share their identity with your app. This occurs even if the user granted consent to this app before you enabled IAP, and will occur again if you disable IAP and then re-enable it.

If you're using the Users API, it normally suppresses the consent screen for apps and users that are within the same Google Workspace domain. When you enable IAP, the consent screen isn't automatically suppressed. To suppress the consent screen with IAP enabled, follow the steps below:

  1. Go to your Google Admin console.
  2. On the list of controls, select Security.
    1. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    2. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  3. On the list of options, select Show more and then Advanced settings.
  4. In the Authentication section, select Manage API client access.
  5. In the Client Name field, enter the IAP OAuth 2.0 client ID. You can find the IAP client ID on the Credentials page.
  6. In the One or More API Scopes field, enter email, openid.
  7. Click Authorize.

To simplify this process, you can use an API call to use a single IAP OAuth 2.0 client ID for all apps. You can't use the Google Cloud console to specify the client ID to use with IAP.
