Using service accounts with external identities

This article shows you how to authenticate using service accounts when you're using Identity-Aware Proxy (IAP) with external identities.

Obtaining your client ID and secret

  1. Go to the IAP page in the Cloud Console.

    Go to the IAP page

  2. Click the HTTP Resources tab.

  3. Locate the app to configure to use service accounts.

  4. Select Show client ID from the overflow menu.

A page displaying the client ID and secret for your app appears. You'll need these to configure Identity Platform in the next section.

Configuring Google as an identity provider

If your Identity Platform project isn't already using Google for authentication, create a new configuration using your client ID and secret:

  1. Go to the Identity Platform Providers page in the Cloud Console.
    Go to the Identity Providers page

  2. If you are using Identity Platform multi-tenancy, select the tenant associated with your IAP resource.

  3. Click Add provider.

  4. Select Google from the list of providers.

  5. Under Web SDK configuration, enter the client ID and secret you obtained in the previous section.

  6. Click Save.

If you're already using Google authentication, you can whitelist your client ID instead. This won't disrupt your existing users.

  1. Go to the Identity Platform Providers page in the Cloud Console.
    Go to the Identity Providers page

  2. If you are using Identity Platform multi-tenancy, select the tenant associated with your IAP resource.

  3. Locate Google in the list of providers, and click Edit.

  4. Under Whitelisted client IDs, click Add.

  5. Enter the client ID you obtained in the previous section.

  6. Click Save.

Exchanging a Google token for an Identity Platform token

When you first authenticate with Google, Identity Platform will return a Google ID token. You can then exchange it for an Identity Platform token by calling signInWithIdp:

Node.js

import * as firebase from 'firebase/app';
import 'firebase/auth';

const config = {
  apiKey: '...',
};
firebase.initializeApp(config);
const cred = firebase.auth.GoogleAuthProvider.credential(google_oidc_id_token);
firebase.auth().signInWithCredential(cred)
  .then((userCredential) => {
    return userCredential.user.getIdToken();
  })
  .then((gcipIdToken) => {
    // This token can now be used to access the resource.
  })
  .catch((error) => {
    // Error occurred.
  });

Python

SIGN_IN_WITH_IDP_API = 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp'

def exchange_google_id_token_for_gcip_id_token(api_key, tenant_id, google_open_id_connect_token):
  url = SIGN_IN_WITH_IDP_API + '?key=' + api_key
  data={'requestUri': 'http://localhost',
        'returnSecureToken': True,
        'postBody':'id_token=' + google_open_id_connect_token + '&providerId=google.com',
        'tenantId': tenant_id}
  resp = requests.post(url, data)
  res = resp.json()
  return res['idToken']

REST

Request:

POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=API-KEY

Body:

{
"postBody":"id_token=GOOGLE-ID-TOKEN&providerId=google.com"
"requestUri": "http://localhost",
"returnIdpCredential": true,
"returnSecureToken": true,
"tenantId": "TENANT-ID"
}

Include the Identity Platform ID token in your authorization header to access resources by IAP:

curl -H "Authorization: Bearer GCIP-ID-TOKEN" "https://example.appspot.com/api"

Note that external identities do not support IAM, so you'll need to manually update your app's access control to grant access to your service account. See JWTs for external identities to learn more.