Managing Cloud IAP sessions

This page describes how Cloud Identity-Aware Proxy (Cloud IAP) handles a request with an expired session and how to make sure that AJAX application requests are successful.

Cloud IAP currently handles sessions as follows:

  • Cloud IAP sessions are valid for one hour.
    • Cloud IAP re-checks Cloud Identity and Access Management (Cloud IAM) authorization for new requests during valid sessions.
    • If an account is suspended while a valid session is open, it can take a few minutes to take effect.
  • Cloud IAP returns different responses for expired sessions based on the type of request:
    • AJAX requests: Cloud IAP returns an HTTP 401: Unauthorized response code. This is because of HTTPS Cross-Origin Resource Sharing (CORS) restrictions in the Google OAuth server. Note that AJAX request detection can't be done perfectly. If you're getting a 302 response instead of 401 to AJAX requests, an X-Requested-With header with a value of "XMLHttpRequest" can be added to AJAX requests. This tells Cloud IAP that the request originates from JavaScript.
    • Non-AJAX requests: the user is redirected to the Google OAuth flow to refresh the session. If the user is still signed in to Google, this redirect is transparent.

To make sure that AJAX application requests are successful, use the following special URLs to refresh the user session:

URL Function
/_gcp_iap/do_session_refresh Force re-authentication and redirect to /_gcp_iap/session_refresher.
/_gcp_iap/session_refresher Serves a page that refreshes to /_gcp_iap/do_session_refresh after 45 minutes.

Setting up AJAX session refresh

To set up AJAX session refresh to work with Cloud IAP, implement one of the following solutions:

  • Modify your application code to handle the HTTP 401 response. -or-
  • Add an iFrame in the application to point to the session refresher. -or-
  • Instruct your users to load the session refresher in a separate tab.

Handling the HTTP 401 response

The best way to handle the HTTP 401 response is for your app to handle it programmatically. To do this, you'll update your application code to handle the error, provide a refresh link, and close the window.

Step 1: Modify your application code

The following example shows how to modify your application code to handle the HTTP 401 response and provide a session refresh link to the user:

if (response.status === 401) {
  statusElm.innerHTML = 'Login stale. <input type="button" value="Refresh" onclick="sessionRefreshClicked();"/>';

Step 2: Install an onclick handler

The sample code below installs an onclick handler that closes the window after the session is refreshed:

var iapSessionRefreshWindow = null;

function sessionRefreshClicked() {
  if (iapSessionRefreshWindow == null) {
    iapSessionRefreshWindow ="/_gcp_iap/do_session_refresh");
    window.setTimeout(checkSessionRefresh, 500);
  return false;

function checkSessionRefresh() {
  if (iapSessionRefreshWindow != null && !iapSessionRefreshWindow.closed) {
    fetch('/favicon.ico').then(function(response) {
      if (response.status === 401) {
        window.setTimeout(checkSessionRefresh, 500);
      } else {
        iapSessionRefreshWindow = null;
  } else {
    iapSessionRefreshWindow = null;

Adding an iFrame

If you aren't handling the HTTP 401 response by updating your application code, the next best solution is to add an iFrame in your application that points to the session refresher. For example:

<iframe src="/_gcp_iap/session_refresher" style="width:0;height:0;border:0; border:none;"></iframe>

Loading the session refresher

If you aren't able to handle the HTTP 401 response by updating your application code or adding an iFrame, you'll need to instruct your users to load the session refresher. To do so, include an instruction in your app or its documentation for the user to keep a separate browser tab open to the following URL: https://YOUR_APP/_gcp_iap/session_refresher

Was this page helpful? Let us know how we did:

Send feedback about...

Identity-Aware Proxy Documentation