Invalid IAP credentials: Unable to parse JWT from readme curl cmds
#92
Comments
|
@ravwojdyla thanks for reaching out. I don't think the App Engine app works if you have IAP enabled. You might be able to get your client-side requests through IAP, but the proxy agent has never been updated to support using OIDC tokens to authenticate instead of OAuth access tokens. That means that your requests won't make it all the way through to your backend server. I've sent out #94 to add a note about this to the README There isn't any sort of fundamental reason that we can't support IAP, but it hasn't been a priority because no one is using it with IAP. That's a bit of a circular argument (no one uses this with IAP because we don't support it, and we don't support IAP because no one uses it with IAP...), but it does mean that this isn't a priority for anyone currently working on the inverting proxy. That being said, a pull request to add support for OIDC tokens to the proxy agent would be welcome, as long as it's flag controlled (so that existing users can continue to rely on OAuth tokens). |
|
@ojarjur that explains it, thank you!
Do you foresee it would be something more than adding inverting-proxy/agent/agent.go Line 212 in 6416861 + flags for using IAP and Edit: that was definitely, not enough,
from Line 158 in 6416861 |
|
@ravwojdyla Yeah, it looks like the OIDC token auth and the OAuth user auth are incompatible because they both want to use the same "Authorization" header with different values. We'd need to change I have no idea how much work that would be as I've never done anything with OIDC |
Running readme curl (e.g. list backends) commands returns:
The issue seems to be the token returned by
gcloud auth print-access-token, when I retrieve a token using instructions from https://cloud.google.com/iap/docs/authentication-howto it works fine. Am I doing sth wrong or is the readme outdated?The text was updated successfully, but these errors were encountered: