Is it possible to get user group membership from Google Cloud Identity Aware Proxy generated token

I would like to add user group membership information to the JWT token generated by Identity Aware Proxy. We could handle this by calling the Directory API from our applications after getting the user identifier by decoding the JWT token, but we need to configure a Service Account with GSuite Domain Delegation and then manually configure GSuite Security to allow this account to call the Directory API. I don't want to perform all these steps for all my applications, and ideally, I would like to avoid implementing an Authorization Server when IAP looks to have access...

Google Identity Aware Proxy: Authenticate with API on SPA

I'm curious what the "best practice" is for authenticating against a RESTful API that is protected by Google IAP. Allow me to break it down step by step to elucidate what I am trying to achieve: Go to my dev environment's URL: dev.blah.com. Here, I am prompted by IAP to log in. I log in. I now have access to my SPA. I am browsing my SPA. But! I'm unable to talk to my API, because it is ALSO protected by IAP. I've read that I can do programmatic authentication in the documentation but I'm unsure if my particular use case is suited for programmatic a...

Fine grained security with Google Cloud Identity Aware Proxy

The context is wanting to use Google IAP to secure access for a set of business and individual customers. There is a single central service running in Google Cloud which supports multiple customers and hence multiple non-overlapping security zones. It is not economic to dedicate a service per security zone. Per //cloud.google.com/iap/docs/signed-headers-howto the user information available is their email and a long-term Google user id. However, there may be multiple authorized users (employees) for a given business security zone. Is there a s...

Browser blocks API requests on SPA protected by Google IAP

I have a problem that started recently in a web application protected by Google Identity Aware Proxy. Here's my setup: An API GKE pod, served by a backend service, protected by IAP. An SPA GKE pod, served by a backend service, protected by IAP. The two backend services are configured to use the same OAuth client ID. The API and the SPA are serving off the same domain: the SPA is serving off example.domain.com and the API is serving off example.domain.com/api. The SPA calls the API from JavaScript (using axios) inside the web browser. A very similar ...