Search code examples
firebasegoogle-app-enginegoogle-cloud-platformidentity-aware-proxy

Google Cloud IAP: How to access App Engine API (protected by IAP) from a web application hosted on a separate Firebase project?

This is my setup

Multiple Python APIs hosted on App Engine Angular client application hosted on Firebase. Users accessing the web application are authenticated by Firebase Auth.

When trying to send requests to the APIs hosted on App Engine from the application, an error is encountered.

401 Unauthorized: Invalid IAP credentials: empty token

Tried following multiple online articles but there were a few problems I discovered.

  1. The Firebase web application and the App Engine APIs are on separate Google Cloud projects
  2. Majority solutions have the web application itself deployed on App engine and hence the OAuth process for authenticating end users is pretty straightforward. My project uses Firebase authentication to allow users to access my Firebase hosted webapp. Completely disconnected from IAP.

Is there any way I can use a service account to programmatically authenticate my Firebase web app as a secure IAP user and access the APIs?

Solution

  • Haven't tried this...

    1. You can programmatically make calls to an IAP secured endpoint using an OIDC token. See documentation

    2. So maybe your flow should be -

      a) Users login to your Firebase App (follow whatever authentication method you like).

      b) Then you programmatically make calls to the IAP app (following the link above) on behalf of the users