I have an AppEngine application that is behind an IAP (identity-aware proxy), so it receives requests that are authenticated and include a JWT token. From the AppEngine application I want to make a request to the Google Sheets API. That also requires an authenticated connection, but given that I want that connection to be made under the same user that accessed the application via the IAP, does anyone know how to create a request from inside the AppEngine application that will forward the token to Google Sheets? Cannot find any information on the subject... I am using Java, so any Java pointers would be appreciated, but general/other language help is good too
...
Forwarding OAuth 2 credentials from an authenticated request (in GCP specifically)
377 Views Asked by fedmest At
There are 1 best solutions below
I will describe the 2 approaches proposed in the comment
This second approach is the best one (don't forget to correctly log the user request and the subsequent Sheet API calls in your App Engine app to have end-to-end traceability). BUT, and this is why you ask this question, it's impossible with the App Engine default service account.
In fact, to access the Sheet API, you need to scope your access token with the Sheet API. Sadly, you can't do this with App Engine. You can do this with Cloud Run, Cloud Functions, Compute Engine (without the default service account; otherwise you need extra config to achieve this with the Compute Engine default service account). But not with App Engine.
So, you have 2 solutions:
Note: later in 2021, App Engine should be able to accept a custom service account, and thus the issue should be solved.