I have 2 services on GKE where 1 (Service A) is configured with an HttpRoute, and the other is internal (Service B). Service A is configred with IAP. Service A is a webserver where a user might try and access a website but will be redirected to an oAuth screen (from IAP). When a user signs in, they are able to see the website fine but when they try and complete a privlidged action, I want to use IAM to possibly prevent them.
Currently if the user makes a request it hits Service A, where the request contains the "X-Goog-Iap-Jwt-Assertion" header. However, if i then make a request to Service B, this header is stripped and the request to Service B is unauthenticated.
Service B makes a request to firestore with the authenticated users context, which obviously fails.
How do I authenticate the user using IAP such that the authentication will persist when calling Service B?
I tried virtually everything the Google Cloud IAP docs had suggested.
For security reason, you can't reuse the token sent by the client and validated by IAP. That's why you have only assertion and email of the user.
If you want to reach the service B, you need to forge a new token to be able to call the service B. You can pass the user authentication (email) in an additional header or in the body of the request, but you can't sign the new token on behalf the user.