使用可识别云身份的代理替换用于网站的Google登录 [英] Replacing Google Sign-In for Websites with Cloud Identity-Aware Proxy
问题描述
对于Metabase支持IAP,有一个开放的功能请求.我对此进行了尝试,并对保护安全中的步骤进行了Clojure实现您的带有签名标头的应用程序(例如,验证令牌标头,验证令牌有效载荷,检索用户身份).
There's an open feature request for Metabase to support IAP. I took a stab at it, and have a Clojure implementation of the steps detailed in Securing your app with signed headers (i.e. verify token header, verify token payload, retrieve user identity).
但是这个问题不一定特定于Metabase.通常的想法是替换Google登录,并且仅使用IAP签名的标头在Google App Engine(特别是GAE flex环境)上的应用程序中进行身份验证和用户创建.
But this question isn't necessarily specific to Metabase. The general idea is to replace Google Sign-In and only use only IAP signed headers for authentication and user creation in an application on Google App Engine (specifically, GAE flex environment).
问题"是来自IAP令牌的用户身份信息看起来像:{"email":"alice@example.com","sub":"accounts.google.com:118133858486581853996"}.我还遇到了使用特殊URL ,但是返回的内容如下: {"email":"accounts.google.com:USER_EMAIL","sub":"accounts.google.com:118133858486581853996"}.
The "problem" is that the user identity information from the IAP token looks like: {"email":"alice@example.com","sub":"accounts.google.com:118133858486581853996"}. I also came across Using special URLs, but this returns something like: {"email":"accounts.google.com:USER_EMAIL","sub":"accounts.google.com:118133858486581853996"}.
使用Google登录令牌,可以获取given_name和family_name以及email的值,这意味着我可以获取或创建有效的Metabase用户.是否可以通过JWT sub(即accounts.google.com:118133858486581853996)获取名字和姓氏?
With a Google Sign-In token, I can obtain values for given_name and family_name along with email, which means I can fetch-or-create a valid Metabase user. Is there a way to get the first and last name via the JWT sub, (i.e. accounts.google.com:118133858486581853996)?
推荐答案
嗯,如果他们有公开个人资料,则可以将"accounts.google.com:"之后的数字传递给 https://developers.google.com/+/web/api/rest/latest/people/get .不幸的是,您将无法以该用户身份通过该API进行身份验证,因为IAP当前尚不提供一种调用方法,可以让用户委派访问权限来调用Google API. (您必须使用服务帐户来调用该API.)
Hm, if they have a public profile you can pass the number after "accounts.google.com:" to https://developers.google.com/+/web/api/rest/latest/people/get . Unfortunately, you won't be able to authenticate to that API as the user, since IAP doesn't currently provide a way to call let users delegate access to call Google APIs. (You'll have to use a service account to call that API.)
另一种解决方案是,如果IAP提供了一种方法:a)在向Google的OAuth请求中指定其他范围,然后b)将OIDC令牌的其他声明传递给IAP JWT,您将能够配置IAP以请求配置文件"范围.但是,IAP当前仅请求电子邮件"和"openid"范围,并且没有用于指定其他范围的机制.
The other solution would be, if IAP provided a way to a) specify additional scopes in its OAuth request to Google, and if it then b) passed additional claims from the OIDC token into the IAP JWT, you'd be able to configure IAP to request the "profile" scope. However, IAP currently only requests the "email" and "openid" scopes, and doesn't have a mechanism for specifying additional scopes.
-Matthew,Google Cloud IAP工程
-- Matthew, Google Cloud IAP engineering
这篇关于使用可识别云身份的代理替换用于网站的Google登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
