使用承载头针对IAP保护的资源进行身份验证吗? [英] Authenticating Against an IAP Protected Resource with Bearer Header?

问题描述

是否可以使用Authorization: Bearer …标头通过身份识别代理向受保护的应用程序发出请求? (当然，使用服务帐户.从GCP外部.)

Is it possible to use an Authorization: Bearer … header to make a request through Identity Aware Proxy to my protected application? (Using a service account, of course. From outside GCP.)

我想不执行OIDC令牌交换，是否受此支持?

I would like to not perform the OIDC token exchange, is this supported?

如果是这样，有人有任何例子吗?

If so, does anyone have any examples?

到目前为止，我有以下内容，但不起作用:

So far, I have the following but it doesn't work:

iat = time.time()
exp = iat + 3600
payload = {'iss': account['client_email'],
           'sub': account['client_email'],
           'aud': '/projects/NNNNN/apps/XXXXXXX',
           'iat': iat,
           'exp': exp}
additional_headers = {'kid': account['private_key']}
signed_jwt = jwt.encode(payload, account['private_key'], headers=additional_headers,
                       algorithm='RS256')

signed_jwt = signed_jwt.decode('utf-8')

这将产生:Invalid IAP credentials: JWT signature is invalid.

推荐答案

当前不支持此功能. IAP期望Google帐户基础结构使用其私钥生成签名，因此这就是签名检查失败的原因.您能否告诉我更多有关为什么要避免OIDC令牌交换的信息? --Matthew，Google IAP工程

this is not currently supported. IAP is expecting a signature generated by the Google accounts infrastructure using its private key, so that's why the signature check is failing. Could you tell me more about why you'd like to avoid the OIDC token exchange? --Matthew, Google IAP Engineering

这篇关于使用承载头针对IAP保护的资源进行身份验证吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！