Using nested authentication with Google IAP


Question

I deployed a 3rd party webapp which uses basic authentication for access on Google Cloud Run. I additionally wanted to protect the endpoint by allowing only Google-authenticated users of the organization access. Both these methods use the Authorization header of the request and I cannot get it to work.

I tried following this post, providing both credentials in one field. My reasoning was that GCP should select the strongest credential mechanism it supports - bearer - and leave the basic credentials for the webapp. I have no idea if the webapp could have dealt with it because Google's reverse proxy already barred my access.

curl "-HAuthorization: bearer ${bearer_token}, basic ${base64_userpw}" https://my-google-endpoint.com

-> 401 Unauthorized

I also tried Proxy-Authorization with no different result.

curl "-HProxy-Authorization: bearer ${bearer_token}" "-HAuthorization: basic ${base64_userpw}" https://my-google-endpoint.com

Is there a way to get nested authentication to work with Google's reverse proxy? I was able to get past the reverse proxy by only supplying the bearer but naturally hit the wall at the service. With deactivated authentication on proxy side I was able to authenticate with the service using the basic credentials.

P.S.: I am not using a browser to access the webapp but command line tools.

Recommended answer

You cannot mix Authorization mechanisms with IAP. Everything after the bearer keyword is considered the token string.

One solution is to change your Basic Authorization HTTP header from using Authorization to a custom HTTP header. Something like X-MyApp-Authorization. Then your app processes the custom header to handle the Basic Authorization mechanism.
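
The custom-header approach from this answer, sketched as an added example that is not part of the original answer: a Python WSGI middleware that reads Basic credentials from X-MyApp-Authorization and leaves Authorization to the proxy's bearer token. It assumes the app can be wrapped as WSGI; `parse_basic`, `CustomHeaderBasicAuth`, `inner_app`, `call` and the user store are hypothetical names and constructed sample data.

```python
import base64
import binascii
import hmac

CUSTOM_HEADER = "HTTP_X_MYAPP_AUTHORIZATION"  # WSGI key for X-MyApp-Authorization

def parse_basic(value):
    """Return (user, password) from 'Basic <base64>', or None if malformed."""
    scheme, _, token = (value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

class CustomHeaderBasicAuth:
    """Checks Basic credentials from the custom header; ignores Authorization."""
    def __init__(self, app, users):
        self.app = app
        self.users = users  # constructed sample store: {user: password}

    def __call__(self, environ, start_response):
        creds = parse_basic(environ.get(CUSTOM_HEADER))
        if creds and self._valid(*creds):
            environ["REMOTE_USER"] = creds[0]
            return self.app(environ, start_response)
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"missing or invalid X-MyApp-Authorization\n"]

    def _valid(self, user, password):
        expected = self.users.get(user)
        # Compare even for unknown users so timing does not reveal valid names.
        ok = hmac.compare_digest(password.encode(), (expected or "").encode())
        return expected is not None and ok

def inner_app(environ, start_response):
    # Stand-in for the protected application (hypothetical).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["REMOTE_USER"].encode()]

def call(app, environ):
    """Run a WSGI app once and return (status, body) for inspection."""
    seen = {}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

The client then sends the bearer token in Authorization for the proxy and the Basic value in X-MyApp-Authorization for the app.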
