Cookie或标头发送自己的API以防止Google Cloud Identity Aware Proxy(IAP)302? [英] Cookie or header to send own API to prevent Google Cloud Identity Aware Proxy (IAP) 302?
问题描述
我已经在开发环境中设置了Cloud IAP(与Kubernetes合作并使用Let's Encrypt)并且一切正常。
设置对于这个非常基本1)一个 API
,其中包含大量REST端点和一个持久数据存储,在项目中
< A
<2> SPA 前端应用程序利用 API
,在另一个项目中 B
在我的浏览器(试过Chrome和Firefox)我的Google用户在两个应用程序中通过IAP屏幕(通过转到浏览器选项卡中的每个域),但是一旦我尝试使用 SPA
和 em>尝试请求到 API
,我看到网络请求302重定向到Google IAP登录页面。
问题:
是否需要代表用户通过 API
请求发送标头或Cookie IAP允许传递?
注意
我看到这两个cookie btw GCP_IAAP_AUTH_TOKEN
和 GCP_IAAP_XSRF_NONCE
。
?如果是SPA,IAP应该正常工作。如果是API,您今天的最佳选择是使用 https://cloud.google.com / iap / docs / authentication-howto 将SPA认证为API,并且可能还会将其传递给 https://cloud.google.com/iap/docs/signed-headers-howto ,以便API可以单独验证最终用户的凭证。
将SPA中的GCP_IAAP_AUTH_TOKEN传递给API将不起作用,出于安全原因,在将请求传递给最终用户应用程序之前,我们会将其删除(如果负载平衡器与应用程序之间的传输为HTTP ,只是为了让攻击者的生活更轻松。)
I have setup Cloud IAP on a development environment (spun up with Kubernetes and using Let's Encrypt) and everything is working fine.
The setup is pretty basic for this app:
1) An API
that has a number of REST endpoints and a persistent data store, in project A
2) A SPA
front end app that utilizes said API
, in a different project B
In my browser (tried Chrome and Firefox), I can authenticate my Google user in both apps via the IAP screen (by going to each domain in a browser tab), but once I try to use the SPA
and it attempts requests to the API
, I see the network requests 302 redirect to the Google IAP sign-in page.
Question:
Is there a header or cookie that needs to be sent over via the API
requests on behalf of the user so that IAP allows pass-thru?
Note
I see these two cookies btw GCP_IAAP_AUTH_TOKEN
and GCP_IAAP_XSRF_NONCE
.
What's protected with IAP, "API" or "SPA"? If it's SPA, IAP should work as normal. If it's API, your best option today is to use https://cloud.google.com/iap/docs/authentication-howto to have SPA authenticate to API, and maybe also have it pass down https://cloud.google.com/iap/docs/signed-headers-howto so that API can separately verify the end-user's credentials.
Passing down GCP_IAAP_AUTH_TOKEN from SPA to API won't work, we strip that before passing the request to the end-user application for security reasons (in case the transport between the load balancer and the application is HTTP, just to make life a little harder for an attacker.)
这篇关于Cookie或标头发送自己的API以防止Google Cloud Identity Aware Proxy(IAP)302?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!