Zero Trust in Enterprise for your access controls

Jen Person
Google Cloud - Community
9 min read · Aug 17, 2020

This blog was co-written by Max Saltonstall and Jen Person

Time to whip up a winning solution!

Today we’re cooking up a new recipe: using a third-party identity provider to control access to your cloud application.

You might already have an authoritative source of identity, either cloud-based or on-prem, and still want to take advantage of BeyondCorp Remote Access. Keep reading to see how you can apply Zero Trust methods of working to a cloud app with Identity-Aware Proxy and external identity providers.

You can use BeyondCorp with any identity provider and any back-end

We’re using App Engine and Facebook for today’s example, but any back-end and identity source will work similarly. If you’re curious about how to use Identity-Aware Proxy and the fundamentals of BeyondCorp, read about those in these posts.

If you already have an identity provider, cloud-based or on-prem, and want to take advantage of BeyondCorp Remote Access and the Zero Trust way of working, dive in, because today we’re covering how to secure App Engine (or any cloud app) with Identity-Aware Proxy (IAP) using external identity providers. If you’re just joining us, you can see how we used IAP to control access with Google Identity in our last post.

The Ingredients

In order to get cooking you’ll want to make sure you have the right ingredients from the start. For today’s example, we’re using:


We’ve included links to the documentation for all of these products so that you don’t have to read us yammering on about them for five pages. Let’s get to the good stuff!

Start by getting all your ingredients together: app, hosting, identity and proxy

The Architecture

Here’s our basic structure, showing how requests proceed from your employees all the way to the back-end application.

In this architecture diagram, the client is shown as a diamond because your employees are super valuable. And at least partially made of carbon.

To access the App Engine app, the client is directed to a login page hosted on Firebase Hosting. The page uses FirebaseUI to display a Facebook login button and handle login results. Identity Platform authenticates credentials on the backend. Let’s elaborate on how this works.

  1. Get authentication credentials from the user. This can be the user’s email address and password, a SAML assertion, or an OAuth token from a federated identity provider.
  2. In the case of federated identity providers like Facebook, the providers return those tokens to Identity Platform’s authentication handler on the /__/auth/handler endpoint. This service is hosted by Google, so you don’t have to receive and validate the authentication artifact yourself.
  3. After the tokens are received, Google Cloud’s backend services will verify them and return a response to the client.
  4. Once the client’s identity is verified, Cloud IAP will allow the client to access the app.

Access to your application depends on identity verification, and authorization

The Sample

Just like your favorite cooking show, we have a sample cooked up and ready to present! Our sample code includes these ingredients:

  • An App Engine app that reads a JSON Web Token provided by the client and displays information about that user.
  • A login page that we will deploy to Firebase Hosting
  • A sample using React. We won’t be using this today, but feel free to explore it!

With these components, a user who is not yet authenticated will be directed to the login page. Once logged in, Identity-Aware Proxy will verify whether the user is authorized to access the App Engine app. If so, the client is served the app. If not, the client sees a Permission Denied page. We’ve kept the sample as generic as possible so you can add the flavors your particular app needs.

This recipe uses App Engine, JSON Web Tokens, Firebase Hosting and React

There are a few additional steps to take so you can see this sample in action. Let’s walk through them.

1. Create the App Engine app

Create a new project or start with an existing one. Then create an App Engine app.

2. Install the Firebase CLI

You’ll need the Firebase CLI for deploying to Firebase Hosting. You can download it using npm.

npm install -g firebase-tools

3. Enable the APIs

Enable the Identity Platform and Identity-Aware Proxy APIs via the Cloud Console.

With these preparation steps out of the way, we’re ready to get the code.

4. Get the Code

The sample code is available on GitHub, so go ahead and clone it.

git clone https://github.com/GoogleCloudPlatform/iap-gcip-web-toolkit.git

Change to the directory of the App Engine app.

cd iap-gcip-web-toolkit/sample/app

Run npm install to install the required packages.

npm install

Now the app is ready to deploy. Run this command to deploy:

npm run deploy

If you open the package.json file, you can see what this command actually does.

// package.json
"deploy": "gcloud app deploy",

That’s right, all it does is run gcloud app deploy. So you can also use this command directly if you prefer.

We start with a minimal oatmeal app: not that impressive, but achieves the basics

Think of this app like oatmeal: it gets the job done, it’s mildly disappointing on its own, but it’s a great stepping stone as you learn more techniques as a chef.


You’ll see the URL for the deployed app once the deploy finishes. You can follow this link now, but you’ll notice that you get back a permission error. That’s exactly what we want since we haven’t configured the proxy yet! We don’t want any other cooks messing with this cake’s batter until it’s good and ready, so we’ll keep them all out.


It doesn’t do much, but it keeps people out. All of them!

It’s just like the kitchen at a fancy restaurant: you’re only allowed in if you have the right credentials. So let’s create a way to check for ID at the door, so we can make sure only the right sous-chefs can mess with our vichyssoise!

5. Host the login page

Whenever you go to one of our apps behind IAP, the first step is to check your identity. Just like a bouncer at an exclusive club, you need to prove yourself before you’re allowed through the door. If you are not authenticated, we need to get your credentials to see if you are allowed to access the app in question, that is, whether you can get into this specific club.


With Cloud Identity, this brings up a Google authentication page, already made and ready for us to use. But if we choose to use another identity provider, then we need a solution for gathering credentials when our requester is not logged in yet. Below we’ll make that page with Firebase Hosting, and luckily for us, the code we need is already in the sample repo.

You can make your own login page or use Google’s

Start by entering the directory containing the code for the login screen.

cd ../authui-firebaseui

There are some packages we’ll need, so go ahead and run npm install.

npm install

We need to add Firebase to our Cloud project. You can do so with this command, replacing project-id with your own project ID:

firebase use project-id

Then, just like the App Engine sample, we run this command:

npm run deploy

But unlike the App Engine sample, instead of running `gcloud app deploy`, this command deploys your login page to Firebase Hosting using the Firebase CLI.

// package.json
"deploy": "firebase deploy",

6. Enable Facebook Identity

Let’s take Facebook as our external identity provider for today’s example, as a way for people to log in to our app without Google account credentials. To start using Facebook as an identity provider, head to the Facebook developer page and create an app. You will need the App ID and secret for your GCP project. If you want more details on using Facebook for your applications, check out the instructions outlined in the Manage access with external identities quickstart.

Give your users flexibility with external identity support

7. Add Facebook as a Google Cloud identity provider

To configure Identity Platform to use Facebook for authentication from the Cloud Console, go to Tools, Identity Platform, and then click Add a Provider.

Select Facebook from the list of providers, then enter the App ID and App Secret you got from your Facebook app. Finally, click Save.

8. Configure a redirect URI

If someone completes their login via Facebook, where do they go next? We need to tell Facebook, our identity provider and source of authentication credentials, so it knows which URI to redirect to after completing login. Head back to Facebook’s Apps page and select your app. In the left menu, click Products. Locate the Facebook Login product, and click Set Up. In the left navigation menu, select Settings, and then in the Valid OAuth Redirect URIs box, enter the redirect URI. This URI has the following format:

https://project-id.firebaseapp.com/__/auth/handler

You can also find this URI in the Identity Platform provider configuration page. Remember to click Save Changes! Now you’ve finished setting up Identity Platform! With our metaphorical cake baked and cooled, it’s time to add the frosting: configuring IAP to use it for authorization.

Yummy!

Cake is better with identity-based access controls. There isn’t much relevance to showing this cake…we just thought it looked delicious.

9. Enable IAP for external identities

We know who is coming in the door of our restaurant, now let’s make sure only the right people can come to the kitchen. In our last post, we showed you how to enable IAP for App Engine using Google Authentication. The process of implementing IAP with external identities is similar, but there are a couple more steps to connect IAP to the Identity Platform authentication we just configured.

Identity Platform allows you to choose from any number of authentication options

First, you’ll need to enable IAP. If you’re not sure how, then check out the post or this quickstart on enabling IAP for access control.

From the IAP page, in the side panel, under Use external identities for authorization, click Start.

In the Authentication URL field, enter the URL of the authentication app you deployed to Firebase Hosting. It should look something like https://<project-id>.firebaseapp.com/. Check the box with your project name. It will have Facebook listed as an identity provider since we enabled it earlier. Click Save and you’re good to go!

Putting it all together

We have now implemented all the ingredients of this recipe, so let’s throw it in the oven and try it out! Start in a new incognito window to make sure you experience the full flow.

Open the URL for your App Engine app. You’ll be redirected to the login page that uses FirebaseUI as the frontend and Identity Platform on the backend to authenticate with Facebook.

We have a full start-to-finish authentication flow!

Once you’re logged in, you’ll see your app! Commence fireworks celebrations.


What’s next?

We’ve just deployed an app to Google Cloud using Facebook as the identity to authorize people to view the app. Now you can learn about the many ways Identity Platform allows authentication, so you can make sure you only give access to the right people at the right time. Or, try out implementing the provider your company requires. And make sure you always know who is getting in.

Developer Relations Engineer for Google Cloud. Pun connoisseur.