Google’s Identity Aware Proxy (GCP IAP)

Boom
Oct 13, 2022

Introduction

Identity Aware Proxy (IAP) provides an authorization layer in front of your applications and uses signed headers to convey the result to them. If an application or resource is protected by IAP, every request to it must pass through the proxy, and users are subject to fine-grained access controls. Because access is granted through IAM roles, IAP can set up group-based application access. Overall, IAP is a great way to perform authentication and authorization checks.

Authentication

Requests reach the resource through App Engine or a Cloud Load Balancer. If IAP is enabled for the resource, information about the request is sent to the IAP authentication server, which checks the user's browser credentials. If the server does not find any authenticating credentials, it redirects the user to an OAuth 2.0 login screen. Once the user finishes authenticating, a browser cookie is set for future sign-ins.

Authorization

After authentication, IAP applies the relevant IAM policy to check whether the user is authorized to access the requested resource. The user needs the IAP-secured Web App User role to be authorized. IAM roles are a good way to apply further fine-grained access levels among users.

Signed Headers

As mentioned above, IAP uses signed headers to protect the application. Specifically, IAP uses JSON Web Tokens (JWTs) to assert that a request to the resource has been authorized. The header x-goog-iap-jwt-assertion is present in the HTTP request headers and its value is the JWT. Signed headers provide a second layer of security and must be verified by the application. To learn more about JWT verification, check out the official guide.

User’s Identity

The application must validate every request by checking the x-goog-iap-jwt-assertion header. Although IAP also passes the user's identity in plain headers, it is recommended to obtain the user's identity from the verified JWT. Please take a look at the official guide mentioned above.
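The verification that the Signed Headers and User's Identity sections call for, as an added Go example: this is not code from the original post or from Google's IAP documentation. It relies on the assertion format Google's guide documents (ES256 signatures, issuer https://cloud.google.com/iap, an aud bound to one backend, and public keys published as a JWK set keyed by kid at https://www.gstatic.com/iap/verify/public_key-jwk). The key pair, kid, project and backend numbers, timestamps and e-mail address are all constructed so the example runs offline, and the signing helper exists only to give the verifier a token to check; a real application never mints these.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// VerifyIAPAssertion validates an x-goog-iap-jwt-assertion value: pinned alg, known kid, ES256 signature,
// then issuer, audience and expiry. keys maps kid to IAP public keys (in production fetched and cached
// from https://www.gstatic.com/iap/verify/public_key-jwk). Only claims from a token that passes are trusted.
func VerifyIAPAssertion(token, wantAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var header struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(raw[0], &header); err != nil || header.Alg != "ES256" {
		return nil, fmt.Errorf("header rejected: alg must be ES256") // never honour "none" or an HMAC alg
	}
	pub, ok := keys[header.Kid]
	if !ok || len(raw[2]) != 64 { // JWS ES256 signature is r||s, 32 bytes each, not ASN.1 DER
		return nil, fmt.Errorf("unknown kid %q or bad signature length", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(raw[2][:32]), new(big.Int).SetBytes(raw[2][32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if c.Iss != "https://cloud.google.com/iap" || c.Aud != wantAud || now.Unix() >= c.Exp { // a valid signature alone is not enough
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// signDemoToken mints an ES256 JWT the way IAP would; it exists only so the example has a token to verify.
func signDemoToken(priv *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS wants r||s left-padded to 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Demo uses a constructed key pair in place of IAP's and checks a genuine token, the same token presented to another backend, and an altered copy.
func Demo() (genuine *Claims, wrongAudOK, alteredOK bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not return errors
	keys := map[string]*ecdsa.PublicKey{"demo-kid": &priv.PublicKey}
	now := time.Unix(1700000000, 0)
	const aud = "/projects/123456789/global/backendServices/987654321" // constructed; load-balancer audience format
	tok := signDemoToken(priv, "demo-kid", Claims{Iss: "https://cloud.google.com/iap", Aud: aud,
		Email: "alice@example.com", Exp: now.Add(10 * time.Minute).Unix()})
	genuine, _ = VerifyIAPAssertion(tok, aud, keys, now) // identity is read from the verified token only
	_, err := VerifyIAPAssertion(tok, "/projects/123456789/global/backendServices/1", keys, now)
	wrongAudOK = err == nil
	parts := strings.Split(tok, ".") // change the email claim without re-signing
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
	parts[1] = base64.RawURLEncoding.EncodeToString([]byte(strings.Replace(string(payload), "alice@", "bob@", 1)))
	_, err = VerifyIAPAssertion(strings.Join(parts, "."), aud, keys, now)
	alteredOK = err == nil
	return genuine, wrongAudOK, alteredOK
}

func main() {
	g, w, a := Demo()
	fmt.Printf("genuine=%v wrongAud=%v altered=%v\n", g != nil, w, a)
}
```

Two of the checks deserve emphasis. The aud comparison matters because every IAP-protected backend receives Google-signed tokens; a token that is genuine but minted for a different backend must still be refused. Reading the e-mail from the verified claims, rather than from a plain identity header, matters because the signed assertion is the only part of the request the application can check for itself if traffic ever reaches the backend without passing through the proxy.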

Conclusion

IAP is a great way to add authentication and authorization layers to applications. It gives users an uninterrupted experience with the application while authentication and authorization are handled through headers.
