This article shows you how to programmatically access a resource protected by Identity-Aware Proxy (IAP) using external identities.
There are several situations where you might want to do this:
-
Your frontend application leverages Identity Platform directly. Your backend API server is built using App Engine, and protected by IAP using external identities.
-
Your application is designed for use in a non-traditional browser environment, such as on Android, iOS, or the command-line, where using a browser redirect to authenticate users is infeasible.
Accessing resources
To access a resource programmatically using a service account JWT, see Authenticating with a service account JWT .
To access a resource programmatically using an ID token, follow these steps:
-
Retrieve the user's ID token.
Node.js
Ensure the user is signed in. The code below shows a simple example of signing in a user with an email and password:
// If signing in using project-level email/password IdP. // auth.tenantId = null; // This is null by default. // For signing in to a specific tenant using email/password. auth . tenantId = 'myTenantId' ; auth . signInWithEmailAndPassword ( email , password ) . then (( user ) = > { // User signed in. ID token can now be retrieved. }) . catch (( error ) = > { // Handler error. });You can then retrieve an ID token on the
userobject:user . getIdToken () . then (( idToken ) = > { // idToken is now available and can be sent to API server. }) . catch (( error ) = > { // Handler error. });REST
Calling
signInWithPasswordreturns an ID token in the response:curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key= API-KEY ' \ -H 'Content-Type: application/json' \ --data-binary '{ "email":" EMAIL ", "password":" PASSWORD ", "returnSecureToken":true, "tenantId":" TENANT-ID " # Only used in multi-tenancy }'
-
Include the ID token in the authorization header when calling an endpoint protected by IAP.
curl -H "Authorization: Bearer GCIP-ID-TOKEN " "https://example.appspot.com/api"
