I am trying to create a proxy server using a Cloud Function between the frontend and the backend, both deployed in a single GCP project. I have enabled IAP for the backend and deployed the frontend using Google Cloud Firebase, but the frontend is not able to communicate with the backend. I am getting "Invalid IAP credentials" and an empty token as well. I have provided the proxy Cloud Function below. I would appreciate any hint or advice on how to move forward.
import functions_framework
import requests
import google.auth
import google.auth.transport.requests
from google.auth.transport.requests import Request
from google.oauth2 import id_token

BACKEND_URL = "https://fintom8converter-dev3.ey.r.appspot.com"
#CLIENT_ID = "978295342010-ve74u8cqs4napi37l62f4lerg0ke2dus.apps.googleusercontent.com"
CLIENT_ID = "978295342010-j8gkmnm7538jjoa7t2lq9g8onkbmhktq.apps.googleusercontent.com"

# Response headers that must not be copied from the backend to the caller:
# requests has already decoded the body, so forwarding Content-Encoding or
# Content-Length would describe a body the client does not receive.
HOP_BY_HOP_HEADERS = {"content-encoding", "content-length", "transfer-encoding", "connection"}


def get_iap_token():
    # Get the function's default credentials (runtime service account)
    creds, project = google.auth.default()
    # Make sure credentials are valid
    auth_req = google.auth.transport.requests.Request()
    creds.refresh(auth_req)
    # Get an ID token for IAP, minted by the metadata server for the runtime
    # service account, with CLIENT_ID as the audience
    token = id_token.fetch_id_token(Request(), CLIENT_ID)
    return token


@functions_framework.http
def proxyFunction(request):
    try:
        token = get_iap_token()
        # Only the backend root is fetched; the incoming path, method and body
        # are not forwarded.
        resp = requests.get(BACKEND_URL, headers={"Authorization": f"Bearer {token}"})
        headers = [(k, v) for k, v in resp.headers.items()
                   if k.lower() not in HOP_BY_HOP_HEADERS]
        return (resp.content, resp.status_code, headers)
    except Exception as e:
        return (f"Error: {str(e)}", 500)
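Added diagnostic, not the poster's code: it decodes the ID token the proxy obtained (locally, without signature verification) and reports the claim problems that typically produce "Invalid IAP credentials" or an empty token. IAP checks that the token's aud is the IAP OAuth client ID of the protected resource; EXPECTED_AUDIENCE and make_unsigned_jwt are constructed here so the check runs offline.

```python
# Added example: inspect an IAP ID token's claims before sending it to the
# backend. No signature check is done; this is a local sanity check only.
import base64
import json
import time

# Constructed value for this example; in practice use the IAP OAuth client ID.
EXPECTED_AUDIENCE = "123456789012-example.apps.googleusercontent.com"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_iap_token(token, expected_audience=EXPECTED_AUDIENCE, now=None):
    """Return a list of problems that would make IAP reject this token."""
    if not token:
        return ["empty token: fetch_id_token returned nothing; check the "
                "function runs as a service account with metadata access"]
    try:
        claims = decode_claims(token)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return ["token is not a well-formed JWT"]
    problems = []
    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"audience mismatch: aud={aud!r}, IAP expects its OAuth client ID")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if not claims.get("email"):
        problems.append("no email claim: IAP cannot match the token to an IAP-secured Web App User")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing only (alg=none, empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run diagnose_iap_token on the value returned by get_iap_token before the proxied request; an empty list means the claims are at least consistent with what IAP checks.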
Hi @harshhb!
The problem might be that your Cloud Function is using default credentials, which aren't tied to a user identity and can't generate an IAP-signed token easily. You need to use a service account with the IAP-secured Web App User role and create an ID token targeted at your backend URL, not just the client ID.
Also, in fetch_id_token, you should pass the backend URL instead of the client ID. Try updating:
Hope this helps you move forward!