We are trying to secure a GKE service using IAP with Workforce Identity Federation. Everything is working, but it is unclear if I am able to configure it so that additional claims from the IdP are passed into the TokenPayload after validating the `x-goog-iap-jwt-assertion` header. We have done the attribute mapping at the provider. We are attempting to get the authenticated user's `given_name`, `family_name`, and `groups` claims/attributes. Previously, we were using IAP with Identity Platform, and those claims were passed through in the token at `gcip.firebase.sign_in_attributes`.
Does anybody know if this is possible?
Hopefully I'm missing something, but it seems that attribute propagation is only available for SAML, not OIDC. Any guidance is appreciated!
After a couple of days of troubleshooting, I've determined this isn't possible. IAP with Workforce Identity uses OAuth2 token exchange, and there are no config options to either include claims from the IdP's ID token or pass the IdP ID token as well (like OAuth2 Proxy allows) to the upstream app. The only claim I was seemingly able to alter via attribute mapping was `google.email`. I briefly considered using CEL to shove all the info I care about (given_name, family_name, email, groups) into that claim...
Also, there is seemingly no way to silently refresh the session beyond how long it's configured at the pool level. The Google page that handles the identity federation is inaccessible via iframe.
Both of these features would be quite useful.