
Cannot authenticate to IAP when using Desktop OAuth client

Hey
I configured IAP on a backend service and set up a Desktop OAuth client for IAP. I used https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app to authenticate to IAP and connect to my backend service. I've been able to do it in all envs except for one. For this env, when I run the command:

curl --verbose -H "Proxy-Authorization: Bearer $ID_TOKEN" -H "Authorization: Token $SERVICE_API_TOKEN" <URL>

where $ID_TOKEN is obtained by following the steps here and $SERVICE_API_TOKEN is specific to the service,
Error received:

Invalid IAP credentials: empty token

I've confirmed that the OAuth config (image) for IAP points to the Desktop OAuth client, checking both in the console and in Terraform state that the client ID and secret match. FYI this is how we set up IAP using the "GoogleCloudPlatform/lb-http/google" terraform module:

iap_config = {
  enable               = true
  # Desktop OAuth client (not the client created when IAP was first enabled on the project)
  oauth2_client_id     = var.desktop_client_id
  oauth2_client_secret = data.google_secret_manager_secret_version_access.desktop_client_secret.secret_data
}

[image: rrajvanshi1947_0-1747362246332.png]

Also the same workflow works in all other envs.
If I do:

curl --verbose --header 'Authorization: Bearer ID_TOKEN' URL

I get:

Invalid IAP credentials: Invalid bearer token. Audience doesn't match the allowlisted oauth clients for this application.

If I try this solution, where IAP_OAUTH_ID is the original client that was created when we first set up IAP on the project, I get the error:

Invalid IAP credentials: Invalid bearer token. Authorized Party doesn't match the allowlisted oauth clients for this application.

I've also tried destroying and recreating the infra and confirming it in tf state. Would love to hear some suggestions.
Thanks

2 REPLIES

Hi @rrajvanshi1947 ,

Welcome to Google Cloud Community

The error message 'Invalid IAP credentials: empty token' from Identity-Aware Proxy (IAP) indicates that IAP did not receive a valid identity token (ID token) to authenticate the incoming request. The specific HTTP response code you receive can differ based on the HTTP method used:

  • HTTP 302 Found (for GET requests): If you make an HTTP GET request to an IAP-protected resource without a valid ID token (or with an empty one), IAP will often respond with a 302 redirect. This redirect typically points to Google's OAuth endpoint (e.g., oauth.googleapis.com). This behavior is designed to guide a user agent, like a web browser, through the standard OAuth 2.0 login flow to obtain the necessary credentials. For a programmatic client like curl, this means IAP tried to initiate a browser-based authentication because it didn't find the token it needed directly in the request.
  • HTTP 401 Unauthorized (for POST requests): If you make an HTTP POST request (or other non-GET requests like PUT, DELETE) with an invalid or empty ID token, IAP will usually respond with a 401 Unauthorized error. This directly signals that the authentication attempt failed due to missing or incorrect credentials.

In both scenarios, the core issue is the same: IAP cannot verify the request's identity because a suitable ID token was not provided. When sending HTTP GET/POST requests, make sure the correct Authorization header is added when making the request.

When troubleshooting OAuth authorization, it's crucial to verify that the JWT ID token contains an email attribute. Tools like jwt.io can help you inspect the token's payload. Specifically, if you're generating an ID token by impersonating a service account with gcloud auth print-identity-token, remember that the service account's email isn't included automatically. To add it, you must use the --include-email flag in your gcloud command.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
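A local pre-check of the bearer value before it is sent to IAP, added here as an example (it is not code from the post, from the reply, or from Google). It decodes the ID token's payload without verifying the signature and classifies the header value into the three IAP errors quoted in the post: an unset $ID_TOKEN makes curl send the header "Proxy-Authorization: Bearer " with nothing after the scheme, which is what IAP reports as an empty token, while the aud and azp claims are what the "Audience doesn't match" and "Authorized Party doesn't match" errors refer to. The client IDs and the tokens below are constructed for the example; substitute your own Desktop client ID and the real token that gcloud prints in the failing environment.

```python
import base64
import json
import time
from typing import Optional

# Constructed client IDs for the example; substitute your own Desktop client ID.
DESKTOP_CLIENT_ID = "123456789012-desktop.apps.googleusercontent.com"
OTHER_CLIENT_ID = "123456789012-iapdefault.apps.googleusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> Optional[dict]:
    """Return the claims of a JWT, or None if it is not shaped like one.

    No signature check here: this is for inspecting what you are about to
    send, never for making an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def precheck_iap_header(header_value: str, expected_client_id: str,
                        now: Optional[float] = None) -> str:
    """Classify a bearer header value the way IAP's error messages do.

    'empty token', 'audience mismatch' (aud claim) and 'authorized party
    mismatch' (azp claim) mirror the three errors quoted in the thread;
    the remaining results are local sanity checks.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Bearer":
        return "not a Bearer credential"
    token = token.strip()
    if not token:
        # Exactly what curl sends when $ID_TOKEN is unset in the shell:
        # the header reads "Bearer " with nothing after the scheme.
        return "empty token"
    claims = decode_jwt_payload(token)
    if claims is None:
        return "malformed token"
    if claims.get("aud") != expected_client_id:
        return "audience mismatch"
    # azp names the client the token was issued to; it can differ from aud
    # when a token is minted for one client on behalf of another.
    if claims.get("azp", claims.get("aud")) != expected_client_id:
        return "authorized party mismatch"
    if not claims.get("email"):
        return "missing email claim"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return "expired"
    return "ok"


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: real header/payload layout, dummy signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    sig = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode("ascii")
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.{sig}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the pre-check over the cases from the thread plus the unset-variable case."""
    base = {"iss": "https://accounts.google.com", "sub": "1", "email": "alice@example.com",
            "iat": now - 60, "exp": now + 3600}
    good = make_unsigned_jwt({**base, "aud": DESKTOP_CLIENT_ID, "azp": DESKTOP_CLIENT_ID})
    wrong_aud = make_unsigned_jwt({**base, "aud": OTHER_CLIENT_ID, "azp": OTHER_CLIENT_ID})
    wrong_azp = make_unsigned_jwt({**base, "aud": DESKTOP_CLIENT_ID, "azp": OTHER_CLIENT_ID})
    expired = make_unsigned_jwt({**base, "aud": DESKTOP_CLIENT_ID, "azp": DESKTOP_CLIENT_ID,
                                 "exp": now - 1})
    cases = {
        "unset_shell_variable": "Bearer ",
        "good": f"Bearer {good}",
        "wrong_audience": f"Bearer {wrong_aud}",
        "wrong_authorized_party": f"Bearer {wrong_azp}",
        "expired": f"Bearer {expired}",
    }
    return {name: precheck_iap_header(value, DESKTOP_CLIENT_ID, now)
            for name, value in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

To run it against a real token from the failing environment, call precheck_iap_header(f"Bearer {os.environ.get('ID_TOKEN', '')}", your_desktop_client_id) in the same shell you run curl from; if that alone returns "empty token", the variable never got set there. A passing pre-check is necessary, not sufficient: the signature, issuer and IAP's own allowlist are still checked server-side, and if you want a client-side signature check use google.oauth2.id_token.verify_oauth2_token from the google-auth library rather than this decoder.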

Hey @kensan

Thanks for getting back to me.

@kensan wrote:

When troubleshooting OAuth authorization, it's crucial to verify that the JWT ID token contains an email attribute. Tools like jwt.io can help you inspect the token's payload.

Yeah, we checked this and the token has the expected details like the user's email and the audience as the Desktop OAuth client. We're not sure why IAP is not able to validate it and shows the empty token error.
Also we use the Proxy-Authorization header because the application uses an Authorization header, and it has worked as expected in other envs.
Can there be some other GCP resource which might be interfering with IAP authentication? I checked whether Cloud Armor is enabled, but it is in preview mode in this env so it shouldn't be affecting IAP authentication.