Hey
I configured IAP on a backend service and set up a Desktop OAuth client for IAP. I used https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app to authenticate to IAP and connect to my backend service. I've been able to do it in all envs except for 1. For this env, when I run cmd:
curl --verbose -H "Proxy-Authorization: Bearer $ID_TOKEN" -H "Authorization: Token $SERVICE_API_TOKEN" <URL>
where $ID_TOKEN is received from following steps here and $SERVICE_API_TOKEN is specific to the service
Error received:
Invalid IAP credentials: empty token
I've confirmed that the OAuth config (image) for IAP points to the Desktop OAuth client that was created, both in the console and in terraform state, checking that both client ID and secret match. FYI this is how we set up IAP using the "GoogleCloudPlatform/lb-http/google" terraform module:
iap_config = {
  enable               = true
  oauth2_client_id     = var.desktop_client_id
  oauth2_client_secret = data.google_secret_manager_secret_version_access.desktop_client_secret.secret_data
}
Also the same workflow works in all other envs.
If I do:
curl --verbose --header 'Authorization: Bearer ID_TOKEN' URL
I get:
Invalid IAP credentials: Invalid bearer token. Audience doesn't match the allowlisted oauth clients for this application.
If I try this solution, where IAP_OAUTH_ID is the original client that was created when we first set up IAP on the project, I get the error:
Invalid IAP credentials: Invalid bearer token. Authorized Party doesn't match the allowlisted oauth clients for this application.
I've also tried destroying and reactivating infra to confirm in tf state. Would love to hear some suggestions.
Thanks
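A local check that mirrors the three IAP rejections quoted in this post (empty token, audience mismatch, authorized-party mismatch), added here as an example and not part of the original post or of Google's own code: it decodes the ID token's payload without verifying the signature and compares the `aud` and `azp` claims against the client ID configured in `iap_config`. The client IDs and the test token are constructed placeholders; whether IAP applies exactly these comparisons is an assumption drawn from the error messages above.

```python
import base64
import json
import time

# Constructed placeholder client IDs, not the real values from any project.
DESKTOP_CLIENT_ID = "111111111111-desktop.apps.googleusercontent.com"
IAP_CLIENT_ID = "222222222222-iap.apps.googleusercontent.com"


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Enough to inspect aud/azp locally; IAP performs the real verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_iap_token(id_token, expected_aud, allowed_azp, now=None):
    """Explain why IAP would reject this token, worded like its error messages.
    Returns an empty list when every check passes."""
    if not id_token.strip():
        return ["empty token"]
    claims = decode_claims(id_token)
    problems = []
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        problems.append("unexpected issuer %r" % claims.get("iss"))
    if claims.get("aud") != expected_aud:
        problems.append("audience %r doesn't match the allowlisted client %r"
                        % (claims.get("aud"), expected_aud))
    if claims.get("azp") not in allowed_azp:
        problems.append("authorized party %r doesn't match the allowlisted clients"
                        % claims.get("azp"))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems


def make_unsigned_token(claims):
    """Build a constructed test token with an empty signature segment (IAP would never accept it)."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return header + "." + body + "."
```

Run it against the real `$ID_TOKEN` with `expected_aud` set to the `oauth2_client_id` from the terraform state of the failing env; if the `aud` or `azp` reported differs from that value, the token was minted for a different OAuth client than the one IAP is allowlisting.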