
Two backend services protected by IAP (Identity Aware Proxy)

(note: I post the question here in the GKE forum, as I haven't found a more suitable forum, but the problem is more related to the frontend and IAP than to GKE. However, the second question is related to GKE, so I believe it will find the correct audience)

Hi,

we have a web app and an endpoint hosted on GKE, both are protected by IAP (more details about the setup are below). From the end-user point of view, both are served on the same subdomain, just different URL paths, so we don't need to address any CORS issues. The JavaScript in the web app calls the endpoint, fetching some JSON data. All works fine, as long as the IAP sessions are fresh (which are somehow managed via cookies). We noticed that the browser stores two sets of IAP-related cookies (in each set, cookies named like GCP_IAP_UID and __Host-GCP_IAP_AUTH_TOKEN_<xyz>). That is obviously due to the fact that the web app and endpoint are running on different backend services, and thus two IAP configs. The refresh of the session with the web app is automatically managed by the browser, so no problem here. But we have trouble implementing session management for the endpoint, as this is not opened directly by the user in the browser; it is rather an AJAX request. So we are getting the 401: Unauthorized response, with the payload Invalid GCIP ID token: empty token. We have tried to follow this documentation: https://cloud.google.com/iap/docs/external-identity-sessions#handling_ajax_requests, but it didn't help. We are still forced to open the URL to the endpoint in a new window; only after that does the browser retrieve the second set of fresh cookies and the AJAX calls from the web app start to work.

Two questions:

  1. is it possible to solve this issue by some more advanced tuning on the frontend or IAP side?
  2. if not, I believe the issue could be solved if both the web app and the endpoint are served via the same backend service, and thus controlled with a single IAP configuration. However, I have no idea how to achieve that on the cluster, so that both components are exposed via a single Service. Would a service mesh like Istio be any help here? (I don't have any experience with that)

Thank you!

Branislav


more details about the setup:



Meanwhile, I have managed to solve the problem. I have deployed Cloud Service Mesh to the GKE cluster, and configured a single VirtualService that routes the requests to the web app and endpoint applications. The key point is that both applications are now behind a single backend service (from the LB point of view) and thus only one IAP config is in place.

This article is very helpful:
https://cloud.google.com/architecture/exposing-service-mesh-apps-through-gke-ingress/deployment

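The manifests below illustrate the routing described in the accepted answer. They are an added example, not the poster's configuration or the linked article's manifests. Names are assumed: namespace `apps`, Services `webapp` and `endpoint` on port 8080, host `app.example.com`, a mesh ingress gateway in `istio-system` exposed by a Service named `istio-ingressgateway`, and a Secret `iap-oauth-client` holding the IAP OAuth client credentials. The GKE Ingress points only at the ingress gateway Service, so the load balancer sees a single backend service and IAP is configured once, on that backend; the VirtualService then splits traffic by URL path inside the mesh.

```yaml
# Added example (assumed names, not the poster's setup): expose two apps under
# one hostname through a single mesh ingress gateway so that the GKE load
# balancer has one backend service and therefore one IAP configuration.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: apps-gateway
  namespace: apps
spec:
  selector:
    istio: ingressgateway      # matches the mesh ingress gateway pods (assumed label)
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "app.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: apps
  namespace: apps
spec:
  hosts:
  - "app.example.com"
  gateways:
  - apps-gateway
  http:
  # The more specific prefix comes first: AJAX calls under /api/ reach the
  # JSON endpoint. Because the browser already holds the IAP cookies for this
  # one backend, no second cookie set is needed for these requests.
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: endpoint.apps.svc.cluster.local
        port:
          number: 8080
  # Everything else is the web app itself.
  - route:
    - destination:
        host: webapp.apps.svc.cluster.local
        port:
          number: 8080
---
# IAP is enabled once, on the backend created for the ingress gateway Service.
# The BackendConfig must live in the same namespace as that Service, and the
# Service needs the annotation
#   cloud.google.com/backend-config: '{"default": "iap-backend"}'
# (plus cloud.google.com/neg: '{"ingress": true}' for container-native LB).
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: iap-backend
  namespace: istio-system
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-client   # assumed Secret with client_id/client_secret
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apps-ingress
  namespace: istio-system
spec:
  defaultBackend:
    service:
      name: istio-ingressgateway   # the one backend the LB (and IAP) sees
      port:
        number: 80
```

Two consequences of collapsing to one backend are worth keeping in mind. First, the IAP access policy on that backend service now governs both paths, so any principal allowed into the web app is also allowed to call the endpoint; if the endpoint needs a tighter audience, that has to be enforced behind IAP. Second, the mesh gateway now relies on the load balancer having done the authentication, so the endpoint should only be reachable through that path (no direct NodePort or second Ingress), and, as defence in depth, it can verify the signed `x-goog-iap-jwt-assertion` header that IAP attaches to each forwarded request rather than trusting unsigned identity headers.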
