Get user's email in Google Cloud Run application

I have an application which runs on a service in Google Cloud Run.
I use Identity-Aware Proxy (IAP) to ensure that only specific users can log in to the app.
I want part of the application to be visible only to some of the users, and in order to do that I want to know which user is currently trying to run something with the application.
How can I do that?

I tried to do:

from google.oauth2 import service_account
import google.auth.transport.requests
import requests as py_requests  # assumed alias for the requests library

# `file` is the path to the service-account key file
credentials = service_account.Credentials.from_service_account_file(
    file,
    scopes=[
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/userinfo.profile",
    ],
)
# Refresh to obtain an access token for the service account
auth_req = google.auth.transport.requests.Request()
credentials.refresh(auth_req)
token = credentials.token
headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json",
}
url = "https://www.googleapis.com/oauth2/v3/userinfo"
response = py_requests.get(url=url, headers=headers).json()

The problem is that I'm sending the request to the wrong place (i.e., not using the right file).

From what I understand, I want to send a request to the IAP and ask for the user email.

Thank you!


According to Google documentation, IAP sends the user's email in the header:

X-Goog-Authenticated-User-Email

So you could have a process where

1) The user tries to load your home page and IAP makes them sign in before redirecting them back to your home page.

2) The code for loading your home page pulls the email from the above header and you can store it somewhere (in session, memory, etc.).

3) When the user tries to access another page, you check the email you stored in bullet 2 and decide whether to grant them access or not.

 

NoCommandLine
https://nocommandline.com
Analytics & GUI for App Engine & Datastore Emulator
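The steps in the reply above, sketched as an added example (not code from the original posts): a standard-library WSGI app that reads X-Goog-Authenticated-User-Email and gates one path on it. It reads the header on every request instead of caching it; `ALLOWED_ADMINS`, the `/admin` path and the sample emails are hypothetical, and the `accounts.google.com:` prefix is the form IAP uses for Google accounts.

```python
# Added example: restrict part of an app by the identity IAP forwards.
# ALLOWED_ADMINS and the /admin path are hypothetical; emails are constructed.
IAP_EMAIL_HEADER = "X-Goog-Authenticated-User-Email"
IAP_PREFIX = "accounts.google.com:"  # namespace IAP prepends for Google accounts
ALLOWED_ADMINS = {"alice@example.com"}


def iap_user_email(environ):
    """Return the lower-cased email IAP put on the request, or None."""
    # WSGI exposes request headers as HTTP_<NAME> with dashes as underscores.
    key = "HTTP_" + IAP_EMAIL_HEADER.upper().replace("-", "_")
    raw = environ.get(key, "").strip()
    if not raw.startswith(IAP_PREFIX):
        return None  # header absent or not in the expected form
    email = raw[len(IAP_PREFIX):].lower()
    local, at, domain = email.partition("@")
    if not (local and at and domain) or "@" in domain:
        return None  # not a single local@domain value
    return email


def app(environ, start_response):
    """WSGI app: every signed-in user sees '/', only admins see '/admin'."""
    email = iap_user_email(environ)
    path = environ.get("PATH_INFO", "/")
    is_admin_path = path == "/admin" or path.startswith("/admin/")
    if email is None:
        status, body = "401 Unauthorized", "no IAP identity on request"
    elif is_admin_path and email not in ALLOWED_ADMINS:
        status, body = "403 Forbidden", "not allowed: " + email
    else:
        status, body = "200 OK", "hello " + email
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


def call(path, header_value=None):
    """Drive the app with a constructed request; return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if header_value is not None:
        environ["HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"] = header_value
    seen = {}
    body = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(body).decode("utf-8")


if __name__ == "__main__":
    print(call("/admin", "accounts.google.com:alice@example.com"))
    print(call("/admin", "accounts.google.com:bob@example.com"))
```

The header can be relied on only when every request reaches the service through IAP; where that cannot be guaranteed, Google's IAP documentation describes verifying the signed X-Goog-Iap-Jwt-Assertion header instead.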