This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

IAP Custom Claim Updates and Token Refresh Delay

Posted on 03-29-2025 12:42 AM
brano
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Problem:

We use Identity-Aware Proxy (IAP) with Identity Platform for external identity management. Our backend relies on custom claims set via the Identity Platform Admin SDK for access control. When these claims are updated (e.g., via event-driven workflows), we need IAP to reflect these changes in the X-Goog-Iap-Jwt-Assertion token immediately.

Current Approach:

Appending ?gcp-iap-mode=CLEAR_LOGIN_COOKIE to the URL refreshes the IAP authentication cookie (the one that is sent from browser in cookie header), but the JWT assertion token injected by IAP does not update immediately.

Observed Behavior:

  • The token update delay varies, typically ranging from a few seconds to approximately one minute.
  • This delay impacts backend services that depend on the updated custom claims for immediate access control decisions.

Questions:

  • Is this delay in X-Goog-Iap-Jwt-Assertion token updates expected behavior? Maybe a caching mechanism in the proxy?
  • Are there alternative methods or best practices to ensure faster or immediate propagation of custom claim updates to the IAP token?
  • Any insight into the mechanism of the token update and the reason for the delay would be very helpful.

@msanci 

0 0 151
Topic Labels
0 Likes
0 REPLIES 0