My goal is to make some apps (frontend + backend) private only in GCP. To do this I plan to use Identity-Aware Proxy and allow only people from the @example.com domain. I've checked documentation and tutorials but I still cannot figure out if it is possible to authenticate a standard frontend app with a backend API protected by GCP IAP.
My ideal scenario would be like this:
example.com - frontend JS app, running in the browser, protected by IAP, making requests to backendapi.example.com - backend API also protected by IAP (different GCP project)
When going to example.com I get a redirect to Google auth. After providing valid credentials I'm redirected back to example.com and now I can see and use the frontend app. This app will then make requests to api.example.com that should also be authenticated.
Is this even possible? Would I not get a 401 error or an auth redirect response from the backend service?
Another scenario that could work for me:
example.com - frontend JS app, running in the browser, publicly available, making requests to backendapi.example.com - backend API protected by IAP (different GCP project)
Can I somehow detect that the backend is IAP-protected and redirect to the auth page, but go back to example.com after Google authentication?
When doing a curl to the IAP-protected backend I only get a 302 response with the Google auth URL:
$ curl -i https://example.com
HTTP/2 302
set-cookie: GCP_IAP_XSRF_NONCE_XXXX=1; expires=Thu, 15-Feb-2024 12:22:44 GMT; path=/; Secure; HttpOnly
location: https://accounts.google.com/o/oauth2/v2/auth?client_id=....
x-goog-iap-generated-response: true
date: Thu, 15 Feb 2024 12:12:44 GMT
content-type: text/html
server: Google Frontend
content-length: 36
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Invalid IAP credentials: empty token
In theory I could check the x-goog-iap-generated-response header, but how do I force IAP and Google to redirect me to the frontend app domain instead of api.example.com after authentication with Google?
Thank you
// EDIT
To clarify, my problem is not how to send the auth token to the backend. My problem is how to obtain this token when there is a frontend & backend app and at least the backend is IAP-protected. When doing a request to the backend without an auth token I get a 302 and a redirect URL to the authorization page on Google. After I submit proper credentials I'm redirected to the original page and then I can use this page (because auth cookies are set, I think). But the problem is that I want to be redirected to the frontend app domain after backend authentication and then I want to be able to do authorized requests to the backend from now on.
Is this possible? How can I achieve this?
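As an added example (not part of the question above, and not Google's own client code), this is how the frontend can detect the IAP login challenge explicitly instead of letting the browser follow the 302 into accounts.google.com, which a cross-origin fetch cannot complete. It keys on the status, the x-goog-iap-generated-response header and the Location prefix shown in the curl output; the fetch wrapper name, the callback and the sample response are assumptions constructed for illustration, and a cross-origin fetch with redirect: "manual" is reported as an opaque redirect because the browser hides its status and headers.

```javascript
// Header name and redirect target as seen in the curl output of the question.
const IAP_HEADER = "x-goog-iap-generated-response";
const GOOGLE_AUTH_PREFIX = "https://accounts.google.com/o/oauth2/";

// Accept a plain object (any key case) or a Headers-like object with get().
function headerGetter(headers) {
  if (headers && typeof headers.get === "function") {
    return (name) => headers.get(name);
  }
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  return (name) => (name.toLowerCase() in lower ? lower[name.toLowerCase()] : null);
}

// Returns "ok", "iap-login-redirect", "opaque-redirect", "unauthorized" or "other".
function classifyIapResponse({ status, type = "basic", headers = {} }) {
  // A cross-origin redirect under redirect: "manual" exposes no status or headers.
  if (type === "opaqueredirect") return "opaque-redirect";
  const get = headerGetter(headers);
  const iapGenerated = String(get(IAP_HEADER) || "").toLowerCase() === "true";
  const location = get("location") || "";
  if (status === 302 && iapGenerated && location.startsWith(GOOGLE_AUTH_PREFIX)) {
    return "iap-login-redirect";
  }
  if (status === 401) return "unauthorized";
  if (status >= 200 && status < 300) return "ok";
  return "other";
}

// Hypothetical browser-side wrapper: sends the IAP session cookie, never
// auto-follows the redirect, and hands a login requirement to the caller.
async function fetchViaIap(url, options = {}, onLoginRequired) {
  const res = await fetch(url, { ...options, credentials: "include", redirect: "manual" });
  const kind = classifyIapResponse({ status: res.status, type: res.type, headers: res.headers });
  if (kind !== "ok" && kind !== "other") {
    onLoginRequired(kind, res); // e.g. navigate the top-level window to the backend URL
    return null;
  }
  return res;
}

// Constructed sample mirroring the 302 in the question (client_id value is a placeholder).
const SAMPLE_IAP_302 = {
  status: 302,
  headers: {
    Location: "https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER",
    "X-Goog-IAP-Generated-Response": "true",
  },
};
```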