Parth,

Good questions. I've answered them inline below.

Thanks,
--Mike

On Friday, September 7, 2018 at 12:24:10 PM UTC-7, Parth Mishra wrote:
>
> Follow up: what's the difference between this and say, Cloud Endpoints 
> authentication via OpenAPI? 
>

Endpoints:

   - Pros:
      - Can do Google or non-Google auth (e.g. Firebase Auth, or any other 
      OIDC JWT)
      - Can do per-path authentication
   - Cons:
      - Doesn't provide login/logout URLs for web apps (e.g. won't initiate 
      3LO OAuth flow, refresh tokens)
      - Not integrated with Cloud IAM for authorization (e.g. can't grant a 
      single user access)
      - Not a fully managed system (deployed with your GAE app)
      - Doesn't work with Gen 2 runtimes
   
IAP

   - Pros:
      - Designed to handle 2LO and 3LO flows (will handle token refresh for 
      web apps)
      - Integrated with Cloud IAM
      - Works with GAE Gen 1 and 2
   - Cons:
      - Whole app only (no per-path auth yet)
      - Google Auth only
      - Somewhat annoying way to generate tokens (though compute metadata 
      <https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature> 
      makes this easier)
   
Probably missing some things, but that's the gist :)
 

>
> On Tuesday, September 4, 2018 at 7:54:40 PM UTC-4, Parth Mishra wrote:
>>
>>
>> I was wondering what the status of Cloud Identity Aware Proxy integration 
>> with the second gen runtimes (specifically Python 3.7) is. I would like to 
>> authenticate a Service Account to invoke my application from an on-premise 
>> server and it seems like IAP is a good method for doing this (in addition to 
>> restricting the firewall). 
>>
>
I just tried it and it works.
 

>
>> However, the documentation doesn't make it clear what approach to take to 
>> integrate since it requires Users API for standard environment (which isn't 
>> supported by Python 3.7). Do I need to use either first-gen Standard or 
>> switch to Flexible? 
>>
>
Instead of using the Users service, you'll have to grab the headers 
<https://cloud.google.com/iap/docs/signed-headers-howto> which have the 
userID and email (or the full JWT). Note that the IAP site claims this 
doesn't work for Standard, but it does for Gen 2.

Here's my example: 
https://gist.github.com/mcdonamp/366e05d86ec9c48108719a5a9b37eeda
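
The reply above points at the IAP signed headers. As an added example (not code from the thread or from the linked gist), here is how a Python 3.7 (Gen 2) app can read those headers from the WSGI environ and treat the signed assertion, rather than the plain X-Goog-Authenticated-User-* headers, as the trust anchor. The header and claim names follow the public IAP documentation; the google-auth call used for the signature check is assumed to be available on the app and is not exercised offline; the audience, project number, service-account email, user id and timestamps are constructed sample values.

```python
import base64
import json
import time

# Added example, not code from the thread or the linked gist. Header and claim
# names follow the public IAP docs; everything marked "constructed" is sample data.
IAP_ISSUER = "https://cloud.google.com/iap"
IAP_JWK_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
# WSGI environ keys of the headers IAP injects (Flask/Django see them the same way).
ENV_EMAIL = "HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"
ENV_USER_ID = "HTTP_X_GOOG_AUTHENTICATED_USER_ID"
ENV_JWT = "HTTP_X_GOOG_IAP_JWT_ASSERTION"


def _b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt):
    """Payload of a JWT with NO signature check; only for offline tests/logging."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def verify_iap_jwt(jwt, expected_audience):
    """Signature/expiry check with google-auth (assumed installed on the app;
    not exercised offline). Returns the verified claims."""
    from google.auth.transport import requests as ga_requests
    from google.oauth2 import id_token
    return id_token.verify_token(jwt, ga_requests.Request(),
                                 audience=expected_audience, certs_url=IAP_JWK_URL)


def strip_namespace(value):
    """IAP prefixes identities with 'accounts.google.com:'; drop that prefix."""
    ns, sep, rest = value.partition(":")
    return rest if sep and ns == "accounts.google.com" else value


def check_claims(claims, expected_audience, now=None):
    """Issuer, audience and time-window checks (defence in depth on top of the
    signature check). For App Engine the audience is
    /projects/PROJECT_NUMBER/apps/PROJECT_ID."""
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("assertion expired")
    if not isinstance(iat, (int, float)) or iat > now + 60:
        raise ValueError("assertion issued in the future")
    if not claims.get("email"):
        raise ValueError("no email claim")
    return claims


def identity_from_environ(environ, expected_audience, verify=verify_iap_jwt, now=None):
    """Identity of the caller IAP let through, or ValueError.
    The signed assertion is the trust anchor; the plain headers are only
    cross-checked against it, so a request that reached the app without
    passing IAP (no assertion) is rejected instead of trusted."""
    jwt = environ.get(ENV_JWT)
    if not jwt:
        raise ValueError("no IAP assertion: request did not come through IAP")
    claims = check_claims(verify(jwt, expected_audience), expected_audience, now)
    email = strip_namespace(environ.get(ENV_EMAIL, ""))
    user_id = strip_namespace(environ.get(ENV_USER_ID, ""))
    # The namespace prefix may appear in the claims too, so strip it on both sides.
    if email != strip_namespace(claims["email"]) or \
            user_id != strip_namespace(claims.get("sub", "")):
        raise ValueError("plain headers disagree with signed assertion")
    return {"email": email, "user_id": user_id, "claims": claims}


def rejection_reason(environ, expected_audience, verify=verify_iap_jwt, now=None):
    """Same as identity_from_environ but returns the failure text (None if accepted)."""
    try:
        identity_from_environ(environ, expected_audience, verify, now)
    except ValueError as exc:
        return str(exc)
    return None


# ---- constructed sample data (offline demo; a real assertion is ES256-signed) ----
SAMPLE_NOW = 1536000000                                            # constructed
SAMPLE_AUDIENCE = "/projects/123456789012/apps/example-project"   # constructed
SAMPLE_EMAIL = "caller@example-project.iam.gserviceaccount.com"   # constructed
SAMPLE_USER_ID = "100000000000000000001"                           # constructed


def make_sample_jwt(claims):
    """Build an UNSIGNED sample token so the claim logic can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "ES256", "typ": "JWT"}) + "." + enc(claims) + ".not-a-signature"


SAMPLE_ENVIRON = {
    ENV_EMAIL: "accounts.google.com:" + SAMPLE_EMAIL,
    ENV_USER_ID: "accounts.google.com:" + SAMPLE_USER_ID,
    ENV_JWT: make_sample_jwt({"iss": IAP_ISSUER, "aud": SAMPLE_AUDIENCE,
                              "email": SAMPLE_EMAIL,
                              "sub": "accounts.google.com:" + SAMPLE_USER_ID,
                              "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 600}),
}


def offline_verify(jwt, expected_audience):
    """Stand-in for verify_iap_jwt in the offline demo ONLY: skips the signature."""
    return unverified_claims(jwt)
```

In the deployed app, call `identity_from_environ(request.environ, audience)` with the default verifier so the ES256 signature is checked against IAP's published keys; `offline_verify` exists only so the claim and header cross-checks can run without network access. Failing closed when the assertion is missing is the point: the plain email and id headers are only meaningful for traffic that actually passed through IAP.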
 
