GCIP/IAP - Ext Provider integration - Authorization Code grant with PKCE


Terrance R

Dec 21, 2020, 12:32:54 PM
to google-cicp-discussion
Hello,
We have a Single Page Application (SPA) using Angular, hosted on App Engine and protected by IAP/GCIP with an external provider (OIDC based).
We would like to use the Authorization Code grant flow with PKCE to protect our SPA. Is this the recommended flow for an SPA when using IAP/GCIP with an external provider?

How can the application decode the JWT Identity Token during the IAP/GCIP authentication flow?

Thanks

Manpreet Sidhu (Google Cloud Support)

Dec 21, 2020, 9:19:49 PM
to google-cicp-discussion

Hello,

I understand that you have a single page application in Angular that you want to protect with an external identity provider that is OIDC based.

From this source[1], “OIDC is a thin identity layer for authentication and Single Sign-On that rides on top of OAuth 2.0...OIDC is a thin layer on top of OAuth 2.0 that introduces a new type of token: the Identity Token. Encoded within these cryptographically signed tokens in JWT format, is information about the authenticated user.”

You would like to know if this method is recommended. I have found an opinion in the same document that goes into detail to share his opinion, which is “Why You Should Never Use the Implicit Flow Again.” There are many use cases. There are some deciding to go this route, others not. Although I do not have a strong opinion myself, a quick search is the best way to start.

You’ve asked how your application can decode a JWT Identity Token during an IAP/GCIP authentication flow. I think this is more of a technical implementation question meant for Stackoverflow[2], but if you post your logic in words and what you’ve done so far, I think you may benefit from this forum.

I hope I’ve touched on your points.

[1] https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce
[2] https://stackoverflow.com/

Terrance R

Dec 22, 2020, 5:59:04 AM
to google-cicp-discussion
Thank you, Manpreet. I have been playing with GCIP for some time, but it is not in a final state yet.

I realized yesterday that the GCIP configuration for OIDC-based integration does not ask for a Client Secret, and that the OIDC flow initiated by IAP/GCIP uses response_type=id_token; this would be an implicit flow and not the authorization code flow.

In simple terms, the key components in my solution are 1) GAE hosting static assets protected by IAP/GCIP and 2) APIs exposed by Apigee on GCP (proxying the provider of the REST API hosted on-premises). Apigee would need the access token from the auth flow, which will be introspected by the auth provider, besides verifying the API key.

Since the GCIP/OIDC flow does not initiate the authorization code flow, I will not be getting an access token from the auth provider.

In my original query, I was more curious about decoding the JWT (I am aware of standard libraries to decode the token, if that suffices), but now, since the access token is not available as part of the response, I am just wondering if GCIP would provide what is required in our solution.

Is there a way we can initiate the auth code flow from the GCIP external provider configuration?

Thanks
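To make the distinction in the post above concrete, here is an added Python example (not from this thread, GCIP or any provider's code) that builds the implicit request Terrance observed (response_type=id_token) beside an Authorization Code + PKCE request (response_type=code with an S256 code_challenge), and decodes an id_token's claims without trusting them. The endpoint, client_id, redirect URI and sample token are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE and JWT both use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_pkce_pair(verifier=None):
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def implicit_request(authz_endpoint, client_id, redirect_uri, nonce):
    """Implicit flow as observed in the thread: only an id_token comes back, in the URL fragment."""
    params = {"response_type": "id_token", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "nonce": nonce, "response_mode": "fragment"}
    return authz_endpoint + "?" + urlencode(params)

def auth_code_pkce_request(authz_endpoint, client_id, redirect_uri, code_challenge, state):
    """Authorization Code + PKCE: a code comes back and is later exchanged, with the
    code_verifier, for both id_token and access_token at the token endpoint."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return authz_endpoint + "?" + urlencode(params)

def query_params(url):
    """Flatten an authorization request's query string for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def decode_jwt_unverified(token):
    """Split a JWT into header and payload claims. This does NOT check the signature;
    verify it against the provider's JWKS (plus iss/aud/exp/nonce) before trusting a claim."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

# Constructed sample id_token with a placeholder signature; not a real GCIP token.
SAMPLE_ID_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({"iss": "https://idp.example.invalid", "sub": "user-123", "aud": "spa-client"}).encode()),
    "placeholder-signature"])
```

The PKCE helper reproduces the RFC 7636 Appendix B test vector when given its verifier, so it can be checked against the spec before being wired into a real client.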

Digil Kottiyattil Anand

Dec 23, 2020, 10:38:50 AM
to google-cicp-discussion
I am not sure whether this discussion thread on stackoverflow.com is helpful for your use case scenario or not. Looking at the suggestion provided over there, it seems like it could be expected behavior.

That being said, if you think it is something that could be implemented in Identity Platform as a new feature, feel free to use the issue tracker to report it as a feature request.

Terrance R

Dec 23, 2020, 11:40:03 AM
to google-cicp-discussion
The thread on Stack Overflow was created by me. I just need to see how to enable it, where to provide the JSON fragment, and how to use it.

Ruben Moa

Dec 29, 2020, 11:00:15 AM
to google-cicp-discussion
Hello,

Did you have a look at this documentation [1]? From what I understand, this is what you need in order to access an IAP-secured app.

Have a nice day!
