IAP and endpoints


jer...@vroom.com

May 28, 2017, 3:12:09 PM
to Google Cloud Endpoints
Do y'all have any integration planned with IAP?

I would like to pack custom claims into the JWT like you can with Firebase Auth.

Let me know if there is an IAP forum I should post this to. I didn't see one.

Dan Ciruli

May 28, 2017, 11:50:50 PM
to Jeremy Lorino, Ameet Jani, Google Cloud Endpoints
Hi, Jeremy -

We are definitely considering an integration and evaluating exactly how to do that.

Can you be a bit more specific about what you want? Do you mean that you'd like IAP to be able to evaluate and accept/reject requests based on custom claims in the JWT?

DC




--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/5016199f-75cb-4f32-b94b-3a553118ba5e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
DC

Jeremy Lorino

May 29, 2017, 1:51:00 AM
to Ameet Jani, Dan Ciruli, Google Cloud Endpoints
Absolutely; let me elaborate.

So it's basically like we talked about a while back: fine-grained control over access to specific API operations.

I see the flow through IAP where a group, user, or service account can be granted access to a specific backend resource. Then a JWT is generated, which can be passed to Endpoints to be validated as usual (via the sub and aud claims).

Some of this can be accomplished through specific urlmaps in the load balancer.

/api/foo -> be-foo (group1 has access)
/api/bar -> be-bar (group2 has access)

Where I ultimately lose it is when I need to control each operation.

GET /api/foo (group1 and group3 have access)
POST /api/foo (only group1 has access)

So how do we go about adding operation-specific rules to IAP, rather than a binary "this group has access to the backend or not"? This would allow more control to be defined in IAP.

A config could be added to IAP that would add custom JWT claims. Or the config is simply the openapi.json from Endpoints that also configures IAP.

GET /api/foo -> 'list:foo'
POST /api/foo -> 'create:foo'
groups=[list:foo, create:foo]

Then either IAP could enforce this or each API could evaluate the JWT further.

--
- google is watching
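The per-operation scheme sketched in the message above (map each method and path to a permission string, carry those strings in a custom JWT claim, and let the API evaluate the claims itself), written out as an added example that is not part of this thread or of IAP's or Endpoints' own code. It assumes a constructed HS256 shared secret and a placeholder audience purely so it runs offline; a real IAP-issued JWT is signed by Google and must be verified against Google's published public keys instead.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example: the operation -> permission map sketched in the
# message (GET /api/foo -> 'list:foo', POST /api/foo -> 'create:foo').
OPERATIONS = {
    ("GET", "/api/foo"): "list:foo",
    ("POST", "/api/foo"): "create:foo",
}
# Hypothetical shared secret and audience; a real IAP JWT is signed by Google and
# must be verified against Google's published public keys, not a shared secret.
SECRET = b"demo-secret-not-for-production"
EXPECTED_AUD = "/projects/PLACEHOLDER/global/backendServices/PLACEHOLDER"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub: str, aud: str, groups: list, ttl: int = 300) -> str:
    """Constructed issuer: HS256 JWT whose custom 'groups' claim lists permissions."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"sub": sub, "aud": aud, "groups": groups, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(body).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, aud: str):
    """Return the claims, or None when algorithm, signature, audience or expiry fail."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm so a forged header cannot downgrade it
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != aud or claims.get("exp", 0) <= time.time():
        return None
    return claims

def authorize(token: str, method: str, path: str, aud: str = EXPECTED_AUD) -> bool:
    """Per-operation check: the JWT must carry the permission mapped to (method, path)."""
    needed = OPERATIONS.get((method, path))
    if needed is None:
        return False  # unknown operation: deny by default
    claims = verify_token(token, aud)
    return claims is not None and needed in claims.get("groups", [])
```

The same `authorize` check works whether the claim is minted by IAP (as the message proposes) or by the API's own issuer, since it only reads the verified claims.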