
I am trying to access Google App Engine, which is secured using Google Cloud IAP (Identity-Aware Proxy). I am able to access the resource using Postman as well as any backend service (like Node or Python) by using the identity token. But as soon as I try to access it from the browser using the same identity token, I get a 401 Unauthorized error.

I am getting the identity token by following this article: https://engineering.q42.nl/google-identity-aware-proxy/

    var data = null; // GET request carries no body

    var xhr = new XMLHttpRequest();
    xhr.withCredentials = true;

    // Log the response body once the request has completed
    xhr.addEventListener("readystatechange", function() {
        if (this.readyState === 4) {
            console.log(this.responseText);
        }
    });

    xhr.open("GET", "<appengine_url>", true);
    xhr.setRequestHeader("Accept", "text/html,*/*");
    xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xhr.setRequestHeader("Authorization", "Bearer <identity_token>");

    xhr.send(data);

Error message: OPTIONS my_url 401

Access to XMLHttpRequest at my_url from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource

  • Related question: https://stackoverflow.com/questions/53163761/enable-cors-with-google-iap I see the same problem, too. But the suggested solution doesn't work with Cloud IAP I guess. I can't find any setting to let IAP add these headers or to pass CORS preflighted requests (`OPTIONS`). Did you find a solution? – Ani Oct 30 '19 at 11:03
  • No, I have not found a solution yet. – Sanket Tantia Nov 13 '19 at 07:35
  • Good news: Cloud IAP supports CORS preflight requests. They added it a week ago or so. – Ani Nov 20 '19 at 17:09

0 Answers
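
The preflight failure described in the question, as an added example that is not part of the original thread: it derives the `OPTIONS` request a browser sends ahead of the XHR above and shows that it carries no `Authorization` header, which is why a proxy that requires a token on every request answers 401. `buildPreflight`, `proxyStatus` and `allowUnauthenticatedOptions` are hypothetical names, and the proxy model is an assumption, not Cloud IAP's actual implementation.

```javascript
// Added example: which requests trigger a CORS preflight (Fetch rules, simplified)
// and how a proxy that demands a token on every request answers that preflight.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Returns the OPTIONS request the browser sends first, or null if none is needed.
function buildPreflight(origin, method, headers) {
  const unsafe = Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFELISTED.has(n)) return true;
      if (n !== "content-type") return false;
      return !SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase())
    .sort();
  if (SIMPLE_METHODS.has(method.toUpperCase()) && unsafe.length === 0) return null;
  // The preflight lists the names of the non-safelisted headers but carries none
  // of their values: no Authorization header and no cookies go with it.
  return {
    method: "OPTIONS",
    headers: {
      "Origin": origin,
      "Access-Control-Request-Method": method.toUpperCase(),
      "Access-Control-Request-Headers": unsafe.join(","),
    },
  };
}

// Hypothetical proxy model (an assumption, not Cloud IAP's real logic): every
// request needs a bearer token unless OPTIONS is explicitly let through.
function proxyStatus(request, allowUnauthenticatedOptions) {
  if (request.method === "OPTIONS" && allowUnauthenticatedOptions) return 204;
  return /^Bearer \S+/.test(request.headers["Authorization"] || "") ? 200 : 401;
}

// The request from the question; the token is a placeholder.
const preflight = buildPreflight("http://localhost:4200", "GET", {
  "Accept": "text/html,*/*",
  "X-Requested-With": "XMLHttpRequest",
  "Authorization": "Bearer <identity_token>",
});
console.log(preflight, proxyStatus(preflight, false), proxyStatus(preflight, true));
```

Postman and backend clients send the `GET` directly with the token attached, so they never hit the unauthenticated `OPTIONS` step.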