
I deployed a 3rd party webapp which uses basic authentication for access on Google Cloud Run. I additionally wanted to protect the endpoint by allowing only Google-authenticated users of the organization access. Both these methods use the Authorization header of the request and I cannot get it to work.

I tried following this post, providing both credentials in one field. My reasoning was that GCP should select the strongest credential mechanism it supports, bearer, and leave the basic credentials for the webapp. I have no idea if the webapp could have dealt with it because Google's reverse proxy already barred my access.

curl "-HAuthorization: bearer ${bearer_token}, basic ${base64_userpw}" https://my-google-endpoint.com

-> 401 Unauthorized

I also tried Proxy-Authorization with no different result.

curl "-HProxy-Authorization: bearer ${bearer_token}" "-HAuthorization: basic ${base64_userpw}" https://my-google-endpoint.com

Is there a way to get nested authentication to work with Google's reverse proxy? I was able to get past the reverse proxy by only supplying the bearer but naturally hit the wall at the service. With deactivated authentication on the proxy side I was able to authenticate with the service using the basic credentials.

P.S.: I am not using a browser to access the webapp but command line tools.

John Hanley

2 Answers


You cannot mix Authorization mechanisms with IAP. Everything after the bearer keyword is considered the token string.

One solution is to change your Basic Authorization HTTP header from using Authorization to a custom HTTP header. Something like X-MyApp-Authorization. Then your app processes the custom header to handle the Basic Authorization mechanism.

[Update 2021-08-17]

My original answer is partially wrong. Google's solution is currently broken.

Cloud Run is behind Google Cloud IAP. The client making a request can use two HTTP Authorization headers:

  • Authorization: <application authorization token>
  • Proxy-Authorization: Bearer <IDENTITY_TOKEN>

If a valid ID token is found in a Proxy-Authorization header, IAP authorizes the request with it. After authorizing the request, IAP passes the Authorization header to your application without processing the content.

Authenticating from Proxy-Authorization Header

This means the OP was on the right track using the Proxy-Authorization header. However, this feature does not work.

Create an Identity Token:

gcloud auth print-identity-token

Use curl to verify that the token works with a Cloud Run endpoint that requires the Invoker role:

curl -H "Authorization: Bearer $TOKEN" $endpoint

That works. Now try the Proxy-Authorization header:

curl -H "Proxy-Authorization: Bearer $TOKEN" $endpoint

That fails with a 403.

Now try both headers:

curl -H "Proxy-Authorization: Bearer $TOKEN" -H "Authorization: Bearer $ANOTHER_TOKEN" $endpoint

That fails with 401 "The access token could not be verified".
I am using documented methods to use two authorization headers, but this feature does not work.

The PHP SDK did not have the proxy-authorization header support added until June 25, 2021. I created a test application from Google's example. That also failed with the same errors.

June 25, 2021 Patch

John Hanley

Comments:

  • Thanks for your suggestion. I took the Dockerfile of the service and just deployed it. I therefore did not delve deep into re-configuring the uwsgi service. – felix.goroncy Dec 27 '19 at 08:06
  • Thanks, I found out after spending too much time redoing everything that my configuration works fine using a regular Authorization key. I was planning on using Proxy-Authorization from the start as the application will need internal authorization, but using a custom header seems like a good solution. – bajaco Nov 13 '21 at 04:01
  • Reproduced the same broken feature and logged this in Google's IssueTracker if you would like to follow along: https://issuetracker.google.com/issues/214408198 – Jeremy P Jan 14 '22 at 19:39
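As an added example (not code from the answer or from Google), this is the app-side half of the custom-header workaround the answer proposes: IAP keeps the real Authorization header for its bearer token, and the app reads its Basic credentials from X-MyApp-Authorization instead. The header name is the answer's; the user table and sample request are constructed, and header lookup is assumed to be case-insensitive.

```python
import base64
import binascii
import hmac

# Header name suggested in the answer above; Authorization itself is left to IAP.
CUSTOM_AUTH_HEADER = "X-MyApp-Authorization"


def make_custom_basic_header(user, password):
    """Build the header value a client would send (e.g. via curl -H)."""
    blob = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {blob}"


def parse_custom_basic(headers):
    """Return (user, password) from the custom header, or None if absent or malformed."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(CUSTOM_AUTH_HEADER.lower())
    if value is None:
        return None
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def check_custom_basic(headers, users):
    """True only for a known user with the right password.

    The comparison is constant-time and always runs, so response timing does
    not reveal whether the user name exists.
    """
    creds = parse_custom_basic(headers)
    if creds is None:
        return False
    user, password = creds
    expected = users.get(user, "")
    matched = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matched and user in users


# Constructed sample: what the app sees once IAP has let the request through.
USERS = {"alice": "s3cret"}
SAMPLE_HEADERS = {
    "Authorization": "Bearer <IAP identity token, passed through untouched>",
    CUSTOM_AUTH_HEADER: make_custom_basic_header("alice", "s3cret"),
}

if __name__ == "__main__":
    print(check_custom_basic(SAMPLE_HEADERS, USERS))  # prints True
```

The matching client call is curl -H "Authorization: Bearer $TOKEN" -H "X-MyApp-Authorization: Basic ..." $endpoint, with the Basic value built as in make_custom_basic_header.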

Does it happen to work if you send two Authorization headers, like curl -H "Authorization: bearer foo" -H "Authorization: basic bar" ?

--Matthew, Google Cloud IAP engineering

Matthew Sachs