Deploying web services behind Google Cloud Identity-Aware Proxy (IAP) blocks requests that do not carry a valid Google identity before they reach your API. This guide details how to authenticate requests from users of your Android or iOS client applications to an IAP-secured backend.
Summary
- Enable IAP on the backend service
- Use Google Sign-In to obtain an OIDC ID token for the user whose audience is the backend's OAuth Client ID (not the Android or iOS Client ID)
- Pass the user's ID token as a Bearer token in the Authorization header of every HTTP request to the backend
Backend Service
First, enable IAP on your backend web service. The details vary by compute platform, so follow Google's documentation for enabling IAP on the platform you use.
As part of the IAP configuration you will have created an OAuth Client ID for Web Applications. Make a note of this Client ID: IAP only accepts ID tokens whose audience is this Client ID, so you will need it when signing in from your app(s).
Android
To connect to your backend service from an Android app, first create an OAuth Client ID for Android. This requires the Package Name and the SHA-1 fingerprint of your app's signing certificate (or of the debug key for development builds).
Use the Google Sign-In library to prompt the user for their Google account. In the GoogleSignInOptions builder, request the user's email and an ID token, passing the Client ID of the backend service to requestIdToken() (i.e. NOT the Client ID for Android). The Android Client ID is never referenced in code; Google matches it against the package name and signing certificate. The backend Client ID becomes the audience (aud claim) of the ID token, which is what IAP checks.
import android.content.Intent;
import com.google.android.gms.auth.api.signin.GoogleSignIn;
import com.google.android.gms.auth.api.signin.GoogleSignInClient;
import com.google.android.gms.auth.api.signin.GoogleSignInOptions;

GoogleSignInOptions options = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestEmail()
        // The backend (web) Client ID, not the Android Client ID, so the
        // ID token's audience is the IAP-protected backend.
        .requestIdToken("{BACKEND_OAUTH_CLIENT_ID}")
        .build();
GoogleSignInClient client = GoogleSignIn.getClient(this, options);

Intent signInIntent = client.getSignInIntent();
startActivityForResult(signInIntent, RC_SIGN_IN);
In the result handler for the Google Sign-In activity, retrieve the ID token from the getIdToken() method on the GoogleSignInAccount object. It is null when requestIdToken() was not called, so check it before making any backend request.
@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
    super.onActivityResult(requestCode, resultCode, data);
    if (requestCode == RC_SIGN_IN) {
        try {
            Task<GoogleSignInAccount> task = GoogleSignIn.getSignedInAccountFromIntent(data);
            GoogleSignInAccount account = task.getResult(ApiException.class);
            String token = account.getIdToken();
            if (token == null) {
                // requestIdToken() was not configured; do not call the backend without a token
                return;
            }
            // Keep the token in memory and send it as the Bearer token on backend requests
        } catch (ApiException e) {
            // Sign-in failed or was cancelled; e.getStatusCode() gives the reason
        }
    }
}
iOS
To connect to your backend service from an iOS app, first create an OAuth Client ID for iOS. This requires the Bundle ID and, optionally, the App Store ID and Team ID.
Download the plist file for the Client ID, open it in a text editor, and locate the REVERSED_CLIENT_ID property. Copy this value.
In Xcode, open the project configuration and select your app from the TARGETS list. Navigate to the Info tab and expand the URL Types section. Click the + button to add a new type and paste the REVERSED_CLIENT_ID value from the plist file into the URL Schemes field.
Use the Google Sign-In library to prompt the user for their Google account. In the GIDConfiguration initializer, set clientID to the Client ID for iOS and serverClientID to the Client ID of the backend service; as on Android, the backend Client ID becomes the audience of the ID token. In the sign-in callback, retrieve the ID token from the idToken property of the user's authentication object.
import GoogleSignIn

let config = GIDConfiguration(
    clientID: "{IOS_OAUTH_CLIENT_ID}",
    // The backend (web) Client ID, so the ID token's audience is the IAP-protected backend
    serverClientID: "{BACKEND_OAUTH_CLIENT_ID}"
)
GIDSignIn.sharedInstance.signIn(with: config, presenting: self) { user, error in
    guard error == nil, let user = user else {
        // Sign-in failed or was cancelled
        return
    }
    // do(completion:) refreshes the tokens if they have expired before handing them back
    user.authentication.do { authentication, error in
        guard error == nil, let token = authentication?.idToken else {
            // No ID token: check that serverClientID is the backend Client ID
            return
        }
        // Send token as the Bearer token on backend requests
    }
}
HTTP Requests
Pass the ID token obtained from Google Sign-In as a Bearer token in the Authorization header of every HTTP request to your backend service. Google ID tokens expire after about an hour, so obtain a fresh token before each session of requests (silentSignIn() on Android, authentication.do on iOS) rather than caching one for the life of the app. If the token's audience is not the backend Client ID, IAP rejects the request with HTTP 401.
Authorization: Bearer {OIDC_TOKEN}
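The checks IAP applies to the token are the same ones that go wrong when the app is misconfigured, so it helps to pre-flight them on the client or in a test. The following Python is an added example, not code from this guide or from Google's libraries: it reads the claims of an ID token without verifying the signature (IAP verifies the signature against Google's public keys; the client only forwards the token), confirms the issuer, audience and expiry that IAP requires, and builds the Authorization header. The two Client ID values and the sample token are constructed for the example; make_sample_id_token() produces an unsigned token shaped like a Google ID token purely so the checks can run offline.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Hypothetical identifiers standing in for the Client IDs from the Cloud Console.
BACKEND_OAUTH_CLIENT_ID = "123456789-backend.apps.googleusercontent.com"
ANDROID_OAUTH_CLIENT_ID = "123456789-android.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    The client is not a trust boundary: it forwards the token and IAP checks
    the signature. Reading the claims here only tells us whether the token
    is one IAP could accept.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_iap(token: str, backend_client_id: str,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Pre-flight the issuer, audience and expiry checks IAP applies.

    Returns (ok, reason). A failure here means IAP will answer 401, most often
    because the app requested the token with the Android/iOS Client ID instead
    of the backend's Client ID.
    """
    now = time.time() if now is None else now
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # covers malformed base64 and JSON too
        return False, f"malformed token: {exc}"
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, f"unexpected issuer {claims.get('iss')!r}"
    if claims.get("aud") != backend_client_id:
        return False, f"audience {claims.get('aud')!r} is not the backend Client ID"
    if claims.get("exp", 0) <= now:
        return False, "token has expired; sign in again or refresh before sending"
    return True, "ok"


def bearer_headers(token: str) -> dict:
    """Build the Authorization header IAP expects on every request."""
    return {"Authorization": f"Bearer {token}"}


def make_sample_id_token(aud: str, exp: float) -> str:
    """Constructed, UNSIGNED sample token shaped like a Google ID token.

    Only for exercising the checks above offline; a real token is RS256-signed
    by Google and IAP rejects anything unsigned.
    """
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "https://accounts.google.com",
        "azp": ANDROID_OAUTH_CLIENT_ID,  # the app that requested the token
        "aud": aud,                      # the party meant to consume it
        "sub": "1234567890",
        "email": "user@example.com",
        "iat": int(exp) - 3600,
        "exp": int(exp),
    }
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    now = time.time()
    good = make_sample_id_token(BACKEND_OAUTH_CLIENT_ID, now + 3600)
    wrong_aud = make_sample_id_token(ANDROID_OAUTH_CLIENT_ID, now + 3600)
    for label, tok in (("backend aud", good), ("android aud", wrong_aud)):
        print(label, check_token_for_iap(tok, BACKEND_OAUTH_CLIENT_ID))
    print(bearer_headers(good)["Authorization"][:40] + "...")
```

Running it shows the token requested with the backend Client ID passing and the one requested with the Android Client ID failing on the audience check, which is the symptom you see as a 401 from IAP when serverClientId or serverClientID is set to the wrong value.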
References
Setting Up OAuth in Google Cloud Console
IAP Programmatic Authentication from a Mobile App
Get Started with Google Sign-In - Android
Get Started with Google Sign-In - iOS
Related
Securing Remote Access with Google Cloud Identity-Aware Proxy (IAP)