I have a similar issue to this question (but with a key difference: I'm 
hitting my own API): 405 when authenticating using Google Auth, Angular 4, 
ASP.Net Core 2 
<https://stackoverflow.com/questions/46133149/405-when-authenticating-using-google-auth-angular-4-asp-net-core-2>

I am using Identity Aware Proxy (IAP) to authenticate users in my 
enterprise domain to our custom app deployed on App Engine flexible 
environment, written in Node.js. The app is serving assets and maintaining 
a RESTful API using express, and is authorizing requests using signed 
headers as suggested by the IAP docs 
<https://cloud.google.com/iap/docs/signed-headers-howto>.

IAP is functioning as intended with regard to limiting users to the 
application, but the problem comes when attempting to make AJAX calls to my 
own RESTful API. When I attempt to do this, the HTTP request responds with 
a 302 redirect, redirects to the Google oauth2 endpoint (
https://accounts.google.com/o/oauth2/v2/auth?client_id=[...]), and then 
fails with the following error:


Response to preflight request doesn't pass access control check: No 
'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'https://<my_project>.appspot.com' is therefore not allowed access. The 
response had HTTP status code 405. If an opaque response serves your needs, set 
the request's mode to 'no-cors' to fetch the resource with CORS disabled.

The AJAX in question is a POST method request, but in the Network tab of 
dev tools I also see a mimicked request to the same endpoint as a GET 
request (same headers, just with payload stripped off), and then the 
OPTIONS request to the OAuth endpoint (where the error is generated as 
OAuth doesn't handle OPTIONS preflight requests).

[image: enter image description here] <https://i.stack.imgur.com/8KMyK.png>

I have followed the IAP and App Engine docs to the letter, so I suspect I 
am missing something on my implementation side that is implied by the docs 
and I overlooked. Do I need to handle AJAX authentication differently? Why 
is it being sent to the OAuth endpoint? Is this related to my CORS 
configuration?

I have tried clearing cache, different devices/browsers, various CORS 
configurations using cors <https://github.com/expressjs/cors>.

It makes sense to me why the request is failing, but I do not understand 
why the request is being made in the first place. I understand the CORS 
limitations, but I am not sending requests to a Google service (directly), 
rather I am sending to my own RESTful API (albeit, hosted on Google 
services and behind IAP). If the user is already authenticated to get into 
my app and past IAP, it seems to me that the AJAX requests should be 
authenticated as well?

https://stackoverflow.com/questions/50221155/app-engine-identity-aware-proxy-ajax-requests-failing-with-http-code-405
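
The failure described in this post, seen from the client side, as an added example that is not part of the original message: a `fetch` wrapper that refuses to follow a redirect and reports it as a sign-in requirement, rather than letting the browser follow it to the OAuth endpoint and fail on the CORS preflight. `callApi`, `isLoginRedirect` and `IapLoginRequired` are hypothetical names, and the sketch assumes the API is same-origin with the page and never issues redirects of its own.

```javascript
// Added example; all names here are hypothetical, not from the post or from IAP.
const LOGIN_HOST = 'accounts.google.com'; // host of the OAuth endpoint named in the post

class IapLoginRequired extends Error {
  constructor(url) {
    super(`request to ${url} was redirected to sign-in instead of reaching the API`);
    this.name = 'IapLoginRequired';
  }
}

// True when a response is a redirect to sign-in rather than a reply from the API.
function isLoginRedirect(res) {
  // Browsers hide an unfollowed redirect behind an opaque, status-0 response.
  // Assumption: the API itself never redirects, so any redirect means sign-in.
  if (res.type === 'opaqueredirect') return true;
  // Runtimes that expose the 3xx response (e.g. Node) let us inspect Location.
  if (res.status >= 300 && res.status < 400) {
    const loc = res.headers.get('location') || '';
    try {
      return new URL(loc, 'https://placeholder.invalid').hostname === LOGIN_HOST;
    } catch {
      return false; // unparsable Location: not recognisably a sign-in redirect
    }
  }
  return false;
}

// POST JSON to our own API; fetchImpl is injectable so the logic can be tested offline.
async function callApi(url, body, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
    credentials: 'same-origin', // send this origin's session cookies with the call
    redirect: 'manual',         // never follow a 302 to another origin
  });
  if (isLoginRedirect(res)) throw new IapLoginRequired(url);
  if (!res.ok) throw new Error(`API error ${res.status}`);
  return res.json();
}
```

A caller can catch `IapLoginRequired` and trigger a full-page navigation so the sign-in flow runs as a top-level request instead of inside an AJAX call.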
