It feels like there's a missing link here, but I've followed the IAP docs 
to the letter for setting up IAP authentication in my app and I'm still 
running into issues, so here we go..

I have a Node.js application deployed in the App Engine flexible 
environment. It serves some basic content using handlebars and services a 
RESTful API using express. Everything client side appears to work as it 
does on my local dev system (pages load, IAP authentication works as 
intended allowing only the whitelisted users). The server side verifies the 
JWT provided by IAP utilizing signed headers. The problem comes in when I 
POST (via fetch) to my server in App Engine. The request gets 302 
redirected to a Google oauth URL which then consequently fails with HTTP 
code 405 because of the preflight method OPTIONS not being supported by the 
oauth endpoint. I'm also seeing a duplicate request sent to my API endpoint 
that is duplicated except the method is GET and the payload is stripped, 
which also returns code 302 (this is part of the preflight I imagine)

Why is my request to my own server being redirected to an oauth endpoint? 
This is never mentioned in the docs. Do I need to handle this case, or are 
there CORS configurations that I need to account for?

The entire error method I see is here:

Failed to load https://accounts.google.com/o/oauth2/v2/auth?<headers>: 
Response to preflight request doesn't pass access control check: No 
'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'https://<my_project>.appspot.com' is therefore not allowed access. 
The response had HTTP status code 405. If an opaque response serves your 
needs, set the request's mode to 'no-cors' to fetch the resource with CORS 
disabled.

Any help would be appreciated...
