That does not seem like the same thing to me. I'd be expecting the authenticated user's credentials as part of the JWT identity, not the service account. It is the user's actions on the application that triggered the API calls, after all. To get this I would need to implement an implicit OAuth flow, if I understand this correctly. Can I utilize the already obtained token from IAP OAuth to authenticate AJAX requests on behalf of the user?
On Wednesday, May 9, 2018 at 9:20:44 AM UTC-5, Jordan (Cloud Platform Support) wrote:
> The claim set <https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests> (found under the 'HTTP/REST' tab) of the Service Account JWT is identical to that of the claim set required by Cloud IAP Signed Headers <https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers>; the only difference being 'email' is 'iss' for the service account email address.
>
> So once you decode the JWT, if you are missing the 'email' claim you know it is a program making a request via a service account, and to check the 'iss' claim for the service account email.
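The quoted reply describes a decode-then-dispatch rule: an 'email' claim means an end user, otherwise 'iss' names the service account. The example below is added here and is not code from the thread or from Google. It verifies the token before trusting any claim (signature, algorithm, audience, expiry) and only then applies the rule. To run offline it signs and verifies with HS256 and a constructed shared secret; real Cloud IAP signed headers are ES256 and must be checked against Google's published public keys, and the audience string, the fixed clock, the e-mail addresses and the fact that both constructed tokens carry the same 'aud' are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. Real IAP assertions are ES256 and verified against
# Google's public keys; only the claim handling below carries over unchanged.
SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_AUD = "/projects/123456789/apps/example-app"  # assumed audience value
NOW = 1_525_000_000  # fixed clock (constructed) so the example is deterministic

# Constructed sample claim sets: one IAP user assertion, one service-account style JWT.
USER_CLAIMS = {
    "iss": "https://cloud.google.com/iap",
    "aud": EXPECTED_AUD,
    "sub": "accounts.google.com:1234567890",
    "email": "[email protected]",
    "iat": NOW,
    "exp": NOW + 600,
}
SA_CLAIMS = {
    "iss": "[email protected]",
    "aud": EXPECTED_AUD,
    "iat": NOW,
    "exp": NOW + 600,
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT (stand-in for the ES256 tokens IAP issues)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Check alg, signature, expiry and audience; raise ValueError on any failure.

    Nothing in the payload is trusted until the signature has been checked,
    and the 'alg' header is pinned so a token cannot pick its own algorithm.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    current = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= current:
        raise ValueError("expired")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


def classify_caller(claims: dict) -> Tuple[str, str]:
    """The rule from the reply: 'email' present -> end user, else 'iss' is the service account."""
    if "email" in claims:
        return ("user", claims["email"])
    if "iss" in claims:
        return ("service_account", claims["iss"])
    raise ValueError("no identity claim")


def identify(token: str, now: int = NOW) -> Tuple[str, str]:
    """Verify first, then classify; a bad token never reaches the dispatch."""
    return classify_caller(verify_jwt(token, now=now))


def rejection_reason(token: str, now: int = NOW) -> Optional[str]:
    """Return why a token was rejected, or None if it verified."""
    try:
        identify(token, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(identify(sign_jwt(USER_CLAIMS)))
    print(identify(sign_jwt(SA_CLAIMS)))
    forged = sign_jwt(dict(USER_CLAIMS, email="[email protected]"), key=b"wrong-key")
    print(rejection_reason(forged))
```

The ordering is the point: a bare decode of the payload tells you what the token claims, not who sent it. Signature, algorithm pinning, audience and expiry all run before the 'email'/'iss' dispatch, so a caller cannot become a user by adding an 'email' claim to an unsigned or re-signed token.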
