For the record, the solution to my issue was what I initially suspected: the IAP authorization process does in fact allow AJAX requests to access other IAP protected resources (e.g. my backend API in this example). The issue was related to the `fetch()` method on the front end client, which by default does not send cookies with the HTTP requests. You must pass `credentials: 'include'` in the options to fetch.
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch > By default, fetch won't send or receive any cookies from the server, > resulting in unauthenticated requests if the site relies on maintaining a > user session (to send cookies, the credentials init option must be set). > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/10779e3e-dd12-45cb-8de3-3cac8ba84b25%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
