I have a backend service which I don't want to be exposed, and also, only the employees that use G Suite OAuth should access it.
Instead of exposing the backend and adding the OAuth logic to it, I looked at the vouch-proxy project, which fits me very well (a proxy that redirects unauthenticated traffic to the OAuth login page and then, when a valid token is passed, redirects to the backend).
Before using this vouch proxy, does GCP have something built-in for it? Or another kind of setup so that my backend service is not exposed?
Google Cloud provides the Identity-Aware Proxy (IAP), which would precisely fit your needs since it integrates well with a G Suite domain and can sit in front of your load balancer.
Is it possible to handle authentication (using a JWT) with Google's load balancer? I know it uses Envoy proxy under the hood to handle advanced traffic management. But is it just that? I know Envoy has native implementations to validate JWTs (using HTTP filters); can this GCP LB version use that?
If that's not the case, do you know any GCP service that can manage this type of logic + LB? (besides Google's API Gateway)
We cannot use JWT auth with the GCP load balancer. However, you might want to explore IAP for this concern.
Let me also share with you the overview of IAP for further understanding.
You can check this link on how to enable IAP on external load balancer under backend service. Also note that there are possibilities of changes depending on what resource you are using.
I have a Google Cloud Run service that can be accessed either by the Cloud Run URL or by a custom domain via a load balancer in Google Cloud.
Now I am trying to set up some kind of access control, so that the service which runs the development stage can only be accessed by logged-in developers.
So far I tried to set the trigger configuration of the Cloud Run service to "authentication required". That works for the base Cloud Run URL, but on adding a path to the base URL I get a Forbidden error, even though I could access the base URL. And accessing the service via the load balancer always gives a Forbidden.
Is there a way to make the Cloud Run service accessible (including different paths) only to logged-in developers?
And also, is there a way to make the service only accessible by the load balancer URL and not the Cloud Run URL?
Once you require authentication, all requests need to include a token authorized to access the service via any endpoint. You can check out more information here: https://cloud.google.com/run/docs/authenticating/developers
There's also a tool in the gcloud CLI for Cloud Run to make this process easier. If you try gcloud beta run services proxy [your-service], the service will be proxied to localhost, with your identity token included by default.
For restricting access only via the load balancing URL, there's an ingress setting (also settable under the 'triggers' tab). This can be set to 'internal and cloud load balancing'.
You can find more info here: https://cloud.google.com/run/docs/securing/ingress
"Authentication required" for a Cloud Run service really means "Token required". It checks that the right token is attached to the request, but it's up to you how to add that token. Because of that I think it's mostly useful for machine-to-machine communication. It doesn't provide a log-in user interface or client-side code that attaches tokens to users' requests.
If you do want that, Identity Aware Proxy can provide it.
I am trying to set up Google integration in my self-hosted Nextcloud instance. For this I need a Google Cloud API web application OAuth client ID and secret, along with the preset authorized redirect URI from my Nextcloud instance. I can easily create the ID and secret for the web app. But if I put the authorized redirect URI in the Google Cloud OAuth page, it tells me "Save failed: The request has been classified as abusive and was not allowed to proceed".
For context, the domain provided is a Google Domain which I am using with Cloudflare-proxied DNS. Google verification TXT records have been added to Cloudflare. I am self-hosting the Nextcloud instance on a subdomain of this domain behind Nginx Proxy Manager with a Cloudflare SSL certificate. To add, all of these are running as Docker containers on Ubuntu. Additionally, I have also verified the redirect URI as safe from: https://global.sitesafety.trendmicro.com/result.php
Even then, apart from that specific URI, I have tried the URIs of other services I am self-hosting as well as the parent domain. All of these are giving the same message from the GCP OAuth screen.
Kindly help me out with this, considering I am fairly a novice.
I have set up Cloud IAP on a development environment (spun up with Kubernetes and using Let's Encrypt) and everything is working fine.
The setup is pretty basic for this app:
1) An API that has a number of REST endpoints and a persistent data store, in project A
2) A SPA front end app that utilizes said API, in a different project B
In my browser (tried Chrome and Firefox), I can authenticate my Google user in both apps via the IAP screen (by going to each domain in a browser tab), but once I try to use the SPA and it attempts requests to the API, I see the network requests 302 redirect to the Google IAP sign-in page.
Question:
Is there a header or cookie that needs to be sent over via the API requests on behalf of the user so that IAP allows pass-thru?
Note: I see these two cookies, by the way: GCP_IAAP_AUTH_TOKEN and GCP_IAAP_XSRF_NONCE.
What's protected with IAP, "API" or "SPA"? If it's SPA, IAP should work as normal. If it's API, your best option today is to use https://cloud.google.com/iap/docs/authentication-howto to have SPA authenticate to API, and maybe also have it pass down https://cloud.google.com/iap/docs/signed-headers-howto so that API can separately verify the end-user's credentials.
Passing down GCP_IAAP_AUTH_TOKEN from the SPA to the API won't work; we strip that before passing the request to the end-user application for security reasons (in case the transport between the load balancer and the application is HTTP, just to make life a little harder for an attacker).
Can someone help me with my understanding?
So I understand how one can use ADFS and SAML to provide SSO access to the console via IAM. However, I'm not as clear how this can be done at the application level.
So take MS Dynamics as an example. It will be on an EC2 instance which is on a domain controller hosted in the VPC (for management etc.). However, the users themselves will be in an on-prem AD server and we'd want to authenticate users accessing the Dynamics web front end with that on-prem AD server. Is this as simple as setting up ADFS between the two sites and configuring the app itself to use ADFS / SAML for claims-based authentication?
For application-level support, it depends on the ability of the app to support claims-based/SAML authentication. CRM supports ADFS configuration. You have one of two choices:
1) You can hook it up directly to your on-premises ADFS if it is really just about providing access to your corporate employees. If it requires partner access, that ADFS can still federate to other ADFS/IdP organizations.
2) You can set one up in AWS next to or on the DC that it has and treat it as a federation provider, and then set up trust to the corporate ADFS where the users live.
I'd recommend #1 as it is simpler. Go with #2 only if you are operating this as a different company or you are building multiple server apps in this AWS site that require local ADFS for things like server-to-server communication.
Thanks
//Sam