Identity Aware Proxy(IAP) in GCP - google-app-engine

I was learning about IAP in GCP, which is used for authentication and authorization to GCP hosted apps.
Thoughts
Even before IAP was introduced in GCP, users could be authenticated and authorized using login credentials and google IAM policies.
Okay, IAP replaces VPN, users can work from untrusted networks.
Query
Please correct me if i am thinking wrong.
But if my app./resource is hosted in GCP, than it is accessible publicly with proper authentication and authorization, there is obviously no need of VPN. In this scenario, what is the significance of IAP.
What is the new thing in IAP, as IAP also does the same thing for authentication and authorization?

You wouldn't technically need IAP if you've already got an app which is secured with proper authentication and authorization, though it still may be desirable. One reason is that IAP gives you the ability to configure individual access outside of your application, rather than needing to control ACLs internally in your app's code. The App Engine IAP quickstart has a good overview of how IAP config works for securing an app.
You can think of IAP as filling the role of a VPN while also giving you the flexibility of OAuth. It is mainly targeted towards perimeter security which is traditionally accomplished by using firewalls and VPNs to secure privileged network resources like intranets which are hosted on premises. IAP allows you to set up a cloud-hosted intranet in much the same way as you'd do on-premises, with access control handled at the perimeter by IAP. This is explained very well in the Google research paper "BeyondCorp - A New Approach to Enterprise Security".

Related

React SPA with oidc-client and client secret

I'm building a React SPA on top of a ASP.NET Core API and I want to authenticate with OIDC. Grant type is authorization code and the client does have a client secret.
Since we will be using a client secret, the authorization step that involves the secret has to go through a proxy that we control.
Is this doable in a React SPA with oidc-client?
If the secret is in the client, it's not a secret. :)
Secrets are for server-server authentication, because the secret is secure on a server (we hope so, anyway) and the API granting access has a whitelist of consumers it's granted access to use the secret.
For a SPA, if you're talking about allowing an app to use an API, I believe you're limited to using a CORS whitelist. If you're talking about a user accessing the API via the client, then you're looking at access codes and usernames/password.
PROBLEM
You have a blocking issue with the authentication system, or with usability or getting security to an acceptable level. In your case there is no PKCE support.
PROXYING SOLUTION
Use oidc-client which will add PKCE parameters and your SPA security supports the latest standards.
The client secret will come into play during the authorization code grant and refresh token grant messages.
Messages can be adapted server side to remove PKCE and use a client secret instead. It is quite a complex solution though and not everyone will like it.
It requires a SameSite cookie issued by the web domain. In my case I used an AWS lambda edge function that runs within a CloudFront content delivery network.
WHY DO IT THIS WAY?
In order to fit into an SPA architecture and meet wider goals in areas such as usability, coding model, mobile integration and global web performance. Depends if you feel it is worth the effort.
LINKS
Architecture Goals
Design Pattern
Code Sample you can run
Online AWS SPA
Proxying details

User authentication with Servlets on App Engine

I'm new to web dev, and trying to build an application using google app engine's java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in app engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using app engine? I've read some about 'web container managed authentication' but I'm not sure if its something app engine will support, or if its a full solution.
Is it possible/feasible to roll fully custom authentication in the app engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As it's mention on the OpenID Connect documents of Google Cloud, it's important for you and your users security to authenticate using well proven and debugged code. Google offers Firebase Authentication which let's users log in with an Email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework and probably it will have an authorizing process.
For example, in python you can use Django authorize system to provide users for a custom way to log in.
But, as I said before, I highly recommend you to use the Google APIs for authorizing as they are OpenID certificated.

Google Cloud Endpoints oauth

I am new to cloud programming and will be making a GAE app with Cloud Endpoints.
I would like to use Oauth, but for Microsoft accounts as well as Google accounts.
I am having a hard time finding a definitive answer in the docs. I have read posts that are 3-4 years old stating that Cloud Endpoints only supports Oauth with Google accounts, but is this still the case?
You can go to Choosing an Authentication Method. There is a section titled Auth0 which states:
Auth0 authenticates and authorizes apps and APIs regardless of
identity provider, platform, stack and device.
Auth0 supports a large number of providers and the Security Assertion
Markup Language specification. It provides backend services, SDKs and
user interface libraries for authenticating users in web and mobile
apps......
.....
This might be what you need. Hope this helps

Limiting App Engine Flex to internal access only without App Engine Firewall?

Let's say I'm deploying a GAE Flex app and I want to restrict access to be only internal. Since GAE Flex is just a wrapper on GCE, according to the documentation, in the app.yaml file I can specify a VPC under name which will launch the instance into the specified VPC.
If the VPC is set up to only allow internal access, do I need to do any additional configuration of App Engine firewall rules to ensure this consistency?
More broadly speaking, what does the App Engine Firewall do differently than a VPC's Firewall rules? Does App Engine Firewall override the firewall rules set by a VPC?
With regards to your broader question about the difference between the two, you should bear in mind that VPCs allow for a wider variety of approaches to configuring your internal access, including not just firewall rules and routes but also network tags. The App Engine firewall permits only configuration of an ordered list of rules that can allow or deny access from the specified IP address or ranges.
Both will need to be configured correctly in order to control access and ensure that your application can send and receive traffic in the desired way.
I would encourage you to checkout Cloud Identity-Aware Proxy. It's a free service from GCP.
Cloud IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
When an application or resource is protected by Cloud IAP, it can only be accessed through the proxy by members, also known as users, who have the correct Cloud Identity and Access Management (Cloud IAM) role.
When you grant a user access to an application or resource by Cloud IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access a Cloud IAP-secured resource, Cloud IAP performs authentication and authorization checks.
https://cloud.google.com/iap/

Cloud Apps and Single Sign-On (AD integration)

I've been investigating some cloud vendors and the ability to implement single sign-on with them, especially when it comes to AD (Active Directory) integration.
So far I've learned that with Azure this is possible through ADFS and the AppFabric Access Control offer.
In AWS, since it is possible to create a VPN and see EC2 instances as a natural extension of a private datacenter, I believe implementing SSO would be rather simple (not sure if I'm right on this one... Please correct me if I'm wrong).
With App Engine though, even though there is some documentation on AD synchronization (not full integration) for Google Apps, I'm struggling to find out whether AD integration would be possible... Is there any strategy for that?
Any bit of information on cloud apps and AD integration will be appreciated!
App engine apps can only call out to other services using HTTP or HTTPS, so you could not directly query an AD server. Of course, I'm sure you could build a simple HTTP/LDAP bridge if one does not already exist.
UPDATE: oops, I forgot about SDC,or Secure Data Connector. It is not exactly a HTTP/LDAP bridge, but can provide a bridge between your intranet and your Google App Engine app.
You typicially don't need communication between the application (in this case running in GAE) and AD.
You would, instead, get a security token from and STS (ADFS) and then send the token to the app that is would be configured to accept and trust those tokens.
I'm not familiar w/ GAE but assuming it accepts SAML tokens and understands WS-Federation, you can achieve SSO without ever exposing AD or synchronizing any information between AD and GAE (using ADFS for example)
This is a classic identity federation scenario.

Resources