Is it necessary to validate signed headers from IAP in the AppEngine Standard Python 3.7 runtime?
The IAP documentation is silent on specifics for the Python 3.7 runtime.
The IAP documentation says:
The Users API is not available for Standard 3.7. Signed headers are. Validating the headers is possible.
I can see that the App Engine environment adds some headers. I'm wondering if the X-Appengine- values can be implicitly trusted (i.e., does App Engine attach these after validating the headers from IAP)?
X-Appengine-User-Id: <user id>
X-Appengine-Auth-Domain: <domain>
X-Appengine-User-Email: <user email>
...
X-Goog-Iap-Jwt-Assertion: <assertion>
X-Goog-Authenticated-User-Email: accounts.google.com:<user email>
X-Goog-Authenticated-User-Id: accounts.google.com:<user id>
Signed headers provide secondary security in case someone bypasses IAP. Note that when IAP is turned on, it strips the x-goog-* headers provided by the client when the request goes through the IAP serving infrastructure.
Identity-Aware Proxy (IAP) is a Google Cloud Platform service that intercepts web requests sent to your application, authenticates the user making the request using the Google Identity Service, and only lets the requests through if they come from a user you authorize.
Identity-Aware Proxy (IAP) allows you to manage access to HTTP-based apps outside of Google Cloud. This includes apps on-premises in your enterprise's data centers. To learn how to secure on-premises apps with IAP, see Setting up IAP for on-premises apps.
From App Engine-specific headers:

For login:admin or login:required handlers specified in app.yaml, App Engine also provides the following set of headers:
X-AppEngine-User-Email, with example header: "[email protected]"
X-AppEngine-Auth-Domain, with example header: "example.com"
X-AppEngine-User-ID, with example header: "100979712376541954724"
So they can be trusted not to come from outside GAE. But I'm unsure how they relate to the IAP infra.
Since the Users API isn't supported I'd follow the advice for the flexible environment which, from this perspective, seems closer to the Python3 runtime - I'd validate the signed headers.
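Following that advice, here is an added example (not code from the question, the answer, or Google's documentation) of validating the X-Goog-Iap-Jwt-Assertion header in a Python 3.7 App Engine app. It assumes the google-auth package for the ES256 signature check against the IAP public keys, and that the expected audience for App Engine has the form /projects/PROJECT_NUMBER/apps/PROJECT_ID; the trust decision rests only on the signed assertion, never on the unsigned X-Goog-Authenticated-User-* or X-AppEngine-* headers.

```python
import time

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
IAP_HEADER = "X-Goog-Iap-Jwt-Assertion"


def check_iap_claims(payload, expected_audience, now=None):
    """Check the claims of an IAP JWT whose signature was already verified.

    Returns (user_id, email) or raises ValueError on the first failed check.
    expected_audience is assumed to be '/projects/<number>/apps/<project_id>'.
    """
    now = time.time() if now is None else now
    if payload.get("iss") != IAP_ISSUER:
        raise ValueError("wrong issuer: %r" % payload.get("iss"))
    if payload.get("aud") != expected_audience:
        raise ValueError("wrong audience: %r" % payload.get("aud"))
    # exp and iat bound the token lifetime; a replayed old token fails here.
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if not isinstance(iat, (int, float)) or iat > now + 60:
        raise ValueError("token issued in the future or missing iat")
    if not payload.get("sub") or not payload.get("email"):
        raise ValueError("missing sub or email claim")
    return payload["sub"], payload["email"]


def verify_iap_jwt(iap_jwt, expected_audience):
    """Verify the ES256 signature against Google's IAP keys, then the claims."""
    # google-auth fetches the published keys and checks signature, audience
    # and expiry; imported lazily so the claim checks stay usable without it.
    from google.auth.transport import requests as google_requests
    from google.oauth2 import id_token

    payload = id_token.verify_token(
        iap_jwt, google_requests.Request(),
        audience=expected_audience, certs_url=IAP_CERTS_URL)
    return check_iap_claims(payload, expected_audience)


def user_from_request(headers, expected_audience):
    """Identify the caller from a request's headers (dict-like, e.g. Flask's).

    Only the signed assertion is trusted; if it is absent the request did not
    traverse IAP (or IAP is off), so no identity is returned.
    """
    token = headers.get(IAP_HEADER)
    if not token:
        raise ValueError("no %s header: request did not pass through IAP" % IAP_HEADER)
    return verify_iap_jwt(token, expected_audience)
```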