Skip to content

Add a sample for Google Cloud Identity-Aware Proxy #142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 7, 2018
Merged

Add a sample for Google Cloud Identity-Aware Proxy #142

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Add a sample for Google Cloud Identity-Aware Proxy
  • Loading branch information
Eric Koleda committed Sep 6, 2018
commit a3f14e66cf9863c0b03e56c3a0b5580e843b8f6e
102 changes: 102 additions & 0 deletions samples/CloudIdentityAwareProxy.gs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
/**
* This sample demonstrates how to connect to an application protected by Google
* Cloud's Identity-Aware Proxy (IAP).
* @see https://cloud.google.com/iap/docs/authentication-howto
*/

// A client ID and secret created for this script. It must be in the same Cloud
// Console project as the IAP-secured application.
var CLIENT_ID = '...';
var CLIENT_SECRET = '...';

// The OAuth client created automatically when you enabled IAP on your
// applicaiton. Can be found by clicking "Edit OAuth Client" in the IAP
// interface.
var IAP_CLIENT_ID = '...';

// A URL endpoint for your IAP-secured application.
var IAP_URL = '...';

/**
* Authorizes and makes a request to an endpoint protected by the Cloud
* Identity-Aware Proxy.
*/
function run() {
var service = getService();
if (service.hasAccess()) {
var response = UrlFetchApp.fetch(IAP_URL, {
headers: {
// As per the IAP documentation, use the id_token, not the access_token,
// to authorize the request.
Authorization: 'Bearer ' + service.getToken().id_token
}
});
var result = response.getContentText();
Logger.log(JSON.stringify(result, null, 2));
} else {
var authorizationUrl = service.getAuthorizationUrl();
Logger.log('Open the following URL and re-run the script: %s',
authorizationUrl);
}
}

/**
* Reset the authorization state, so that it can be re-tested.
*/
function reset() {
getService().reset();
}

/**
* Configures the service.
*/
function getService() {
return OAuth2.createService('CloudIAP')
// Set the endpoint URLs.
.setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
.setTokenUrl('https://www.googleapis.com/oauth2/v4/token')

// Set the client ID and secret.
.setClientId(CLIENT_ID)
.setClientSecret(CLIENT_SECRET)

// Set the name of the callback function that should be invoked to
// complete the OAuth flow.
.setCallbackFunction('authCallback')

// Set the property store where authorized tokens should be persisted.
.setPropertyStore(PropertiesService.getUserProperties())

// Set the scope and additional Google-specific parameters.
.setScope('openid email')
.setParam('access_type', 'offline')
.setParam('approval_prompt', 'force')
.setParam('login_hint', Session.getActiveUser().getEmail())

// Modify the token request payload to specify the "audience" parameter,
// which must be set to the IAP client ID.
.setTokenPayloadHandler(function(payload) {
payload.audience = IAP_CLIENT_ID;
return payload;
});
}

/**
* Handles the OAuth callback.
*/
function authCallback(request) {
var service = getService();
var authorized = service.handleCallback(request);
if (authorized) {
return HtmlService.createHtmlOutput('Success!');
} else {
return HtmlService.createHtmlOutput('Denied.');
}
}

/**
* Logs the redict URI to register in the Google Developers Console.
*/
function logRedirectUri() {
Logger.log(getService().getRedirectUri());
}