|
| 1 | +/** |
| 2 | + * This sample demonstrates how to connect to an application protected by Google |
| 3 | + * Cloud's Identity-Aware Proxy (IAP). |
| 4 | + * @see https://cloud.google.com/iap/docs/authentication-howto |
| 5 | + */ |
| 6 | + |
| 7 | +// A client ID and secret created for this script. It must be in the same Cloud |
| 8 | +// Console project as the IAP-secured application. |
| 9 | +var CLIENT_ID = '...'; |
| 10 | +var CLIENT_SECRET = '...'; |
| 11 | + |
| 12 | +// The OAuth client created automatically when you enabled IAP on your |
| 13 | +// applicaiton. Can be found by clicking "Edit OAuth Client" in the IAP |
| 14 | +// interface. |
| 15 | +var IAP_CLIENT_ID = '...'; |
| 16 | + |
| 17 | +// A URL endpoint for your IAP-secured application. |
| 18 | +var IAP_URL = '...'; |
| 19 | + |
| 20 | +/** |
| 21 | + * Authorizes and makes a request to an endpoint protected by the Cloud |
| 22 | + * Identity-Aware Proxy. |
| 23 | + */ |
| 24 | +function run() { |
| 25 | + var service = getService(); |
| 26 | + if (service.hasAccess()) { |
| 27 | + var response = UrlFetchApp.fetch(IAP_URL, { |
| 28 | + headers: { |
| 29 | + // As per the IAP documentation, use the id_token, not the access_token, |
| 30 | + // to authorize the request. |
| 31 | + Authorization: 'Bearer ' + service.getToken().id_token |
| 32 | + } |
| 33 | + }); |
| 34 | + var result = response.getContentText(); |
| 35 | + Logger.log(JSON.stringify(result, null, 2)); |
| 36 | + } else { |
| 37 | + var authorizationUrl = service.getAuthorizationUrl(); |
| 38 | + Logger.log('Open the following URL and re-run the script: %s', |
| 39 | + authorizationUrl); |
| 40 | + } |
| 41 | +} |
| 42 | + |
| 43 | +/** |
| 44 | + * Reset the authorization state, so that it can be re-tested. |
| 45 | + */ |
| 46 | +function reset() { |
| 47 | + getService().reset(); |
| 48 | +} |
| 49 | + |
| 50 | +/** |
| 51 | + * Configures the service. |
| 52 | + */ |
| 53 | +function getService() { |
| 54 | + return OAuth2.createService('CloudIAP') |
| 55 | + // Set the endpoint URLs. |
| 56 | + .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth') |
| 57 | + .setTokenUrl('https://www.googleapis.com/oauth2/v4/token') |
| 58 | + |
| 59 | + // Set the client ID and secret. |
| 60 | + .setClientId(CLIENT_ID) |
| 61 | + .setClientSecret(CLIENT_SECRET) |
| 62 | + |
| 63 | + // Set the name of the callback function that should be invoked to |
| 64 | + // complete the OAuth flow. |
| 65 | + .setCallbackFunction('authCallback') |
| 66 | + |
| 67 | + // Set the property store where authorized tokens should be persisted. |
| 68 | + .setPropertyStore(PropertiesService.getUserProperties()) |
| 69 | + |
| 70 | + // Set the scope and additional Google-specific parameters. |
| 71 | + .setScope('openid email') |
| 72 | + .setParam('access_type', 'offline') |
| 73 | + .setParam('approval_prompt', 'force') |
| 74 | + .setParam('login_hint', Session.getActiveUser().getEmail()) |
| 75 | + |
| 76 | + // Modify the token request payload to specify the "audience" parameter, |
| 77 | + // which must be set to the IAP client ID. |
| 78 | + .setTokenPayloadHandler(function(payload) { |
| 79 | + payload.audience = IAP_CLIENT_ID; |
| 80 | + return payload; |
| 81 | + }); |
| 82 | +} |
| 83 | + |
| 84 | +/** |
| 85 | + * Handles the OAuth callback. |
| 86 | + */ |
| 87 | +function authCallback(request) { |
| 88 | + var service = getService(); |
| 89 | + var authorized = service.handleCallback(request); |
| 90 | + if (authorized) { |
| 91 | + return HtmlService.createHtmlOutput('Success!'); |
| 92 | + } else { |
| 93 | + return HtmlService.createHtmlOutput('Denied.'); |
| 94 | + } |
| 95 | +} |
| 96 | + |
| 97 | +/** |
| 98 | + * Logs the redict URI to register in the Google Developers Console. |
| 99 | + */ |
| 100 | +function logRedirectUri() { |
| 101 | + Logger.log(getService().getRedirectUri()); |
| 102 | +} |
0 commit comments