IAP Signed Headers & AppEngine Standard Python 3.7 Runtime
Is it necessary to validate signed headers from IAP in the AppEngine Standard Python 3.7 runtime?

The IAP documentation is silent on specifics for the Python 3.7 runtime.

The IAP documentation says:

  • AppEngine Standard should use the Users API
  • validation is required to secure applications in AppEngine Flex

The Users API is not available for Standard 3.7. Signed headers are. Validating the headers is possible.

I can see that the AppEngine environment adds some headers. I'm wondering if the X-Appengine- values can be implicitly trusted (i.e., does AppEngine attach these after validating the headers from IAP)?

X-Appengine-User-Id: <user id>
X-Appengine-Auth-Domain: <domain>
X-Appengine-User-Email: <user email>
...
X-Goog-Iap-Jwt-Assertion: <assertion>
X-Goog-Authenticated-User-Email: accounts.google.com:<user email> 
X-Goog-Authenticated-User-Id: accounts.google.com:<user id>
Raneeraney answered 6/9, 2018 at 14:4

From App Engine-specific headers:

For login:admin or login:required handlers specified in app.yaml, App Engine also provides the following set of headers:

  • X-AppEngine-User-Email, with example header: "[email protected]"
  • X-AppEngine-Auth-Domain, with example header: "example.com"
  • X-AppEngine-User-ID, with example header: "100979712376541954724"

So they can be trusted not to come from outside GAE. But I'm unsure how they relate to the IAP infra.

Since the Users API isn't supported I'd follow the advice for the flexible environment which, from this perspective, seems closer to the Python3 runtime - I'd validate the signed headers.

Witkin answered 7/9, 2018 at 1:43
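Validating the signed assertion as the answer recommends, shown as an added example that is not part of either post or of Google's own sample code. It relies on the signed X-Goog-IAP-JWT-Assertion header only, treats the unsigned X-Goog-Authenticated-User-* headers as convenience copies to cross-check, and lets the caller inject the verifier so the logic can be exercised without network access. Assumptions: google-auth's `id_token.verify_token` (which raises ValueError on a bad signature, expiry or audience) is available in production, the IAP `sub` claim carries the `accounts.google.com:` prefix while `email` does not, and the audience has the App Engine form `/projects/PROJECT_NUMBER/apps/PROJECT_ID`.

```python
from typing import Callable, Mapping, Optional, Tuple

# Public key endpoint and issuer published in the IAP documentation.
IAP_PUBLIC_KEYS_URL = "https://www.gstatic.com/iap/verify/public_key"
IAP_ISSUER = "https://cloud.google.com/iap"
ASSERTION_HEADER = "x-goog-iap-jwt-assertion"
EMAIL_HEADER = "x-goog-authenticated-user-email"
USER_ID_HEADER = "x-goog-authenticated-user-id"


def google_auth_verifier(token: str, audience: str) -> dict:
    """Verify the ES256 assertion with google-auth (pip install google-auth requests).

    verify_token fetches IAP's public keys, checks signature, expiry and audience,
    and returns the claims; it raises ValueError when any of those checks fail.
    """
    from google.auth.transport import requests as google_requests
    from google.oauth2 import id_token
    return id_token.verify_token(token, google_requests.Request(), audience=audience,
                                 certs_url=IAP_PUBLIC_KEYS_URL)


def authenticated_user(headers: Mapping[str, str], expected_audience: str,
                       verify: Callable[[str, str], dict] = google_auth_verifier
                       ) -> Optional[Tuple[str, str]]:
    """Return (email, user_id) for a request that passed IAP, otherwise None.

    expected_audience for App Engine is "/projects/PROJECT_NUMBER/apps/PROJECT_ID"
    (placeholder; take the real value from the IAP console).
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    assertion = h.get(ASSERTION_HEADER)
    if not assertion:
        return None  # request did not pass through IAP (or IAP is misconfigured)
    try:
        claims = verify(assertion, expected_audience)
    except ValueError:
        return None  # bad signature, expired, or wrong audience
    if claims.get("iss") != IAP_ISSUER:
        return None
    email, sub = claims.get("email"), claims.get("sub")
    if not email or not sub:
        return None
    # Assumption: sub already carries the "accounts.google.com:" prefix, email does not.
    # The unsigned headers must agree with the signed claims; a mismatch is an error.
    if EMAIL_HEADER in h and h[EMAIL_HEADER] != f"accounts.google.com:{email}":
        return None
    if USER_ID_HEADER in h and h[USER_ID_HEADER] != sub:
        return None
    return email, sub
```

In a Flask handler, call `authenticated_user(request.headers, audience)` and return 401 on None before touching any X-Appengine-* or X-Goog-* value.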