Assigned
Status Update
Comments
ba...@google.com <ba...@google.com>
ka...@google.com <ka...@google.com> #2
Digging around a bit, it appears WebKit itself doesn't handle authentication at all.
Instead, it would appear on Android that the package org.apache.http.auth does this.
Description
Problem you have encountered:
Google has announced [1] that the IAP OAuth Admin API will be deprecated and shut down in July 2025. Many customers are currently managing their IAP activations via Terraform or scripts and using the API to create the OAuth client to pass to the Compute Engine API when creating / updating their backend service [2]. While it is true that enabling IAP via the Cloud Console automatically creates an OAuth client ID, this is not true when enabling it via the API, which also affects gcloud [3], which is explicitly referenced in the guide that Google links to from the transition guide [4] and Terraform [5]. It is worth mentioning that the Compute Engine API does accept empty values for oauth2ClientId, but this has no effect and will result in an unusable configuration.
What you expected to happen:
Activating IAP on a backend service via the Compute Engine API automatically creates an appropriate OAuth Client and sets it for the backend service.
Steps to reproduce:
Enable IAP on a backend service with the command that is supplied by the documentation [6]:
OR
The result will be that IAP is activated but in an unusable state because no OAuth client was created and set on the backend service.
When doing the same via the Cloud Console, the OAuth client will be created and IAP is usable.
Other information (workarounds you have tried, documentation consulted, etc):
I understand that creating the OAuth client requires separate permissions and the UI workflow is able to authenticate the user and make use of additional scopes, while this may prove difficult via the Compute Engine API. Still, deprecating the IAP OAuth Admin API without providing this functionality will break existing workflows for customers, is confusing (because the API accepts empty values) and contradicts the documentation.
[1] https://cloud.google.com/iap/docs/deprecations/migrate-oauth-client
[2] https://cloud.google.com/compute/docs/reference/rest/v1/backendServices/update#:~:text=connection%20draining.-,iap,-object
[3] https://cloud.google.com/sdk/gcloud/reference/compute/backend-services/update#--iap
[4] https://cloud.google.com/iap/docs/enabling-compute-howto#gcloud
[5] https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service#enabled-3
[6] https://cloud.google.com/iap/docs/enabling-compute-howto#enable_on_a_backend_service
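The failure mode the report describes (IAP switched on through the API or gcloud, but with an empty oauth2ClientId, so the backend service is "protected" yet cannot authenticate anyone) is silent: nothing in the API response flags it. The audit below is an added example written for this page; it is not the reporter's code nor anything from Google. It reads backend-service resources in the JSON shape returned by `gcloud compute backend-services list --format=json` (the same `iap` object the backendServices REST resource exposes, with `enabled`, `oauth2ClientId` and `oauth2ClientSecretSha256`) and reports every service where IAP is enabled without a client. The sample resources are constructed for the example, and the second check (client ID present but no `oauth2ClientSecretSha256` recorded) assumes that field is populated whenever a secret was stored.

```python
"""Audit backend services for IAP enabled without a usable OAuth client.

Added example for this issue page, not code from the reporter or from Google.
Input shape: a JSON list of Compute Engine backendServices resources, as
produced by `gcloud compute backend-services list --format=json`.
"""
import json
import sys

# Constructed sample data (only the fields this audit inspects are included).
SAMPLE_BACKEND_SERVICES = json.dumps([
    {   # Enabled via the Cloud Console: client ID and secret both present.
        "name": "bs-console-enabled",
        "iap": {
            "enabled": True,
            "oauth2ClientId": "1234567890-abc.apps.googleusercontent.com",
            "oauth2ClientSecretSha256": "9f86d081884c7d659a2feaa0c55ad015"
                                        "a3bf4f1b2b0b822cd15d6c15b0f00a08",
        },
    },
    {   # The case from the report: enabled through the API with an empty client ID.
        "name": "bs-gcloud-enabled",
        "iap": {"enabled": True, "oauth2ClientId": ""},
    },
    {   # Client ID set but no secret hash recorded (assumed to mean no secret stored).
        "name": "bs-client-no-secret",
        "iap": {"enabled": True,
                "oauth2ClientId": "1234567890-def.apps.googleusercontent.com"},
    },
    {"name": "bs-iap-off", "iap": {"enabled": False}},
    {"name": "bs-no-iap"},  # iap object absent entirely
])


def iap_findings(service: dict) -> list[str]:
    """Return human-readable findings for one backendServices resource."""
    iap = service.get("iap") or {}
    if not iap.get("enabled"):
        # IAP off (or never configured) is not a misconfiguration by itself.
        return []

    findings = []
    if not iap.get("oauth2ClientId"):
        # Exactly what the report reproduces: the API accepted an empty value,
        # IAP is on, but no client exists to run the OAuth flow.
        findings.append("IAP enabled but oauth2ClientId is empty: "
                        "IAP is on but cannot authenticate users")
    elif not iap.get("oauth2ClientSecretSha256"):
        # Assumption: the API reports the SHA-256 of the stored secret; if it is
        # missing, the secret was never supplied on create/update.
        findings.append("oauth2ClientId set but no oauth2ClientSecretSha256 "
                        "recorded: client secret was never stored")
    return findings


def audit(json_text: str) -> dict[str, list[str]]:
    """Map backend-service name -> findings, omitting clean services."""
    results = {}
    for service in json.loads(json_text):
        findings = iap_findings(service)
        if findings:
            results[service["name"]] = findings
    return results


if __name__ == "__main__":
    # Usage: gcloud compute backend-services list --format=json | python audit_iap.py
    # With no piped input, the constructed sample above is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BACKEND_SERVICES
    for name, issues in audit(text).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run this after every Terraform apply or gcloud invocation that touches `--iap`; a non-empty result for a service you believe is protected is the condition the report warns about, and the fix today is to create the OAuth client separately and pass its ID and secret explicitly.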