You can configure custom OAuth clients in Identity-Aware Proxy by using the Google Cloud console; the feature is generally available (GA). You must use custom OAuth clients to do the following:
Configure IAP for users who are outside of an organization.
Customize the OAuth consent screen with custom branding.
Provide default OAuth clients for inherited applications across all IAP-protected resources at the organization or project level.
For more information, see Use custom OAuth clients with IAP.
]]>The ability to use a path wildcard in the aud (audience) field when using a
service account JWT to authenticate with an IAP-secured resource
is generally available.
For more information, see Authenticate with a service account JWT.
]]>Identity-Aware Proxy (IAP) now charges quota for programmatic and browser user requests independently. If you use IAP for programmatic workloads and have browser users within the same project, this change provides an improved representation of quota consumption.
For more information, see How can I address quota exceeded errors.
]]>Preview: You can now enable IAP directly on your Cloud Run services without configuring load balancers.
For more information, see Configure Identity-Aware Proxy for Cloud Run.
]]>Generally available: You can configure Workforce Identity Federation with IAP, and use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using Identity and Access Management (IAM), so that the users can securely access services deployed on Google Cloud or on-premises.
For more information, see Configure IAP with Workforce Identity Federation.
Generally available: Support for service account JWT authentication for Identity Platform and Workforce Identity Federation configured applications. For more information, see Authenticating with a service account JWT.
]]>Preview: You can now use authorization policies to delegate authorization to Identity-Aware Proxy (IAP) and Identity and Access Management (IAM). For more information, see Use authorization policies to delegate authorization to IAP and IAM.
]]>On February 14, 2024, the Cloud Audit Logging (CAL) type was inadvertently
changed from DATA_ACCESS to ADMIN_ACTIVITY. This change causes a change in the log name and log bucket location for the UpdateIapSettings and ValidateIapAttributeExpression methods.
The CAL type has been changed back to DATA_ACCESS.
Generally Available: Service accounts can now use JSON Web Tokens (JWTs) to programmatically access resources protected by Identity-Aware Proxy (IAP). This provides a streamlined authentication process for workloads accessing IAP-protected applications and services. For more information, see Programmatic authentication.
]]>Identity-Aware Proxy (IAP) now supports Workforce Identity Federation for application access. You can now use your extended workforce identities to access IAP-protected applications without having to sync your identities into Cloud Identity. For more information, see Configure IAP with Workforce Identity Federation.
]]>WebSocket support for managing Compute Engine resource sessions is now available. For more information, see Managing IAP sessions .
]]>Effective January 12, 2024, a BeyondCorp Enterprise license is no longer required to deploy internal applications with an internal load balancer when securing those applications with Identity-Aware Proxy. This provides a consistent experience when using Identity-Aware Proxy with all load balancers.
]]>A BeyondCorp Enterprise license is no longer required when configuring Identity-Aware Proxy with an internal load balancer.
This note is incomplete; see entry for February 1, 2024.
]]>Authenticating users with a Google-managed OAuth client and allowlisting OAuth clients for programmatic access are available in Preview.
]]>Support for Identity-aware Proxy (IAP) with Cloud Run to use identity and context to guard access to your applications is now at general availability (GA).
]]>Security bulletin c2agxr12ne
Certain Google Cloud load balancers routing to an Identity-Aware Proxy enabled Backend Service could have been vulnerable to an untrusted party under limited conditions.
For details, see GCP-2021-020
]]>The ability to authenticate users with external identities is now generally available.
]]>API for OAuth clients now generally available
You can now programmatically create OAuth clients in IAP via REST or gcloud. See this topic for more information.
]]>Cloud IAP TCP forwarding general availability release
Using Cloud IAP for TCP forwarding is now generally available. Cloud IAP for TCP forwarding lets you control who can access administrative services like SSH and RDP on your backends.
]]>Cloud IAP with context-aware access general availability release
The ability to extend Cloud IAP access policies with access levels and the IAM Conditions Framework is now generally available.
]]>Cloud IAP for on-premises apps general availability release
You can now manage access to HTTP-based apps outside of Google Cloud Platform. This includes apps on-premises in your enterprise's data centers and on other cloud providers.
]]>Cloud IAP Per-Resource Policies general availability release
The ability to manage Cloud IAP policies for each individual resource in a Google Cloud Platform project is now generally available.
]]>Cloud IAP TCP forwarding beta release
You can now use Cloud IAP for TCP forwarding, allowing you to control who can access administrative services like SSH and RDP on your backends.
]]>Cloud IAP with context-aware access beta release
Cloud IAP access policies for Cloud IAP-secured applications, services, and versions have been extended to use access levels and the IAM Conditions Framework. Access levels allow access restrictions to resources based on IP address and end-user device attributes. IAM conditions allow access restrictions based on URL hosts, paths, date, and time.
]]>Cloud IAP Per-Resource Policies beta release
Cloud IAP policies can now be managed for each individual resource in a GCP project.
]]>Welcome to the Cloud IAP general release for App Engine standard environment, Compute Engine, and GKE!
Java code samples were updated with security enhancements on August 15, 2017. If you're using the Java signed headers code sample, please update your application per the current samples.
AJAX requests with missing or expired credentials will now get an HTTP 401 response instead of being served a Google login page.
Cloud IAP now supports Cloud Audit Logging. Learn about enabling Cloud Audit Logging.
When you use the programmatic authentication feature, the aud claim in the JWT must now be the Cloud IAP client ID. Previously, it could also be the application URL. For applications that used programmatic authentication recently, we placed this feature on our whitelist. We will remove the functionality on November 15, 2017. For details and updated code samples, refer to programmatic authentication.
Cloud IAP now supports desktop and command-line applications. Learn about authenticating from a desktop app.
Cloud IAP for App Engine flexible environment is still in beta. This feature is not covered by any SLA or deprecation policy and may be subject to backward-incompatible changes for App Engine flexible environment.
Due to internal security enhancements, App Engine standard environment apps no longer require login: required in app.yaml (or security-constraint for Java).
Forseti Security is now available and strongly encouraged for Compute Engine apps. If you have any questions or require assistance, please post to discuss@forsetisecurity.org.
]]>Cloud IAP can once again be enabled for App Engine flexible environment apps.
]]>Cloud IAP now supports special URLs to help you enhance and personalize your app.
]]>Cloud IAP now uses the following values when you secure your app with signed headers:
x-goog-iap-jwt-assertion instead of x-goog-authenticated-user-jwt.aud value should now be a string with client ID details instead of a URL.Added best practices for caching.
]]>Cloud Audit Logging is now available for Cloud IAP-secured resources. Read about how to Enable Cloud Audit Logging.
The Cloud IAP 403 "failed access" page now includes product and email details from the OAuth consent screen. As with the login page, these details are publicly visible to anyone who accesses your URL. You can change the information that displays on the OAuth consent screen.
]]>