Using Identity-Aware-Proxy and JAX-RS to authenticate users

By deploying a web application behind Identity-Aware-Proxy, we can ensure that an application only receives requests that are authenticated and satisfy the context-aware access rules we’ve configured. But there are still a few things that the web application needs to do itself. Continue »

How IAP Desktop protects TCP tunnels

In the last post, we looked at the risks of using local port forwarding and how it’s difficult to protect TCP tunnels in a multi-user environment. In this post, we take a look at how IAP Desktop protects its tunnels. Continue »

Hijacking other user’s TCP tunnels

If you are a frequent SSH user, then you’ll be familiar with local port forwarding. Creating tunnels by using local port forwarding is useful, easy, but also not without risks. Continue »

Installing Remote Desktop Connection Manager as limited user

Installing the Remote Desktop Connection Manager requires administrator privileges. That can be a problem in a corporate environment where you might not have local administrator rights. Fortunately, there is an easy way to overcome this limitation by performing an administrative installation. Continue »

New version of the Cloud IAP plugin for Remote Desktop released

A few days ago, I released version 1.1.22 of the Cloud IAP plugin for Remote Desktop on Github.

The three main new features in this release are:

A managed implementation of Cloud IAP TCP tunneling
OAuth-based authorization.
Support for custom GCP session lengths.

Continue »

Integrating with Cloud IAP

In the last post, we discussed that each request that Cloud IAP passes to a backend appliation contains a X-Goog-Iap-Jwt-Assertion header. This header contains an IAP JWT assertion that looks a bit like an IdToken, but is not an IdToken. Continue »

Cloud IAP architecture

Conceptually, you can think of Cloud IAP as a reverse proxy that is deployed in front of your corporate application that intercepts all requests to perform authentication and authorization. Continue »

Cloud IAP and its role in zero-trust

At Google Cloud, we run a series of Cloud Summits each year. A Cloud Summit is essentially a mini-version of Cloud NEXT – it lasts one day, features multiple tracks of technical sessions, and is usually held in a location where there is plenty of space for booths where customers can ask questions.

One question that we frequently get at the Ask an Architect or Ask the Expert booth is about Cloud Identity-Aware Proxy - what is it for, how does it work, and how to use it?

In this series of blog posts, I am going to address these questions, one at a time:

Part 1: What is it for? – The role of Cloud IAP in zero-trust (this post)
Part 2: How does it work? – Cloud IAP architecture
Part 3: How to use it – Integrating with Cloud IAP

Continue »