Skip to content

IAP authorization fails due to audience field in refresh token request #17

New issue
New issue
Open
Open
IAP authorization fails due to audience field in refresh token request#17
@aestiff

Description

@aestiff
aestiff
opened on Dec 10, 2024

I've been trying to set up a gitea instance on a small GCP VM running an Apache reverse proxy behind IAP. The instance works fine through browser workflows, but needed access through Git CLI. I installed and set up git-remote-https+iap per the readme, but kept getting 401s (verified that they originated from IAP; the apache server never saw these requests) when trying to clone a test repo. TL;DR: I was able to fix the problem by removing the audience field from the POST to exchange the refresh token for an authorization. I was finally clued in to this because manually following the OAuth workflow in the GCP docs for Authenticating from a Desktop App worked fine, and they do not include the audience in the refresh request.

I do not know enough about OAuth to know if this problem was due to an API change, a misconfiguration in IAP on my part, or if I'm abusing the software. So I wanted to open this issue to figure out if code changes are warranted, and what behaviors should be supported. I'm happy to submit a PR if someone wants to advise on whether the audience parameter should be configurable, and the best way to expose that configuration. Or, I'd be even happier to let someone else just take care of it. OR, if I've misconfigured my proxy, I'd appreciate any advice there as well.

Note that removing the audience parameter likely obviates the need for storing the service OAuth clientID in the git config.

Expected Behavior

IAP authorizes git traffic to my server

Actual Behavior

IAP returns 401 Unauthorized.

Steps to Reproduce the Problem

  1. Set up IAP on a global HTTPS load balancer in GCP (Console).
  2. Create Desktop client OAuth credential (Console).
  3. Enable new Desktop credential for programmatic access to load balancer backend service per docs (gcloud CLI)
  4. set up git-remote-https+iap per README
  5. git clone https://myserver.com/myrepo.git
  6. fatal: Authentication failed for 'https://myserver.com/myrepo.git (due to 401 returned by IAP)

Specifications

  • Version: 0.3.4
  • Git version: 2.47.0.windows.1
  • Operating System: Win10 22H2 19045.5131

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions