
Invalid IAP credentials: JWT audience doesn't match this application

We have a Django application that is hosted on GCP Cloud Run and sits behind IAP for user authentication. Our use case was for a user to generate a token on a local machine and then use that token. We followed IAP Programmatic authentication but were getting the following error.

Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (xxxxxxxx.apps.googleusercontent.com) doesn't match expected value (yyyyyyyy.apps.googleusercontent.com))

The expected result was a JSON response with a token in it.

We solved the issue by passing an 'audience' body param in the following request, tweaking the original doc provided by GCP:

curl --verbose \
  --data client_id=DESKTOP_CLIENT_ID \
  --data client_secret=DESKTOP_CLIENT_SECRET \
  --data code=AUTH_CODE \
  --data redirect_uri=http://localhost:4444 \
  --data audience=IAP_OAUTH_ID \
  --data grant_type=authorization_code \
  https://oauth2.googleapis.com/token

This IAP_OAUTH_ID is auto-generated by GCP when you turn on IAP and is present under OAuth 2.0 Client IDs in the APIs & services > Credentials section of GCP.

Our guess is that when we try to generate a token for IAP from our local machine without passing 'audience' in the body, it does generate a token, but for some other instance of IAP, which obviously won't work with the one hosted on GCP that sits in front of the Cloud Run load balancer.

Therefore, to make it work, the correct instance of IAP for which the token is generated also has to be passed, which is done using the audience body param.
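As an added example (not from the original post or from Google's documentation), the Python script below shows the two halves of the fix: building the token-exchange body with the extra audience field, and decoding the resulting ID token's aud claim locally to confirm it equals the IAP client ID before sending the token to the app. The error message in the post already shows the mechanism: without audience, the token endpoint issues an ID token whose aud is the desktop client ID (xxxxxxxx...), while IAP expects its own OAuth client ID (yyyyyyyy...). The client IDs, secret, auth code and tokens here are constructed placeholders, and the JWT decode deliberately skips signature verification, so it is a diagnostic for "why did IAP reject this", not a trust check.

```python
"""Added example, not from the original post: build the token-exchange body
with the extra `audience` parameter and check an ID token's `aud` claim the
way IAP does, so a mismatch is caught before the request to the app is made.
All client IDs, the auth code and the tokens below are placeholders/constructed."""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"  # real Google endpoint

# Placeholder IDs shaped like the ones in the error message (not real values).
DESKTOP_CLIENT_ID = "xxxxxxxx.apps.googleusercontent.com"
IAP_CLIENT_ID = "yyyyyyyy.apps.googleusercontent.com"


def build_token_request(client_id, client_secret, code, redirect_uri, iap_client_id):
    """Form body for exchanging the desktop-app auth code, as in the curl above.

    `audience` is the extra parameter: it asks Google to mint the ID token for
    the IAP OAuth client, so the token's `aud` equals iap_client_id instead of
    the desktop client's own ID (which is what the error message shows).
    """
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "audience": iap_client_id,
        "grant_type": "authorization_code",
    }
    return urlencode(params)


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Diagnostic only: enough to see why IAP rejected a token, never enough to
    trust one. IAP verifies the signature on its side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token, iap_client_id):
    """Apply IAP's check: the expected client ID must appear in `aud`.

    Returns (ok, actual_aud). RFC 7519 allows `aud` to be a string or a list.
    """
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return iap_client_id in auds, aud


def diagnose(token, iap_client_id):
    """Human-readable verdict in the shape of the IAP error from the post."""
    ok, aud = audience_matches(token, iap_client_id)
    if ok:
        return "aud matches IAP client ID; token is usable with this IAP app"
    return (f"JWT audience doesn't match this application ('aud' claim ({aud}) "
            f"doesn't match expected value ({iap_client_id}))")


def _unsigned_sample_jwt(claims):
    """Constructed sample token for offline use: real ID tokens are RS256-signed
    by Google; here the signature segment is a dummy, which is why jwt_claims()
    above must never be used for trust decisions."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder"}
    return f"{enc(header)}.{enc(claims)}.{'A' * 43}"


_BASE_CLAIMS = {"iss": "https://accounts.google.com", "sub": "1234567890",
                "email": "user@example.com", "exp": 1700000000}
# What you get WITHOUT `audience`: aud is the desktop client that made the request.
WRONG_AUD_TOKEN = _unsigned_sample_jwt({**_BASE_CLAIMS, "aud": DESKTOP_CLIENT_ID})
# What you get WITH `audience=IAP_CLIENT_ID`.
RIGHT_AUD_TOKEN = _unsigned_sample_jwt({**_BASE_CLAIMS, "aud": IAP_CLIENT_ID})

if __name__ == "__main__":
    body = build_token_request(DESKTOP_CLIENT_ID, "DESKTOP_CLIENT_SECRET",
                               "AUTH_CODE", "http://localhost:4444", IAP_CLIENT_ID)
    print("POST", TOKEN_ENDPOINT)
    print(body)
    for name, tok in (("without audience", WRONG_AUD_TOKEN),
                      ("with audience", RIGHT_AUD_TOKEN)):
        print(f"{name}: {diagnose(tok, IAP_CLIENT_ID)}")
```

To use it against a real token, paste the id_token from the JSON response into jwt_claims() and compare aud with the IAP client ID from APIs & services > Credentials; if they differ, the audience parameter was missing or wrong in the exchange. For a check that also validates the signature and expiry, the google-auth library's google.oauth2.id_token.verify_oauth2_token(token, request, audience) does both in one call.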

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM