If you are using Identity Platform multi-tenancy, select the tenant
associated with your IAP resource.
Locate Google in the list of providers, and click Edit.
Under Allowed client IDs, click Add.
Enter the client ID you obtained in the previous section.
Click Save.
Exchanging a Google token for an Identity Platform token
When you first authenticate with Google, Identity Platform will return a
Google ID token. You can then exchange it for an Identity Platform token
by calling
signInWithIdp:
Node.js

```javascript
import * as firebase from 'firebase/app';
import 'firebase/auth';

const config = {
  apiKey: '...',
};
firebase.initializeApp(config);
const cred = firebase.auth.GoogleAuthProvider.credential(google_oidc_id_token);
firebase.auth().signInWithCredential(cred)
  .then((userCredential) => {
    return userCredential.user.getIdToken();
  })
  .then((gcipIdToken) => {
    // This token can now be used to access the resource.
  })
  .catch((error) => {
    // Error occurred.
  });
```
Python

```python
import requests

SIGN_IN_WITH_IDP_API = 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp'

def exchange_google_id_token_for_gcip_id_token(api_key, tenant_id, google_open_id_connect_token):
    """Exchange a Google OIDC ID token for an Identity Platform ID token."""
    url = SIGN_IN_WITH_IDP_API + '?key=' + api_key
    data = {'requestUri': 'http://localhost',
            'returnSecureToken': True,
            'postBody': 'id_token=' + google_open_id_connect_token + '&providerId=google.com',
            'tenantId': tenant_id}
    resp = requests.post(url, data)
    # Fail on an HTTP error instead of on a missing 'idToken' key.
    resp.raise_for_status()
    res = resp.json()
    return res['idToken']
```

REST

Request:

```
POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=API-KEY
```

Body:

```
{
"postBody": "id_token=GOOGLE-ID-TOKEN&providerId=google.com",
"requestUri": "http://localhost",
"returnIdpCredential": true,
"returnSecureToken": true,
"tenantId": "TENANT-ID"
}
```

Include the Identity Platform ID token in your authorization header to access resources protected by IAP:

```text
curl -H "Authorization: Bearer GCIP-ID-TOKEN" "https://example.appspot.com/api"
```

Note that external identities do not support IAM, so you'll
need to manually update your app's access control to grant access to your
service account. See
JWTs for external identities
to learn more.

Last updated 2025-08-28 UTC.
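One way to implement the access-control update the note above calls for, as an added example that is not from the original page: an allowlist check the app runs on the payload of the IAP-signed JWT once its signature has been verified. The nested `gcip` claim layout, the names `authorize_service_account` and `sample_claims`, and the sample account, tenant and payload are assumptions constructed for illustration.

```python
# Added example: app-level allowlist for service accounts behind IAP with
# external identities. Signature verification of the IAP JWT must already
# have happened; this code only makes the authorization decision.

ALLOWED_SERVICE_ACCOUNTS = frozenset({
    "batch-job@example-project.iam.gserviceaccount.com",  # constructed
})
EXPECTED_TENANT = "TENANT-ID"  # placeholder; set to None without multi-tenancy
EXPECTED_PROVIDER = "google.com"


def authorize_service_account(claims):
    """Return (allowed, reason) for a verified IAP JWT payload.

    Assumes the Identity Platform claims sit under a nested "gcip" claim
    (email, email_verified, firebase.sign_in_provider, firebase.tenant).
    """
    gcip = claims.get("gcip")
    if not isinstance(gcip, dict):
        return False, "no gcip claim: not an external-identity token"
    firebase = gcip.get("firebase")
    if not isinstance(firebase, dict):
        return False, "gcip.firebase missing"
    if firebase.get("sign_in_provider") != EXPECTED_PROVIDER:
        return False, "unexpected sign-in provider"
    if EXPECTED_TENANT is not None and firebase.get("tenant") != EXPECTED_TENANT:
        return False, "unexpected tenant"
    if gcip.get("email_verified") is not True:
        return False, "email not verified"
    email = gcip.get("email")
    if not isinstance(email, str) or email.lower() not in ALLOWED_SERVICE_ACCOUNTS:
        return False, "identity not on the service-account allowlist"
    return True, "ok"


def sample_claims(**overrides):
    """Constructed payload for demonstration; not captured from a real request."""
    gcip = {
        "email": "batch-job@example-project.iam.gserviceaccount.com",
        "email_verified": True,
        "firebase": {"sign_in_provider": "google.com", "tenant": "TENANT-ID"},
    }
    gcip.update(overrides)
    return {"iss": "https://cloud.google.com/iap", "gcip": gcip}


if __name__ == "__main__":
    print(authorize_service_account(sample_claims()))
    print(authorize_service_account(sample_claims(email="someone@gmail.com")))
```

Checking the sign-in provider and tenant alongside the email keeps an account created through a different provider or tenant with a matching address from passing the allowlist.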