By deploying a web application behind Identity-Aware Proxy (IAP), we can ensure that the application receives only requests that are authenticated and that satisfy the context-aware access rules we’ve configured. In zero-trust lingo, that makes IAP a policy enforcement point. But there are still a few things that the web application needs to do itself. In a previous post, we looked at how IAP works, and saw that IAP injects a special X-Goog-Iap-Jwt-Assertion header into each request that it pa...