
Accessing Google Cloud IAP protected resource with

Published 2019-08-16 02:48

Question:

I am trying to access a resource protected by Google Cloud IAP from my iOS app.

I am able to log in to my Google account from the app and receive an ID token, but I receive the following response with HTTP error code 401 when setting the ID token as a Bearer token in the Authorization header for the resource I would like to request.

"There was a problem with your request. Error code 13"

I tried to send the request with Postman, but this also resulted in the same error.

I use the following code for setting the client ID from the downloaded credentials.plist file.

if let path = Bundle.main.path(forResource: "credentials", ofType: "plist"),
   let nsDictionary = NSDictionary(contentsOfFile: path),
   let clientId = nsDictionary["CLIENT_ID"] as? String {
   // Client ID of the iOS OAuth client, read from the downloaded credentials.plist
   GIDSignIn.sharedInstance().clientID = clientId
   GIDSignIn.sharedInstance().delegate = self
   GIDSignIn.sharedInstance().uiDelegate = self
}

Afterwards I sign into Google.

if GIDSignIn.sharedInstance().hasAuthInKeychain() {
   GIDSignIn.sharedInstance().signInSilently()
} else {
   GIDSignIn.sharedInstance().signIn()
}

After login, I take the idToken and send it to the resource protected by Google Cloud IAP.

func sign(_ signIn: GIDSignIn!, didSignInFor user: GIDGoogleUser!, withError error: Error!) {
   // GoogleSignIn calls this delegate method on failure too, so bail out unless we have a token
   guard error == nil, let token = user?.authentication?.idToken else { return }

   // `url` and `httpMethod` are properties defined elsewhere in this class
   var request = URLRequest(url: URL(string: url)!)

   request.httpMethod = httpMethod
   // The ID token goes into the Authorization header as a Bearer token
   request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")

   URLSession.shared.dataTask(with: request) { data, response, error in
      // IAP answers 401 when it rejects the token; the status code is the thing to inspect here
      if let http = response as? HTTPURLResponse {
         print("IAP responded with HTTP status \(http.statusCode)")
      }
   }.resume()
}

I would expect a successful response, but currently I receive HTTP error code 401 together with the previously mentioned error message.

Answer 1:

Update: As of July 11th, IAP users should now get a more descriptive error than "Error code 13" when there are problems with the token.

Some examples:

$ curl -H 'Authorization: bearer schmearer' $IAP_URL
Invalid IAP credentials: Expected JWT to have 3 parts separated by a '.' but there are 1 parts
$ curl -H 'Authorization: bearer a.b.c' $IAP_URL
Invalid IAP credentials: Base64 decode failed on token: a.b.c
> ^C
msachs@msachs-ubi:~$ curl -H 'Authorization: bearer [real token]' $IAP_URL
Invalid IAP credentials: JWT signature is invalid
msachs@msachs-ubi:~$ curl -H 'Authorization: bearer [real token]' $IAP_URL
Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (5939454960-[...]) doesn't match expected value (1042451928015-[...]))

"Error code 13" means that IAP doesn't like something about your token. In this case, I think the issue is that you need to set the serverClientId property to the client ID used by your IAP app. You can find this by going to the IAP console, finding the resource you're connecting to, and selecting "Edit OAuth Client" from the overflow menu in that resource's table row.

Our documentation seems to be missing that step, I'll get that taken care of. (Thanks for flagging that!)
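As an added example (not part of the answer above and not Google's code), the following Python script reproduces the structural checks behind the "Invalid IAP credentials" messages shown above, so a token can be inspected before sending it: part count, base64url decoding, and the `aud` claim against the IAP OAuth client ID, plus an expiry check that goes beyond the messages shown. The client IDs and tokens are constructed; signature verification against Google's public keys is deliberately not performed here.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_test_token(claims: dict) -> str:
    """CONSTRUCTED, unsigned test token (header.payload.dummy-signature).

    Real IAP tokens are RS256-signed by Google; this only exercises the checks below.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def diagnose_iap_token(token: str, expected_aud: str, now: Optional[float] = None) -> str:
    """Return the first structural problem IAP would report, or 'OK'.

    'OK' means only the signature (checked against Google's keys, not here) remains.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return f"Expected JWT to have 3 parts separated by a '.' but there are {len(parts)} parts"
    try:
        json.loads(_b64url_decode(parts[0]))           # header must be base64url JSON
        claims = json.loads(_b64url_decode(parts[1]))  # payload must be base64url JSON
        _b64url_decode(parts[2])                       # signature must at least decode
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return f"Base64 decode failed on token: {token}"
    aud = claims.get("aud")
    if aud != expected_aud:
        # This is the mismatch you get when the token was minted for the iOS client ID
        # instead of the IAP OAuth client ID (fixed by setting serverClientID in the app).
        return (f"JWT audience doesn't match this application ('aud' claim ({aud}) "
                f"doesn't match expected value ({expected_aud}))")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return "JWT is expired"
    return "OK"
```

Run it against the real ID token your app obtains, with `expected_aud` set to the client ID shown under "Edit OAuth Client" for the IAP resource; an audience mismatch there is the symptom the answer describes.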