# Using service accounts with external identities

This article shows you how to authenticate using service accounts when you're using Identity-Aware Proxy (IAP) with external identities.

Obtaining your client ID and secret
-----------------------------------

1. Go to the IAP page in the Google Cloud console.

   [Go to the IAP page](https://console.cloud.google.com/security/iap)
2. Click the **APPLICATIONS** tab.
3. Locate the app to configure to use service accounts.
4. Select **Go to OAuth configuration** from the overflow menu.

A page displaying the client ID and secret for your app appears. You'll need these to configure Identity Platform in the next section.

Configuring Google as an identity provider
------------------------------------------

If your Identity Platform project isn't already using Google for authentication, create a new configuration using your client ID and secret:

1. Go to the **Identity Platform Providers** page in the Google Cloud console.

   [Go to the Identity Providers page](https://console.cloud.google.com/customer-identity/providers)
2. If you are using Identity Platform multi-tenancy, select the tenant associated with your IAP resource.
3. Click **Add provider**.
4. Select **Google** from the list of providers.
5. Under **Web SDK configuration**, enter the client ID and secret you obtained in the previous section.
6. Click **Save**.

If you're already using Google authentication, you can use your client ID instead. This won't disrupt your existing users.

1. Go to the **Identity Platform Providers** page in the Google Cloud console.

   [Go to the Identity Providers page](https://console.cloud.google.com/customer-identity/providers)
2. If you are using Identity Platform multi-tenancy, select the tenant associated with your IAP resource.
3. Locate **Google** in the list of providers, and click **Edit**.
4. Under **Allowed client IDs**, click **Add**.
5. Enter the client ID you obtained in the previous section.
6. Click **Save**.

Exchanging a Google token for an Identity Platform token
--------------------------------------------------------

When you first authenticate with Google, Identity Platform will return a Google ID token. You can then exchange it for an Identity Platform token by calling [`signInWithIdp`](/identity-platform/docs/reference/rest/client#section-sign-in-with-oauth-credential):

### Node.js

```javascript
import * as firebase from 'firebase/app';
import 'firebase/auth';

const config = {
  apiKey: '...',
};
firebase.initializeApp(config);

// google_oidc_id_token holds the Google ID token obtained from the
// initial Google sign-in; wrap it as a Google credential for Identity Platform.
const cred = firebase.auth.GoogleAuthProvider.credential(google_oidc_id_token);
firebase.auth().signInWithCredential(cred)
  .then((userCredential) => {
    // Ask Identity Platform for the ID token of the signed-in user.
    return userCredential.user.getIdToken();
  })
  .then((gcipIdToken) => {
    // This token can now be used to access the resource.
  })
  .catch((error) => {
    // Error occurred.
  });
```

### Python

```python
import requests

SIGN_IN_WITH_IDP_API = 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp'


def exchange_google_id_token_for_gcip_id_token(api_key, tenant_id, google_open_id_connect_token):
    """Exchange a Google ID token for an Identity Platform (GCIP) ID token."""
    url = SIGN_IN_WITH_IDP_API + '?key=' + api_key
    data = {'requestUri': 'http://localhost',
            'returnSecureToken': True,
            'postBody': 'id_token=' + google_open_id_connect_token + '&providerId=google.com',
            'tenantId': tenant_id}
    resp = requests.post(url, data)
    res = resp.json()
    return res['idToken']
```

### REST

Request:

```
POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=API-KEY
```

Body:

```
{
  "postBody": "id_token=GOOGLE-ID-TOKEN&providerId=google.com",
  "requestUri": "http://localhost",
  "returnIdpCredential": true,
  "returnSecureToken": true,
  "tenantId": "TENANT-ID"
}
```

Include the Identity Platform ID token in your authorization header to access resources protected by IAP:

```text
curl -H "Authorization: Bearer GCIP-ID-TOKEN" "https://example.appspot.com/api"
```

Note that external identities do not support IAM, so you'll need to manually update your app's access control to grant access to your service account. See [JWTs for external identities](/iap/docs/signed-headers-howto#jwts_for_external_identities) to learn more.
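The token exchange described above, written as an added example that is not part of the Google Cloud documentation or the Identity Platform SDK. It separates building the `signInWithIdp` request from parsing the response so the logic can be exercised offline: the `postBody` is form-encoded with `urlencode` rather than string concatenation, `tenantId` is sent only when a tenant is given (it is an optional request field), and an `error` object or a missing `idToken` in the response fails closed instead of raising a bare `KeyError`. The function names `build_sign_in_with_idp_request`, `parse_sign_in_with_idp_response`, `iap_bearer_header` and the injectable `post` parameter are assumptions of this example, and the sample responses are constructed, not real API output.

```python
"""Added example: offline-testable signInWithIdp exchange (not Google's code)."""
import json
from urllib.parse import urlencode

SIGN_IN_WITH_IDP_API = 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp'


def build_sign_in_with_idp_request(api_key, tenant_id, google_id_token):
    """Return (url, json_body) for the exchange.

    urlencode() escapes '&' and '=' inside the token, so a malformed or
    hostile token value cannot smuggle extra fields into postBody.
    tenantId is only included when multi-tenancy is in use (assumption:
    tenant_id may be None).
    """
    url = SIGN_IN_WITH_IDP_API + '?' + urlencode({'key': api_key})
    body = {
        'postBody': urlencode({'id_token': google_id_token, 'providerId': 'google.com'}),
        'requestUri': 'http://localhost',
        'returnIdpCredential': True,
        'returnSecureToken': True,
    }
    if tenant_id:
        body['tenantId'] = tenant_id
    return url, body


def parse_sign_in_with_idp_response(status_code, response_text):
    """Extract the Identity Platform ID token; raise on any error condition."""
    payload = json.loads(response_text)
    if status_code != 200 or 'error' in payload:
        err = payload.get('error') or {}
        raise RuntimeError('signInWithIdp failed: HTTP %s (%s)'
                           % (status_code, err.get('message', 'unknown error')))
    token = payload.get('idToken')
    if not token:
        raise RuntimeError('signInWithIdp response did not include idToken')
    return token


def iap_bearer_header(gcip_id_token):
    """Authorization header used when calling the IAP-protected resource."""
    return {'Authorization': 'Bearer ' + gcip_id_token}


def exchange_google_id_token_for_gcip_id_token(api_key, tenant_id, google_id_token, post=None):
    """Run the exchange end to end.

    `post(url, body) -> (status_code, text)` is injectable so the function can
    be tested without network access; the default uses requests (hypothetical
    wiring, not part of the documented SDK).
    """
    if post is None:
        import requests

        def post(url, body):
            r = requests.post(url, json=body, timeout=10)
            return r.status_code, r.text
    url, body = build_sign_in_with_idp_request(api_key, tenant_id, google_id_token)
    status, text = post(url, body)
    return parse_sign_in_with_idp_response(status, text)


# Constructed sample responses for offline use (not real Identity Platform output).
SAMPLE_OK = json.dumps({'idToken': 'gcip-token-constructed',
                        'refreshToken': 'refresh-constructed', 'expiresIn': '3600'})
SAMPLE_ERR = json.dumps({'error': {'code': 400, 'message': 'INVALID_IDP_RESPONSE'}})


if __name__ == '__main__':
    fake_post = lambda url, body: (200, SAMPLE_OK)  # stands in for the network call
    token = exchange_google_id_token_for_gcip_id_token('API-KEY', 'TENANT-ID', 'GOOGLE-ID-TOKEN', post=fake_post)
    print(iap_bearer_header(token))
```

In production, drop the `post` argument so the real HTTPS request is made, and keep the `api_key` out of source control; it identifies the project and, with `tenantId`, determines which tenant's users the exchanged token represents.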