diff --git a/README.md b/README.md
index 61281c1f694..f0920bdd291 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ Technology Samples:
* [Bigquery](bigquery)
* [Datastore](datastore)
* [Endpoints](endpoints)
+* [Identity-Aware Proxy](iap)
* [Key Management Service](kms)
* [Logging](logging)
* [Monitoring](monitoring)
diff --git a/appengine/iap/README.md b/appengine/iap/README.md
new file mode 100644
index 00000000000..39ca52ea4f7
--- /dev/null
+++ b/appengine/iap/README.md
@@ -0,0 +1,37 @@
+# Cloud Identity-Aware Proxy sample for Google App Engine
+
+This sample demonstrates how to use the [Cloud Identity-Aware Proxy][iap-docs] on [Google App
+Engine][ae-docs].
+
+[iap-docs]: https://cloud.google.com/iap/docs/
+[ae-docs]: https://cloud.google.com/appengine/docs/java/
+
+## Setup
+
+Install the [Google Cloud SDK](https://cloud.google.com/sdk/) and run:
+```
+ gcloud init
+```
+If this is your first time creating an App engine application:
+```
+ gcloud app create
+```
+
+## Running locally
+
+This application depends on being enabled behind an IAP, so this program should not be run locally.
+
+## Deploying
+
+- Deploy the application to the project
+ ```
+ mvn clean appengine:deploy
+ ```
+- [Enable](https://cloud.google.com/iap/docs/app-engine-quickstart) Identity-Aware Proxy on the App Engine app.
+- Add the email account you'll be running the test as to the Identity-Aware Proxy access list for the project.
+
+## Test
+
+Once deployed, access `https://your-project-id.appspot.com` . This should now prompt you to sign in for access.
+Sign in with the email account that was added to the Identity-Aware proxy access list.
+You should now see the jwt token that was received from the IAP server.
diff --git a/appengine/iap/pom.xml b/appengine/iap/pom.xml
new file mode 100644
index 00000000000..15b6cd930d8
--- /dev/null
+++ b/appengine/iap/pom.xml
@@ -0,0 +1,57 @@
+
+
+ 4.0.0
+ war
+ 1.0-SNAPSHOT
+ com.example.appengine
+ appengine-iap
+
+
+ com.google.cloud
+ appengine-doc-samples
+ 1.0.0
+ ..
+
+
+
+ javax.servlet
+ servlet-api
+ 2.5
+ provided
+
+
+
+
+ ${project.build.directory}/${project.build.finalName}/WEB-INF/classes
+
+
+ org.apache.maven.plugins
+ 3.3
+ maven-compiler-plugin
+
+ 1.7
+ 1.7
+
+
+
+ com.google.cloud.tools
+ appengine-maven-plugin
+ 1.3.1
+
+
+
+
diff --git a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
new file mode 100644
index 00000000000..b6f7d95584f
--- /dev/null
+++ b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2017 Google Inc.
+ *
+ *
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of the License at
+ *
+ *
Unless required by applicable law or agreed to in writing, software distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.example.appengine.iap;
+
+import java.io.IOException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Identity Aware Proxy (IAP) Test application to reflect jwt token issued by IAP. IAP must be
+ * enabled on application. {@see https://cloud.google.com/iap/docs/app-engine-quickstart}
+ */
+@SuppressWarnings("serial")
+public class JwtServlet extends HttpServlet {
+
+ private static final String IAP_JWT_HEADER = "x-goog-authenticated-user-jwt";
+
+ @Override
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ resp.getWriter().print(IAP_JWT_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
+ }
+}
diff --git a/appengine/iap/src/main/webapp/WEB-INF/appengine-web.xml b/appengine/iap/src/main/webapp/WEB-INF/appengine-web.xml
new file mode 100644
index 00000000000..b30cd159e63
--- /dev/null
+++ b/appengine/iap/src/main/webapp/WEB-INF/appengine-web.xml
@@ -0,0 +1,16 @@
+
+
+
+ true
+
diff --git a/appengine/iap/src/main/webapp/WEB-INF/web.xml b/appengine/iap/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 00000000000..b4a68e55196
--- /dev/null
+++ b/appengine/iap/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,14 @@
+
+
+
+ hello
+ com.example.appengine.iap.JwtServlet
+
+
+ hello
+ /
+
+
diff --git a/appengine/pom.xml b/appengine/pom.xml
index 151a4d840d9..2950bd7651c 100644
--- a/appengine/pom.xml
+++ b/appengine/pom.xml
@@ -61,6 +61,7 @@
guestbook-objectifyhelloworldhelloworld-new-plugins
+ iapimageslogsmailgun
diff --git a/iap/README.md b/iap/README.md
new file mode 100644
index 00000000000..75238df3966
--- /dev/null
+++ b/iap/README.md
@@ -0,0 +1,34 @@
+# Cloud Identity-Aware Proxy Java Samples
+Cloud Identity-Aware Proxy (Cloud IAP) lets you manage access to applications running in Compute Engine, App Engine standard environment, and Container Engine. Cloud IAP establishes a central authorization layer for applications accessed by HTTPS, enabling you to adopt an application-level access control model instead of relying on network-level firewalls. When you enable Cloud IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.
+
+## Setup
+- A Google Cloud project with billing enabled
+- A service account with private key credentials is required to create signed bearer tokens.
+ - [Create an App engine service account](https://cloud.google.com/docs/authentication#getting_credentials_for_server-centric_flow) and download the credentials file as JSON.
+ - Set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to point to the service account credentials file.
+- Install the [Google Cloud SDK](https://cloud.google.com/sdk/) and run:
+```
+ gcloud init
+```
+
+## Description
+- [BuildIapRequest.java](src/main/java/com/example/iap/BuildIapRequest.java) demonstrates how to set the
+`Authorization : Bearer` header with a signed JWT token to authorize access to an IAP protected URL.
+- [VerifyIapRequestHeader.java](src/main/java/com/example/iap/VerifyIapRequestHeader.java) demonstrates how to
+verify the JWT token in an incoming request to an IAP protected resource.
+
+## Testing
+- Deploy the [demo app engine application](../appengine/iap/README.md). This application will return the JWT token to an authorized incoming request.
+It will be used to test both the authorization of an incoming request to an IAP protected resource and the JWT token returned from IAP.
+- [Enable](https://cloud.google.com/iap/docs/app-engine-quickstart) Identity-Aware Proxy on the App Engine app.
+- Add the service account email to the Identity-Aware Proxy access list for the project.
+- Set the environment variable `IAP_PROTECTED_URL` to point to `https://your-project-id.appspot.com`
+- Run the integration test:
+```
+ mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
+```
+
+## References
+[JWT library for Java](https://github.com/auth0/java-jwt)
+[Cloud IAP docs](https://cloud.google.com/iap/docs/)
+[Service account credentials](https://cloud.google.com/docs/authentication#getting_credentials_for_server-centric_flow)
diff --git a/iap/pom.xml b/iap/pom.xml
new file mode 100644
index 00000000000..4f01bf5fdde
--- /dev/null
+++ b/iap/pom.xml
@@ -0,0 +1,69 @@
+
+
+
+
+ 4.0.0
+ jar
+ com.example
+ iap-samples
+ 1.0-SNAPSHOT
+
+
+ 1.8
+ 1.8
+ UTF-8
+
+
+
+
+
+ com.fasterxml.jackson.core
+ jackson-core
+ 2.8.6
+
+
+
+
+
+
+ javax.servlet
+ javax.servlet-api
+ 3.1.0
+
+
+
+
+ com.google.auth
+ google-auth-library-oauth2-http
+ 0.6.0
+
+
+ com.auth0
+ java-jwt
+ 3.2.0
+
+
+
+
+
+ junit
+ junit
+ 4.12
+
+
+
+
diff --git a/iap/src/main/java/com/example/iap/BuildIapRequest.java b/iap/src/main/java/com/example/iap/BuildIapRequest.java
new file mode 100644
index 00000000000..c5467f37d62
--- /dev/null
+++ b/iap/src/main/java/com/example/iap/BuildIapRequest.java
@@ -0,0 +1,135 @@
+/**
+ * Copyright 2017 Google Inc.
+ *
+ *
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of the License at
+ *
+ *
Unless required by applicable law or agreed to in writing, software distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.example.iap;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpHeaders;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpRequestFactory;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.UrlEncodedContent;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.JsonObjectParser;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.util.GenericData;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.IOException;
+import java.net.URL;
+import java.security.interfaces.RSAPrivateKey;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.Date;
+
+public class BuildIapRequest {
+ // [START generate_iap_request]
+ private static final String IAM_SCOPE = "https://www.googleapis.com/auth/iam";
+ private static final String OAUTH_TOKEN_URI = "https://www.googleapis.com/oauth2/v4/token";
+ private static final String JWT_BEARER_TOKEN_GRANT_TYPE =
+ "urn:ietf:params:oauth:grant-type:jwt-bearer";
+ private static final long EXPIRATION_TIME_IN_SECONDS = 3600L;
+
+ private static final HttpTransport httpTransport = new NetHttpTransport();
+
+ private static Clock clock = Clock.systemUTC();
+
+ private BuildIapRequest() {}
+
+ private static String getBaseUrl(URL url) throws Exception {
+ String urlFilePath = url.getFile();
+ int pathDelim = urlFilePath.lastIndexOf('/');
+ String path = (pathDelim > 0) ? urlFilePath.substring(0, pathDelim) : "";
+ return (url.getProtocol() + "://" + url.getHost() + path).trim();
+ }
+
+ private static ServiceAccountCredentials getCredentials() throws Exception {
+ GoogleCredentials credentials =
+ GoogleCredentials.getApplicationDefault().createScoped(Collections.singleton(IAM_SCOPE));
+ // service account credentials are required to sign the jwt token
+ if (credentials == null || !(credentials instanceof ServiceAccountCredentials)) {
+ throw new Exception("Google credentials : service accounts credentials expected");
+ }
+ return (ServiceAccountCredentials) credentials;
+ }
+
+ private static String getSignedJWToken(ServiceAccountCredentials credentials, String baseUrl)
+ throws IOException {
+ Instant now = Instant.now(clock);
+ long expirationTime = now.getEpochSecond() + EXPIRATION_TIME_IN_SECONDS;
+ // generate jwt signed by service account
+ return JWT.create()
+ .withKeyId(credentials.getPrivateKeyId())
+ .withAudience(OAUTH_TOKEN_URI)
+ .withIssuer(credentials.getClientEmail())
+ .withSubject(credentials.getClientEmail())
+ .withIssuedAt(Date.from(now))
+ .withExpiresAt(Date.from(Instant.ofEpochSecond(expirationTime)))
+ .withClaim("target_audience", baseUrl)
+ .sign(Algorithm.RSA256(null, (RSAPrivateKey) credentials.getPrivateKey()));
+ }
+
+ private static String getGoogleIdToken(String jwt) throws Exception {
+ final GenericData tokenRequest =
+ new GenericData().set("grant_type", JWT_BEARER_TOKEN_GRANT_TYPE).set("assertion", jwt);
+ final UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
+
+ final HttpRequestFactory requestFactory = httpTransport.createRequestFactory();
+
+ final HttpRequest request =
+ requestFactory
+ .buildPostRequest(new GenericUrl(OAUTH_TOKEN_URI), content)
+ .setParser(new JsonObjectParser(JacksonFactory.getDefaultInstance()));
+
+ HttpResponse response;
+ String idToken = null;
+ response = request.execute();
+ GenericData responseData = response.parseAs(GenericData.class);
+ idToken = (String) responseData.get("id_token");
+ return idToken;
+ }
+
+ public static HttpRequest buildIAPRequest(HttpRequest request) throws Exception {
+ // get service account credentials
+ ServiceAccountCredentials credentials = getCredentials();
+ // get the base url of the request URL
+ String baseUrl = getBaseUrl(request.getUrl().toURL());
+ String jwt = getSignedJWToken(credentials, baseUrl);
+ if (jwt == null) {
+ throw new Exception(
+ "Unable to create a signed jwt token for : "
+ + baseUrl
+ + "with issuer : "
+ + credentials.getClientEmail());
+ }
+
+ String idToken = getGoogleIdToken(jwt);
+ if (idToken == null) {
+ throw new Exception("Unable to retrieve open id token");
+ }
+
+ // Create an authorization header with bearer token
+ HttpHeaders httpHeaders = request.getHeaders().clone().setAuthorization("Bearer " + idToken);
+
+ // create request with jwt authorization header
+ return httpTransport
+ .createRequestFactory()
+ .buildRequest(request.getRequestMethod(), request.getUrl(), request.getContent())
+ .setHeaders(httpHeaders);
+ }
+ // [END generate_iap_request]
+}
diff --git a/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java b/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
new file mode 100644
index 00000000000..9e21fa79547
--- /dev/null
+++ b/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
@@ -0,0 +1,163 @@
+/**
+ * Copyright 2017 Google Inc.
+ *
+ *
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of the License at
+ *
+ *