Firebase auth rest api Error 404 (Not Found)

[Arsenio Aguirre]

Hi, I am new using Firebase, I have found the reference for use Firebase Auth REST Api. I would like to know if there is support for this features because it shows an error 404 (Not found) when I try to use by Postman or Curl. I am using the next endpoint:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=[API_KEY]

The documentation that I am using is:

https://firebase.google.com/docs/reference/rest/auth/?authuser=0

In other link I read that the identitytoolkit is out of service but I want to be sure it is rigth or not.

Thanks for your time.

Regards,

Arsenio

[Kato Richardson]

Hi Arsenio,

First of all, prefer the admin SDKs--those are available in a number of server-side languages at this point.

To directly address your questions, you're likely hitting the wrong endpoint or using the wrong HTTP method (e.g. GET vs POST).

For example, I see that the verifyCustomToken method is called via POST.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5e432b82-1877-48cb-89de-0addccf6659b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Kato Richardson |

Developer Programs Eng |

kato...@google.com |

775-235-8398

[Arsenio Aguirre]

Hi Kato, thanks for your reply.

I am testing the SDK and the rest API for the authentication and firestore database firebase services. I understand that If I use the SDK i need a service account and i can't apply security rules in firestore database to the service account. All users in my application will write by the service account using the SDK. If the service account is compromised they can access to the firestore database. For this reason other option is to use the REST API for write in firestore and apply security rules by the uid of the users. If a user is compromised he can't access to all firestore database. I will check again the URL and method sent by postman to consume the API REST.

Let me know if I am wrong or there is other option to apply security rules using they sdk.

Regards,

Arsenio

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CADypTEaTXRQKUkRf6%3DychKbLJOvR5vThx1KJXv2fG0z68Cf2GA%40mail.gmail.com.

[Kato Richardson]

The fact that you can't apply security rules to the write is annoying, but there is otherwise no difference between using the Admin SDK and REST API in this scenario. You still need the client to send something identifiable in order to perform the write. Via REST, they send their Auth ID token. If they are contacting your server, they can still do this. You would just call verifyIdToken() on it to validate that they are who they say. You would need to verify that the write is valid in your server process rather than just depending on security rules, but generally doable.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CANE-FxoROBNJ6YHQoc0C%2Bnp%3D6W-v0QRGU1o7Oc55V7EcU2nq9Q%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.