Custom token generation (?!?!)

299 views
Skip to first unread message

Joon Yee Chuah

unread,
Aug 6, 2016, 7:23:52 PM8/6/16
to Firebase Google Group
According to the docs, I can create a custom token and authenticate with REST:

var jwtClient = new google.auth.JWT(key.client_email, null, key.private_key, ["https://www.googleapis.com/auth/firebase.database", "https://www.googleapis.com/auth/userinfo.email"], null);

jwtClient.authorize(function(error, tokens) {
    if (tokens) {
      var es = new EventSource(url + "?access_token=" + tokens);
      ...
    }
  }
}

But with the current google-auth-library, I can't attach a UID to the payload... unless I seriously modify the auth library. When I try to use

var token = firebase.auth().createCustomToken("my-uid");
var es = new EventSource(url + "?access_token=" + token);
...

I get an error 403. (My database rules are ".read" : "auth != null"). 

I've also tried generating my own access token:

    var key = require('./' + process.env.SERVICEACCOUNTFILE);
    var payload  = {
      "uid" : "my-uid",
      "iat" : Math.floor(Date.now() / 1000),
      "exp" : Math.floor(Date.now() / 1000 + 3600),
      "iss" : key.client_email,
      "sub" : key.client_email,
      "aud" : "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
    };
    var token = jwt.sign(payload, key.private_key,
      {
        algorithm: 'RS256'
      }
    );

and I still get an error 403.

Are custom tokens supposed to be able to work with Firebase REST endpoints?

Kato Richardson

unread,
Aug 6, 2016, 7:36:26 PM8/6/16
to Firebase Google Group

Hi Joon,

This isn't my specialty, but have you tried printing out the URL you’re passing into EventSource? I suspect it’s not formatted quite how you expect here.

Michael Bleigh has an excellent example of REST auth using custom tokens here. I see that he uses tokens.access_token, where you’re directly trying to include tokens in your URL, which doesn’t seem quite right.

Note that he also passes the auth token as part of the headers, at the Authorization: Bearer... line. I’m not positive that what you have here wouldn’t work, but it does look a bit different than the recommended practice.

Again, I'm not very experienced here, but maybe those are good starting points for troubleshooting?

☼, Kato


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/4c458de6-364d-41a3-95dd-0a29045b8625%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Joon Yee Chuah

unread,
Aug 6, 2016, 8:10:45 PM8/6/16
to Firebase Google Group
If I'm using Michael Bleigh's example, I can get REST to work (including using ?access_token= embedded in the URL). However, I can't pass in a UID to google-auth-library's implementation of JWT, which is why I was trying to get a custom token to work. I went ahead and did the following to generate a custom JWT token:

    var payload  = {
      "uid" : "my-uid",
      "iat" : Math.floor(Date.now() / 1000),
      "exp" : Math.floor(Date.now() / 1000 + 3600),
      "iss" : key.client_email,
      "sub" : key.client_email,
      "aud" : "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
    };
    var token = jwt.sign(payload, key.private_key,
      {
        algorithm: 'RS256'
      }
    );

   console.log(token);


... then went ahead and did:

curl --header "Authorization: Bearer <token>" http://myfirebase.firebaseio.com/test.json


Still got a 403.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/4c458de6-364d-41a3-95dd-0a29045b8625%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Joon Yee Chuah

unread,
Aug 6, 2016, 8:12:32 PM8/6/16
to Firebase Google Group
Also, there's a typo on:


Using the access token

The Database REST API will accept access_token=<TOKEN> on the query string or header Authenticate: Bearer <TOKEN> to authenticate a request with a service account.

Joon Yee Chuah

unread,
Aug 6, 2016, 8:42:21 PM8/6/16
to Firebase Google Group
I figured it out. I stuck in a debug claim, and Firebase sent back an authorization debug statement saying it couldn't find the 'kid' claim. 'kid' claims exist only in ID Tokens -- not custom tokens. That means that you have to use an ID token (such as one generated by google-auth-library) in the REST authorization header, and custom tokens will not work.

On Saturday, August 6, 2016 at 7:10:45 PM UTC-5, Joon Yee Chuah wrote:

Jacob Wenger

unread,
Aug 8, 2016, 9:16:33 PM8/8/16
to fireba...@googlegroups.com
Hey Joon,

Glad you got things figured out! Sorry for the confusion. Here are some random thoughts:
  • We are improving the error messages from our REST API to give you more details than just "invalid or missing kid."
  • You are right that custom tokens cannot be used against the REST API directly. You must use an ID token or a Google access token with the REST API.
  • Some more information on server auth is provided here in case you haven't seen it.
Jacob

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages