Firebase GO SDK - Can't connect to Realtime database with IdToken


Martin André

Jan 5, 2022, 11:39:35 AM
to Firebase Google Group
Hey!

I'm trying to connect to my Realtime database using the Go Admin SDK, using an option WithTokenSource which uses a ReuseTokenSource that implements a custom Token() function.

The custom Token() function will at first fetch a new IdToken from a custom endpoint that creates a customToken and exchanges it for a real token using signInWithCustomToken. Doing that I get the idToken and the refreshToken (the idToken is assumed to be the access_token for the oauth2.Token struct).

The issue doing so is that the Realtime database returns "http error status: 401; reason: Unauthorized request." even if the database is in full open mode (read/write = true). I found out that trying with the IdToken by hand with a regular HTTP request does the same if I set the IdToken in the access_token param. But if I set the IdToken in the auth param, then it works, so the IdToken I have is correct.

TLDR: How to use an IdToken in the Golang Admin SDK to access the Realtime database? If it's not possible, would it be necessary to create an issue on GitHub?

Thanks for your time!





Hiranya Jayathilaka

Jan 5, 2022, 2:12:45 PM
to fireba...@googlegroups.com
I responded to your question on StackOverflow. Short answer is it's not possible. And using ID tokens for authentication in server-side SDKs is not something we plan to support either. 

ID tokens are meant to be used in client-side applications. They uniquely identify authenticated client users. Using such an identity on a server-side application is often not required with Firebase (and there are security and quota-related reasons for not doing it as well). The typical flow for passing client-side auth context to server-side is:

1. Client authenticates and obtains an ID token. 
2. Client passes the ID token to server-side, where it's verified by the Admin SDK (see ID token verification).
3. Server then authenticates with Firebase backend services via OAuth2, and performs some work on behalf of the client.

If you are looking to implement something that doesn't fit into this pattern, you are probably better off using the RTDB REST API directly.

--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128

Martin André

Jan 5, 2022, 8:01:02 PM
to Firebase Google Group
Thanks for your answer! That's what I was thinking (no support for that).

I'm working with IoT devices which need to send data and retrieve their config on the Realtime Database.
My flow is pretty much the same as the one in this article, which I think is the only way to achieve that (?).
Maybe you have better advice on how to auth IoT devices and be able to access Firestore and Realtime Database?

Also, last question: why do I have access to Firestore using this method and not to the Realtime Database? (It does not make sense to me.)

tokenSource := config.TokenSource(context.Background(), cpeToken)
option := option.WithTokenSource(tokenSource)
FirestoreConn, err = firestore.NewClient(context.Background(), "project-name", option)

Thanks!




Hiranya Jayathilaka

Jan 6, 2022, 2:08:11 PM
to fireba...@googlegroups.com
Firestore SDK uses grpc under the hood, and they are likely allowing both client and server auth contexts on the same API. The Admin RTDB API uses REST, and is designed to accept only a server auth context.

As for accessing RTDB/Firestore from IoT devices I think you have 2 options, both of which are somewhat sub-optimal:

1. Use a Cloud Function as the proxy, and use the ID token verification based authorization to verify clients (i.e. the flow outlined in my previous message).
2. Use the REST APIs to directly access RTDB from the IoT device as a client. I assume you only need to perform a small set of DB operations from the device. It shouldn't be that difficult to implement those operations as REST interactions.

Personally I'd go with option 2, and avoid having to set up a proxy service altogether.
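
The REST approach from option 2, as an added example that is not part of the thread or of any Firebase SDK: it builds an RTDB REST request that carries the ID token in the `auth` query parameter (the one the first post found to work) and masks that token before the URL is logged. The function names, database URL, path and token are hypothetical placeholders.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// newRTDBRequest (hypothetical helper) puts a Firebase ID token in "auth".
// "access_token" is reserved for Google OAuth2 access tokens, hence the 401.
func newRTDBRequest(ctx context.Context, method, dbURL, path, idToken string, body interface{}) (*http.Request, error) {
	u, err := url.Parse(dbURL)
	if err != nil || u.Scheme != "https" {
		// Never send a bearer credential over a non-TLS or malformed URL.
		return nil, fmt.Errorf("database URL must be a valid https URL: %q", dbURL)
	}
	u.Path = "/" + strings.Trim(path, "/") + ".json" // REST paths end in .json
	u.RawQuery = url.Values{"auth": {idToken}}.Encode()

	var payload bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&payload).Encode(body); err != nil {
			return nil, err
		}
	}
	return http.NewRequestWithContext(ctx, method, u.String(), &payload)
}

// redactedURL returns the request URL with the token masked, for logging.
// It works on a copy, so the request itself is left untouched.
func redactedURL(req *http.Request) string {
	u := *req.URL
	q := u.Query()
	q.Set("auth", "REDACTED")
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	// Constructed values: placeholder database URL, path and token.
	req, err := newRTDBRequest(context.Background(), http.MethodPut,
		"https://example-project-default-rtdb.firebaseio.com",
		"devices/dev-1/state", "ID_TOKEN_PLACEHOLDER",
		map[string]interface{}{"online": true})
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, redactedURL(req)) // no network call is made here
}
```

Because the token travels in the query string, any proxy or access log on the path records it unless the URL is redacted as above; ID tokens also expire after an hour, so the device has to refresh before reuse.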
