Firebase bearer token from OAuth2 playground - firebase

I'm trying to test my application, which uses Firebase for push notifications, using Postman.
I'm specifically testing the HTTP v1 API, and looking at how to authorize the request.
What I need to get right is getting the OAuth2 token to use in Postman, which I should be able to do on the OAuth 2.0 playground, although I'm not sure how.
I have my privatkey.json file that I've downloaded from the Firebase console. I just need to know how to use it to get the token that I would add as a bearer authorization header for my POST requests.

I was able to send a message through the FCM v1 HTTP API by requesting the following scopes in the OAuth2 playground:
email, https://www.googleapis.com/auth/firebase.messaging
After authorizing this, I exchanged the authorization code for refresh and access tokens.
I then passed the resulting access token into the call with FCM:
curl -X POST \
  -H "Authorization: Bearer MY_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "message": {
      "notification": {
        "title": "FCM Message",
        "body": "This is an FCM Message"
      },
      "token": "MY_DEVICE_TOKEN"
    }
  }' \
  https://fcm.googleapis.com/v1/projects/MY_PROJECT_ID/messages:send
In the above CURL request replace the following placeholders with the relevant values for you:
MY_PROJECT_ID is the Firebase project ID, which you can get from the project settings page in the Firebase console
MY_DEVICE_TOKEN is the registration token of the device that you want to send the message to. For a web client, see how to get the current registration token.
MY_ACCESS_TOKEN is the OAuth2 access token that you got from the OAuth2 playground using the steps outlined above.
The FCM documentation on authenticating FCM v1 requests may be confusing since it only calls out the OAuth2 token. It actually first generates a self-signed JWT (JSON Web Token) by calling new google.auth.JWT(...). This involves downloading a private key, and generating the JWT locally through a JWT library.
The self-signed JWT is then passed to jwtClient.authorize(...), which gives back tokens including an access_token. The latter is an OAuth2 access token, similar to the one we got above.

I created a small project on GitHub that includes both a Postman collection and environment and a Node.js project that uses the downloaded service-key.json to generate an access token, which solves my problem above. It's not as elegant as using only Postman (which to me seems impossible), but it works well enough since the access tokens live for about an hour.

Related

Google Analytics API error: Request is missing required authentication credential

I'm trying to get info from Google Analytics from the API but always get this error:
I've made OAuth2 and got token, but I don't know where to put it.
Can someone explain what have I done wrong?
The issue you are having is that the call has not been authorized. To access private user data you need permission, which means you need to send a properly authorized access token along with your request.
This is sent as an Authorization header, something like this:
curl -X POST -H "Authorization: bearer xxxxxxxxxxxxxx" "https://analyticsreporting.googleapis.com/v4/reports:batchGet"

Get 401 "Signature mismatch. Authorization signature or client credential is wrong." (JS)

When I call the API to get a token, this message shows up and I don't know why or how to fix it.
And this is my Authorization: OAuth oauth_consumer_key="V3R6bm******DznqE-ellA", oauth_nonce="bbo8dYK6anE6JZsEIhj2RmKuEwV0****", oauth_signature="UQH1OnFWEscFbyZIx4DRn9qSOW+nvIlzCEgXrjm***=", oauth_signature_method="HMAC-SHA256", oauth_timestamp="1654152360", oauth_version="1.0"
Please refer to the below Steps to use OAuth 2.0 tokens and follow the instructions:
Step 1: Register your application
If you don't already have a HERE account, see Get a HERE account.
Sign in to developer.here.com.
Click your name, select Projects, and then your project from the list. Your project details and available application credentials are then displayed.
Select REST or HERE SDKs and click Generate App. When your application is created, its App ID is displayed.
Click Create Credentials to generate a maximum of two access keys for your application. The access key is created and displayed in a pop-up window. Download and securely store the access key secret. Also download the credentials.properties file as instructed.
Step 2: Get a token
For instructions on getting a token, see Code an OAuth 2.0 token request.
Step 3: Use the token
You have now successfully obtained an access bearer token to use in making REST requests to HERE APIs.
Include the token in the HTTP Authorization header of your REST requests as a bearer token:
Authorization: Bearer <token>
Sample REST Request
GET /maptile/2.1/maptile/newest/normal.day/13/4400/2686/256/png8
Host: 1.base.maps.ls.hereapi.com
Authorization: Bearer eyJhbGceOyJSAMPLEiIsImN0eSISAMPLEt7VTFIllwIM0cKNCjN2WCCTqlwEEmk-t3gx1BpqUFoeBSAMPLEvhj8nl-RBGcyoljY...
Cache-Control: no-cache
Note: If you are upgrading to API key and currently have old app code credentials, you can remove them by clicking Remove APP CODE credentials and use your new API key credentials in their place.
For more details refer to the following documentation link: https://developer.here.com/documentation/identity-access-management/dev_guide/topics/dev-token.html

Firebase Cloud Function HTTP Request Authorization

I have a scenario where I need to make a secure request to a Firebase Cloud Function from an external server using an HTTP request. In order to request it I need to send a bearer JWT token in the authorization header. After some time looking at the Google documents for Firebase/GCP I've found many different ways to authenticate using Google's different APIs, but I'm kinda lost on it.
I know that I need to use a service account in order to identify the machine that is calling instead of common human-user credentials. I also know that the service account provides a JSON file that contains secure information to identify that service account, like the private key. Looking at different docs I found this one that explains how to generate and request a token. After following those steps, I'm facing a 403 status when I try to call the cloud function using the resulting token.
I double checked the roles my service account has and I do have the ones the docs pointed me to.
Does anyone know or have any suggestions on how to proceed to have cloud function calls authorized by a machine (not human) interaction?
Edit 1:
As requested here I'm posting my JWT generator code:
const {
  private_key_id,
  private_key,
  client_email,
} = require('./serviceAccount.json');
const jwt = require('jsonwebtoken');

// Issue the assertion for the current time; exp may be at most one hour after iat.
const now = Math.floor(Date.now() / 1000);
const payload = {
  "iss": client_email,
  "sub": client_email,
  "iat": now,
  "exp": now + 3540,
  "aud": "https://oauth2.googleapis.com/token",
  "target_audience": "https://<project-region>.cloudfunctions.net/helloWorld"
};
// kid belongs in the JWT header, not the payload; jsonwebtoken sets alg and typ itself.
const token = jwt.sign(payload, private_key, { algorithm: 'RS256', keyid: private_key_id });
console.log(token);
With the resulting token from above I'm sending a POST request to https://oauth2.googleapis.com/token where the token is sent as the assertion field in form data.
After suggestions here I did some research and found this blog with instructions to generate an identity token using my service account. So I ran:
# Load the service account identity
gcloud auth activate-service-account --key-file=key.json
# Generate an id token
gcloud auth print-identity-token
The resulting token gave me the same result, a 403 - Forbidden error. The interesting part is that using my user credentials and using gcloud to generate an identity token I was able to request the Cloud Function with a 200 result.
I'm thinking that I'm missing some sort of role/privilege/scope in my service account configuration.
Make sure that the service account has the cloudfunctions.functions.invoke permission assigned in order to guarantee that the Cloud Function can be triggered from an external server using an HTTP request.
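Before looking at IAM, it helps to confirm the bearer token is actually an ID token addressed to the function. The following is an added example (not the asker's or answerer's code) that decodes a token's claims and lists what would stop a Cloud Function from accepting it; it does not check the signature, which only Google's published certificates can validate. The function URL, e-mail and sample tokens are constructed, unsigned stand-ins.

```javascript
// Added example: triage a token before sending it to a Cloud Function.
// An opaque access token (ya29...) or a JWT with the wrong aud both yield 403.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;   // access tokens are opaque, not JWTs
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

const GOOGLE_ISSUERS = new Set(['https://accounts.google.com', 'accounts.google.com']);

// Returns the reasons a token would not pass as an ID token for functionUrl (empty if none).
function idTokenProblems(token, functionUrl, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (!claims) return ['not a JWT: an access_token may have been sent instead of an id_token'];
  const problems = [];
  if (claims.aud !== functionUrl) problems.push(`aud is ${claims.aud}, expected ${functionUrl}`);
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('token expired');
  if (!claims.email) problems.push('no email claim: caller cannot be matched to a service account for IAM');
  if (!GOOGLE_ISSUERS.has(claims.iss)) problems.push(`unexpected issuer ${claims.iss}`);
  return problems;
}

// Constructed, unsigned sample tokens (hypothetical values) for local demonstration only.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const FUNCTION_URL = 'https://us-central1-example-project.cloudfunctions.net/helloWorld';
const CALLER = 'caller@example-project.iam.gserviceaccount.com';
const HEADER = b64url({ alg: 'RS256', typ: 'JWT' });
const GOOD_TOKEN = `${HEADER}.${b64url({
  iss: 'https://accounts.google.com', aud: FUNCTION_URL, email: CALLER, iat: 1700000000, exp: 1700003600,
})}.sig`;
// Same claims but aud left as the token endpoint, a common mix-up with the assertion's aud.
const WRONG_AUD_TOKEN = `${HEADER}.${b64url({
  iss: 'https://accounts.google.com', aud: 'https://oauth2.googleapis.com/token',
  email: CALLER, iat: 1700000000, exp: 1700003600,
})}.sig`;
const OPAQUE_ACCESS_TOKEN = 'ya29.constructed-opaque-access-token';
```

If the token passes these checks and the call still returns 403, the remaining cause is the invoker permission the answer above describes.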

import VAPID registrations into firebase asks for OAuth2

I'm following the steps described in google doc: import_push_subscriptions and I'm getting the 401 error message when trying to import one VAPID registration via curl:
"Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."
My request looks like this:
curl -X POST -H "Authorization: key=hidden-authorization-key" \
  -H "Content-Type: application/json" \
  -d @data.json https://iid.googleapis.com/v1/web/iid
And here is the data.json content
{
  "endpoint": "https://fcm.googleapis.com/fcm/send/hidden-endpoint-hash",
  "keys": {
    "auth": "hidden-auth",
    "p256dh": "hidden-p256dh"
  }
}
Note: we used the same hidden-authorization-key when we were importing iOS tokens via the batchImport endpoint described here: create_registration_tokens_for_apns_tokens, which worked as expected, but the web push import asks for OAuth2, which is strange since we are sending the Authorization: key header.
It seems that the Firebase team fixed it. I've just tried to send a newly created VAPID registration to Firebase and got the long token as a response.

Gitkit token service API returns 403 "cannot be identified with a client project" error

I am currently trying to use the Google Identity Toolkit Token Service REST API (https://developers.google.com/identity/toolkit/reference/securetoken/rest/v1/token) to generate an access token which I can use in my backend server.
When I specify "authorization_code" as "grant_type" and the gtoken cookie value after authentication as "code" in the POST request to https://securetoken.googleapis.com/v1/token, I get a 403 response with the following error message:
{
  "error": {
    "code": 403,
    "message": "The request cannot be identified with a client project. Please pass a valid API key with the request.",
    "status": "PERMISSION_DENIED"
  }
}
I inspected the gtoken value via a JWT decoder and it looks to be correct in format. In particular I can see that aud is set to my application/client ID. The documentation doesn't say anything about specifying an API key; usually I would expect that to be specified in the Authorization header. So I am not sure what I am missing here.
Any pointer to this matter would be appreciated.
An API key in the URL is required when calling Google Identity Toolkit APIs (including the Token Service API). However, I would suggest you take a look at the new version of the service, Firebase Authentication. The Firebase Auth SDK has built-in support for the Token Service API.