Swift + Vapor framework for server + Xcode 8.1
I am trying to read Firebase Realtime Database making HTTP requests to my DB, but I get permission denied.
These are the steps:
1. create JWT sign it with secret key downloaded from "console.developers.google.com"
2. send POST request to OAuth2 server and get access token
3. send GET request to firebase database with access token received from OAuth2 server.
I get "Permission denied", HTTP/1.1 403 Forbidden
// the header of the JSON Web Token (first part of the JWT)
let headerJWT = ["alg":"RS256","typ":"JWT"]
// the claim set of the JSON Web Token
let jwtClaimSet =
["iss":"firebase-adminsdk-kxx5h#fir-30c9e.iam.gserviceaccount.com",
"scope":"https://www.googleapis.com/auth/firebase.database", //is this the correct API to access firebase database?
"aud":"https://www.googleapis.com/oauth2/v4/token",
"exp": expDate,
"iat": iatDate]
drop.get("access") { request in
var accesstoken = "ya29.ElqhA-....XXXX"
let responseFirebase = try drop.client.get("https://fir- 30c9e.firebaseio.com/data/Users.json",
headers: ["Authorization":"Bearer \(accesstoken)"],
query: [:])
print("FirebaseResponse_is \(responseFirebase)")
return "success"
}
TLDR; Try placing auth=<TOKEN> in your query string instead of using the authorization header.
The Firebase documentation is unclear on how this works. According to the documentation, there are three methods that should work.
auth=<TOKEN> in query string (link)
access_token=<TOKEN> in query string (link)
Authorization: Bearer <TOKEN> in request header (link)
I'm not convinced that all three methods do actually work however. I'm using method 1 in my application, so I know that one works for sure.
The scope key was missing value https://www.googleapis.com/auth/userinfo.email
let jwtClaimSet =
["iss":"firebase-adminsdk-kxx5h#fir-30c9e.iam.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/firebase.database
https://www.googleapis.com/auth/userinfo.email",
"aud":"https://www.googleapis.com/oauth2/v4/token",
"exp": expDate,
"iat": iatDate]
I found the answer browsing google groups here
headers: ["Authorization":"Authorization: Bearer \(accesstoken)"],
should be
headers: ["Authorization":"Bearer \(accesstoken)"],
Related
I have simple test callable function deployed via firebase deploy --only functions.
Here it's content:
export const test = region('europe-west1').https.onCall((data, context) => {
logger.debug('test call info', data, context);
return 'hello, world!';
});
I can successfully call it by doing HTTP call to https://europe-west1-{project}.cloudfunctions.net/test and recieve {"result": "hello, world!"}.
Now want to protect this function via IAM policies.
I create new service account and load it's credentials json.
I go to console and remove from allUsers a Cloud Functions Invoker role and add service account created in #1 with Cloud Functions Invoker role.
<--- Now I recieve 403 Forbidden when I try to call my test function, as expected
I create id-token with my service account at my PC
const auth = new GoogleAuth({keyFile: './key.json'});
targetAudience = new URL('https://europe-west1-{project}.cloudfunctions.net/test');
const client = await auth.getIdTokenClient(targetAudience as string);
const idToken = await client.idTokenProvider.fetchIdToken(targetAudience as string);
console.log(idToken);
I verify my token is correct and issued for the right service account via https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={{id-token}}.
I call my endpoint with Authorization: Bearer {{id-token}} header.
I get 401 Unauthorized error with JSON telling me
{
"error": {
"message": "Unauthenticated",
"status": "UNAUTHENTICATED"
}
}
I'm in pain since after reading most of google cloud docs, SO (1, 2), etc. it seems that I do everything right but still get this error.
UPD1: providing additional info to #DazWilkin
1.
gcloud auth activate-service-account cloud-functions-invoker#{project-id}.iam.gserviceaccount.com --key-file="key.json"
Activated service account credentials for: [cloud-functions-invoker#{project-id}.iam.gserviceaccount.com]
gcloud projects get-iam-policy {project-id}
...
- members:
- serviceAccount:cloud-functions-admin#{project-id}.iam.gserviceaccount.com
- serviceAccount:cloud-functions-invoker#{project-id}.iam.gserviceaccount.com
role: roles/cloudfunctions.invoker
...
I copy this value gcloud auth print-identity-token | clip
Here is what I get after calling https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={{id-token}}
{
"aud": "32555940559.apps.googleusercontent.com",
"azp": "cloud-functions-invoker#{project-id}.iam.gserviceaccount.com",
"email": "cloud-functions-invoker#{project-id}.iam.gserviceaccount.com",
"email_verified": "true",
"exp": "1629157648",
"iat": "1629154048",
"iss": "https://accounts.google.com",
"sub": "114693730231812960252",
"alg": "RS256",
"kid": "6ef4bd908591f697a8a9b893b03e6a77eb04e51f",
"typ": "JWT"
}
I make this curl (copied from postman). I've also tried same curl with command-line - got same result.
curl --location --request POST 'https://europe-west1-{project-id}.cloudfunctions.net/test' \
--header 'Authorization: Bearer
{token}
' \
--header 'Content-Type: application/json' \
--data-raw '{
"data": {
"goodbye": "world:("
}
}'
UPD2: new input
This behaviour is observed only with callable functions https.onCall(). If I use https.onRequest() things work fine but I'm still confused about onCall behaviour, since it seems that I implement protocol correctly (see my curl).
OMG!!!!!
TL;DR: callable functions are only for end users authenticated with firebase auth and can't be used with IAM tokens. Only way to use them is with roles/cloudfunctions.invoker assigned to allUsers.
The thing is... I was looking into callable functions protocol specification here: https://firebase.google.com/docs/functions/callable-reference.
It says:
The HTTP request to a callable trigger endpoint must be a POST with the following headers:
...
Optional: Authorization: Bearer
A Firebase Authentication user ID token for the logged-in user making the request. The backend automatically verifies this token and makes it available in the handler's context. If the token is not valid, the request is rejected.
I was thinking specification means that we shall pass our service account id-token here and I was trying to do so (such as with onRequest functions). BUT SUDDENLY, token is interpreted differently there. It's a user token which is obtained through firebase auth. And it's even stated in the documentation one level deeper (1, 2):
Warning: The ID token verification methods included in the Firebase Admin SDKs are meant to verify ID tokens that come from the client SDKs, not the custom tokens that you create with the Admin SDKs. See Auth tokens for more information.
Missing this warning costed me 3 days of pain.
Any ideas why this is. I have configured a Server Application and a Web API and an ID Token, Access Token & Refresh token is issued. However calling the userinfo endpoint return a 401 with the following header message:
WWW-Authenticate →Bearer error="invalid_token", error_description="MSIS9920: Received invalid UserInfo request. The access token in request is not valid."
The access token is valid according to http://jwt.io
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVVbEw5a1JocDJNLUVzTDlBRDJOQ055aHZtdyJ9.eyJhdWQiOiJ1cm46bWljcm9zb2Z0OnVzZXJpbmZvIiwiaXNzIjoiaHR0cDovL3Rlc3Rsb2dpbi51bm9wcy5vcmcvYWRmcy9zZXJ2aWNlcy90cnVzdCIsImlhdCI6MTQ4NjYyOTUxOSwiZXhwIjoxNDg2NjMzMTE5LCJhcHB0eXBlIjoiQ29uZmlkZW50aWFsIiwiYXBwaWQiOiJrbnVkIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwiYXV0aF90aW1lIjoiMjAxNy0wMi0wOVQwODozMjo1Ny4xNDZaIiwidmVyIjoiMS4wIiwic2NwIjoib3BlbmlkIiwic3ViIjoiM2krUGlyRncwSVlkdDVzTVNKQlpKbjVOTXZVWXZVdyt2WHI2Ujd1N0dBZz0ifQ.ajKtSk0xQE1crJkIA-lMLBZj2DtYE6xQo-Stmevh4pOGX17GEePbAFP-g6qPUwtGT_whVj74wRpSlyTBscp2JDsp_CW2E6BsTUI810S6jYRVjkYGxL1QcL1KoKJ8wyYKcxsCeOY2IUKNPnJOxV53Rs8E9EvJgjcsjTJHQw5Z_zC43dsTfCZvVfGrwJ3nn6BGxhIE_bEXvrWdgmg49V7-KK2kVDbDwJGr1iLpqU88-bkHdjGCIuc8XKX5pobWWlcyBmR_dpACM6Tu-d8jYJ_8mbof-eZrqn8YS61rgvRAhAAONyDklWcPgiYnhcMQVHZoCME-rVTjI6LDDY2czhL0rg
This question is asked long time ago but let me share my experience.
if you want to execute ADFS 4.0 userInfo endpoint(win server 2016) in a hope to get User profile but what i experienced is it return only Sub attribute
ex:
{
"sub": "MpR57wSIQz1kiR2uUMrkCQadbgDoztWmMV863Dugdso="
}
for anyone to try UserInfo endpoint you need to modify your application group, add api with Identitfier https://adfs.example.com/adfs/userinfo & at Client permission tab tick openId.
for execution of userinfo
Ex:
curl -X GET \
https://adfs.example.com/adfs/userinfo \
-H 'Authorization: Bearer ACCESS_TOKEN
Note: In your Acquire Accesstoken code you need to pass your resource = urn:microsoft:userinfo
The ADFS userinfo endpoint always returns the subject claim as
specified in the OpenID standards. AD FS does not provide additional
claims requested via the UserInfo endpoint. If you need additional
claims in ID token, refer to Custom ID Tokens in AD FS.
I've only done this once so I don't have much suggestions to make yet. So I cant make any suggested unless there is more detail.
You should try and get more evidence from the AD FS side. Enable debug logs using
wevtutil sl "ad fs tracing/debug" /l:5 /e:true
Do the repro and then disable logs as follows.
wevtutil sl "ad fs tracing/debug" /e:false
Then export the logs to view using
wevtutil epl "ad fs tracing/debug" c:\temp\userinfoerr.evtx
Open that event log in event viewer and have look and see what other errors are reported around validating the JWT.
I have installed Laravel Passport per the documentation and I have modified all areas of my code that is required.
I am working on setting up Password Grant Tokens so that users will be able to get an API token when logging in with their username and password for the site. I am hitting an issue though when it comes to the grant_type.
For some reason Laravel is complaining about an invalid grant type.
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
These are the fields that I am posting to /oauth/token
client_id = 4
client_secret = SMiYE7XqDNtXKQnmkYmFnXxfAaV83vRhnJ9zwCtZ
username = jcrawford#domain.com
password = **************
grant_type = password
scope = *
I have run php artisan passport:install and I have also tried running php artisan passport:client --password
Both commands worked and both created the client and secrets, however, I cannot seem to get past the error about the grant_type.
Any suggestions on what I should look at to get this solved so that Password Grant Tokens will work for me?
It appears that you must send the parameters as form data and not in the headers like I was doing... Rookie Mistake!
I'm using Postman and I have put all parameters in Params. Postman shows the following response
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
Now I put all parameters in Body and then press the Send button, It's working well.
For me the problem was that i wasnt using Request $request, i was using RegisterRequest $request which i had created.
Initial URL
https://restfulapi.test/oauth/authorize?client_id=3&redirect_url=http://restfulapi.test?response_type=code
Solution
https://restfulapi.test/oauth/authorize?client_id=3&redirect_url=http://restfulapi.test&response_type=code
I had to replace the question mark before response_type with the &
Reading the Laravel documentation saved me a lot of stress. The oauth\token is used to retrieve token using the grant type specified, the route will return a JSON response containing access_token, refresh_token, and expires_in attributes. The expires_in attribute contains the number of seconds until the access token expires (ref) You are meant to
Install passport
Publish the service providers and migrations and migrate.
Setup a route for login/register to create an account and login.
In your User model, add HasApiTokens from use Laravel\Passport\HasApiTokens;
In your response in your login method, add the token as part of the response.
Test your response on postman
I'm trying to query a Firebase database from a Service Worker using the Fetch API. However it doesn't work as expected as I can't get authenticated correctly.
Basically what I'm trying to do is from origin https://myproject.firebaseapp.com inside a Service Worker I do a call like this :
var fetchOptions = {};
fetchOptions.credentials = 'include';
var url = options.messageUrl;
var request = new Request('https://myproject.firebaseio.com/user/foobar.json', fetchOptions);
messagePromise = fetch(request).then(function(response) {
return response.json();
});
I'm getting this error :
Fetch API cannot load https://myproject.firebaseio.com/user/foobar.json. Response to preflight request doesn't pass access control check: Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. Origin 'https://myproject.firebaseapp.com' is therefore not allowed access.
Any idea of a way to fix it? How one should do to query/update the Firebase database from a SW?
I've read https://jakearchibald.com/2014/using-serviceworker-today/ and one of the gotcha was exactly that problem, the fact that Fetch request do not send authentification.
Ideally it would be great to be able to use the Firebase JS API inside a SW but this doesn't seem to work as well.
Firebase doesn't store authentication info as a cookie or in anything that would be sent along in the credentials, so there's no need to send them in your fetch request. Instead, you'll need to pull the token from Firebase Auth:
firebase.auth().currentUser.getToken(true).then(function(token) {
// token is the value you'll need to remember for later
});
Once you've got the token, you should be able to add it as a query parameter to the REST request e.g. ?auth={THE_TOKEN}. This will allow you to make your authenticated request in the Service Worker.
I am able to get an access token for my native application using POST to Azure AD via this method (from the official MS guide): https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
Per the example, if I send a request like this to the POST url:
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=[id]&client_secret=[secret]&resource=[resourceURI]
Then per the documentation, I only get the following fields (full JSON response below):
{
"token_type": "Bearer",
"expires_in": "3599",
"expires_on": "1428372149",
"not_before": "1428368249",
"resource": "http://myresource",
"access_token": "asdfghjkl"
}
What I want is a refresh token as well. Is there a way to alter the request to get one?