Authenticate on Realtime Database using an IdToken using the Go Admin SDK
Question
When using the Firebase Admin SDK in Go, I'm facing an issue where I can't authenticate on the Realtime Database.
Here's how I start the database connection:
    option := option.WithTokenSource(tokenSource)
    app, err := firebase.NewApp(context.Background(), &firebase.Config{
        DatabaseURL: "https://databaseName.europe-west1.firebasedatabase.app/",
        ProjectID:   "projectId",
    }, option)
    client, err := app.Database(context.Background())
The tokenSource is a custom TokenSource that returns a ReuseTokenSource. I've overridden the Token() method to fit my needs, which is: get an IdToken from a custom endpoint at first and then, when the IdToken is expired, refresh it from the securetoken.googleapis.com endpoint.
But with this method, whenever I try to access my Realtime database, I get the following error:
http error status: 401; reason: Unauthorized request.
Even if the Rules for the Database are fully open (read/write=true).
The Token being used is correct too, as I can use it in an HTTP request; the only tweak is that I have to use ?auth=IDTOKEN instead of ?access_token=TOKEN (see here).
TLDR: How can I use an IdToken inside the Go Admin SDK to authenticate the service to the Realtime Database? (Just adding that I can authenticate the service on the Firestore Database with the same method and token.)
Thank you!
Answer 1
Score: 2
The Admin SDK authenticates with backend services via OAuth2 (by passing an Authorization header with an OAuth2 bearer token). So you must use a TokenSource that produces OAuth2 tokens. ID tokens are generally only used for client-side auth. Here's an example that I've used in the past:
    // jsonKeyBytes contains the bytes from a service account json file.
    conf, err := google.JWTConfigFromJSON(jsonKeyBytes)
    ts := conf.TokenSource(ctx)
    firebase.NewApp(ctx, nil, option.WithTokenSource(ts))
However, typically you would directly initialize the Admin SDK with a service account or Google Application Default Credentials, in which case you don't have to do any of this.
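The distinction drawn above, as an added example that is not from the answer or the Firebase SDK: a standard-library Go check that tells a Firebase ID token from an OAuth2 access token and attaches each to a Realtime Database REST request the way the question and answer describe. The names isFirebaseIDToken, newRTDBRequest and constructedIDToken are hypothetical, the sample tokens are constructed and unsigned, and the check assumes ID tokens carry an issuer under https://securetoken.google.com/.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// isFirebaseIDToken reports whether tok is a three-part JWT issued by the
// Firebase secure-token service. The signature is NOT verified: diagnostic only.
func isFirebaseIDToken(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false // e.g. an opaque OAuth2 access token
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Iss string `json:"iss"` }
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return false
	}
	return strings.HasPrefix(claims.Iss, "https://securetoken.google.com/")
}

// newRTDBRequest (hypothetical helper) builds a REST read of path for either token type.
func newRTDBRequest(dbURL, path, tok string) (*http.Request, error) {
	target := strings.TrimRight(dbURL, "/") + "/" + strings.Trim(path, "/") + ".json"
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	if isFirebaseIDToken(tok) {
		req.URL.RawQuery = url.Values{"auth": {tok}}.Encode() // ID token: ?auth=
	} else {
		req.Header.Set("Authorization", "Bearer "+tok) // OAuth2 token: header
	}
	return req, nil
}

// constructedIDToken returns an unsigned sample JWT built for this example only.
func constructedIDToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(`{"iss":"https://securetoken.google.com/projectId"}`)) + ".sig"
}

func main() {
	fmt.Println(isFirebaseIDToken(constructedIDToken()), isFirebaseIDToken("ya29.constructed"))
}
```

A custom TokenSource can run the same check before returning a token, so an ID token is rejected locally instead of surfacing as a 401 from the database. Credentials carried in a query string also tend to be recorded in proxy and server logs, which the header form avoids.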