Authenticate on Realtime Database using an IdToken using the Go Admin SDK

Question

When using the Firebase Admin SDK in Go, I'm facing an issue where I can't authenticate on the Realtime Database.

Here's how I start the database connection:

option := option.WithTokenSource(tokenSource)
app, err := firebase.NewApp(context.Background(), &firebase.Config{
	DatabaseURL: "https://databaseName.europe-west1.firebasedatabase.app/",
	ProjectID:   "projectId",
}, option)
client, err := app.Database(context.Background())

The tokenSource is a custom TokenSource that returns a ReuseTokenSource. I've overridden the Token() method to fit my needs, which is: get an IdToken from a custom endpoint at first and then, when the IdToken is expired, refresh it from the securetoken.googleapis.com endpoint.

But with this method, whenever I try to access my Realtime database, I get the following error:

http error status: 401; reason: Unauthorized request.

Even if the Rules for the Database are fully open (read/write=true).

The token being used is correct too, as I can use it in an HTTP request; the only tweak is that I have to use ?auth=IDTOKEN instead of ?access_token=TOKEN (see here).

TLDR: How can I use an IdToken inside the Go Admin SDK to authenticate the service to the Realtime Database? (Just adding that I can authenticate the service on the Firestore Database with the same method and token.)

Thank you!

Answer 1

Score: 2

The Admin SDK authenticates with backend services via OAuth2 (by passing an Authorization header with an OAuth2 bearer token). So you must use a TokenSource that produces OAuth2 tokens. ID tokens are generally only used for client-side auth. Here's an example that I've used in the past:

// jsonKeyBytes contains the bytes from a service account json file.
conf, err := google.JWTConfigFromJSON(jsonKeyBytes)

ts := conf.TokenSource(ctx)
firebase.NewApp(ctx, nil, option.WithTokenSource(ts))

However, typically you would directly initialize the Admin SDK with a service account or Google Application Default Credentials, in which case you don't have to do any of this.
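
The token-type distinction discussed in the question and answer, as an added example (not code from the original posts or from the Firebase SDK): it uses only the Go standard library to decide how a token has to be presented to the Realtime Database REST API, sending an ID token as ?auth= and anything else as an OAuth2 bearer header. The function names isFirebaseIDToken and newRTDBRequest are hypothetical, the sample token is constructed, and the check assumes Firebase ID tokens carry an issuer under https://securetoken.google.com/.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// isFirebaseIDToken (hypothetical helper) reports whether tok looks like a
// Firebase Auth ID token: a three-part JWT whose "iss" claim is under
// securetoken.google.com. The claim is read WITHOUT verifying the signature,
// so this only routes the token; it is not an authentication check.
func isFirebaseIDToken(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false // e.g. an opaque OAuth2 access token
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Iss string `json:"iss"` }
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return false
	}
	return strings.HasPrefix(claims.Iss, "https://securetoken.google.com/")
}

// newRTDBRequest (hypothetical helper) builds a GET for the Realtime Database
// REST API and attaches tok in the form that token type is accepted in.
func newRTDBRequest(dbURL, path, tok string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(dbURL, "/")+path+".json", nil)
	if err != nil {
		return nil, err
	}
	if isFirebaseIDToken(tok) {
		q := req.URL.Query()
		q.Set("auth", tok) // ID token: ?auth=IDTOKEN
		req.URL.RawQuery = q.Encode()
	} else {
		req.Header.Set("Authorization", "Bearer "+tok) // OAuth2 access token
	}
	return req, nil
}

func main() {
	// Constructed, unsigned sample ID token with a placeholder project id.
	claims := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://securetoken.google.com/projectId"}`))
	req, _ := newRTDBRequest("https://databaseName.europe-west1.firebasedatabase.app/", "/users", "e30."+claims+".sig")
	fmt.Println(req.URL.Query().Has("auth"), req.Header.Get("Authorization") == "")
}
```

The same isFirebaseIDToken check can run inside a custom TokenSource before a token is returned to the Admin SDK, so an ID token is rejected early instead of surfacing as a 401 from the database.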

huangapple
  • Posted on January 6, 2022, 00:47:37
  • When reposting, be sure to keep the link to this article: https://go.coder-hub.com/70596538.html