I am trying to send a Firebase notification using the HTTP v1 api.
The process described in google's guide states, that I create a service-account-file.json
and later use that with the Google Auth Library, which does work.
However, I was wondering if there is a way to do this without using the library, via a POST/GET
request, the issue is, I can't find a way to avoid having to go through the google's oAuth-2.0 consent page (to get the authorization code to later exchange for an access and refresh token), mentioned here.
Is there another way just by using the content of the generated .json
file, just like the library does?
P.S I tried to dig in the library's calls without any luck
CodePudding user response:
I believe that you will want to use the JWT library to generate an access token for OAuth 2.0 as stated in the firebase document on Use credentials to mint access tokens. The reason that you would likely want to use the library to mint access tokens is that in order to Make an authorized API call, you would need to create and sign a JWT using an algorithm like RSA256 to generate the signature to send to the server. This ensures that the request that is being set for a set time duration is being created by your service account only and not by some arbitrary service otherwise.
To generate a JWT claim for a server side application, you would need to request (specifically for fcm) you would need to generate a JWT request that looks like this:
{
"iss": ${YOUR_SERVICE_ACCOUNT_ID},
"scope": "https://www.googleapis.com/auth/firebase.messaging",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
An explanation of the claims data structure can be found here.
You would then want to compute and encode the signature using a UTF-8 representation of the claim like this:
{Base64url encoded header}.{Base64url encoded claim set}
.
You then want to take that signature and make your request using it. The format would look like this:
{Base64url encoded header}.
{Base64url encoded claim set}.
{Base64url encoded signature}
and as an example from the site linked above, your specific request would look something like this:
{"alg":"RS256","typ":"JWT"}.
{
"iss": ${YOUR_SERVICE_ACCOUNT_ID},
"scope": "https://www.googleapis.com/auth/firebase.messaging",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}.
[signature bytes]
You would then base64 encode this utf-8 string and send it along to https://oauth2.googleapis.com/token
to mint a token using POST parameters of grant_Type (urn:ietf:params:oauth:grant-type:jwt-bearer) and assertion (your base64 encoded JWT from above with the signature).
This is a lot of work to do by hand and you will need to know the RSA using SHA-256 hashing algorithm to generate this (as its the only currently supported signing library), so that is why I believe Google recommends using the library as it does all this for you without needing to reimplement RSA signing or importing other signing libraries. The OAuth library that you linked in your gist above is for user OAuth, not machine or service account OAuth which avoids the Click to Authorize
action. Service accounts, can't click to Authorize, so signing requests is a valid way to generate OAuth credentials without making long lived requests arbitrarily and ensuring valid requests. Sorry for the long winded response, but once I found the service account documentation, I got really interested :)