使用自定义令牌以管理员身份向FB DB发出REST请求 [英] Using Custom Tokens to make REST requests to FB DB as an admin
问题描述
PATCH
来更新Firebase数据库中的资源。 这些PATCH请求曾经由我们的服务器使用 admin
来声明基于此的声明: https://www.firebase.com/docs/rest/guide/user-auth.htm
对于新的DB,我生成了JWT标记(使用 ruby-jwt
),如下所示: p>
有效负载= {
aud:https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1。 IdentityToolkit,
声明:custom_claims.merge({admin:true}),
exp:now_seconds +(60 * 60),#最大过期时间为一小时
iat:now_seconds,
iss:service_account_email,
sub:service_account_email,
uid:uid
}
JWT.encode(payload,private_key,RS256)
$ b $使用此令牌向Firebase数据库发送请求失败:在auth头文件中缺少声明'kid'
PATCH >
这里是使用ruby googleauth模块的Michael Bleigh答案的等价物:
要求'googleauth'
范围= ['https://www.googleapis.com/auth/userinfo.email','https ://www.googleapis.com/auth/firebase.database']
auth = :: Google :: Auth.get_application_default(作用域)
auth_client = auth.dup
auth_client.sub = service-account-email-here@yourapp.iam.gserviceaccount.com
token = auth_client.fetch_access_token!
您还需要设置 GOOGLE_APPLICATION_CREDENTIALS
环境变量到您的服务帐户JSON文件的路径。在这个JSON文件中 auth_client.sub
的值来自 client_email
。
当然,如上所述,这仅在您控制的服务器应用程序中有效。另外,向firebase REST API发出请求仍然是读者的一个练习。
引用 / p>
- https://developers.google.com/api-client-library/ruby/auth/service-accounts#authorizingrequests
- https://developers.google.com/identity/protocols/application-default-credentials #whentouse
I'm migrating to the new database and 3.0 client libs. I'm updating the part which generates a custom auth token (on our server) to do a PATCH
to update a resource in the Firebase DB.
These PATCH requests used to be made by our server to Firebase using admin
claims based on this: https://www.firebase.com/docs/rest/guide/user-auth.htm
For the new DB, I'm generating the JWT token (using ruby-jwt
) like this:
payload = {
aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
claims: custom_claims.merge({ admin: true }),
exp: now_seconds + (60 * 60), # Maximum expiration time is one hour
iat: now_seconds,
iss: service_account_email,
sub: service_account_email,
uid: uid
}
JWT.encode(payload, private_key, "RS256")
A PATCH
request with this token to the Firebase DB fails with: Missing claim 'kid' in auth header
.
Here is the equivalent of Michael Bleigh's answer using the ruby googleauth module:
require 'googleauth'
scopes = [ 'https://www.googleapis.com/auth/userinfo.email', 'https://www.googleapis.com/auth/firebase.database']
auth = ::Google::Auth.get_application_default(scopes)
auth_client = auth.dup
auth_client.sub = "service-account-email-here@yourapp.iam.gserviceaccount.com"
token = auth_client.fetch_access_token!
You will also need to set the GOOGLE_APPLICATION_CREDENTIALS
environment variable to the path of your service account JSON file. the value for auth_client.sub
comes from client_email
in this JSON file.
Of course, as above, this is only valid in a server application you control.
Also, making the request to the firebase REST API is still an exercise for the reader.
references
- https://developers.google.com/api-client-library/ruby/auth/service-accounts#authorizingrequests
- https://developers.google.com/identity/protocols/application-default-credentials#whentouse
这篇关于使用自定义令牌以管理员身份向FB DB发出REST请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!