Firebase bearer token from OAuth2 playground












I'm trying to test my application that uses Firebase for push notifications using Postman.

I'm specifically testing the HTTP v1 API, and looking at how to authorize the request.

What I need to get right is getting the OAuth2 token to use in Postman, which I should be able to do on the OAuth 2.0 Playground, although I'm not sure how.

I have my privatkey.json file that I've downloaded from the Firebase console; I just need to know how to use it to get the token that I would add as a bearer authorization header for my POST requests.










Tags: firebase, oauth-2.0, firebase-cloud-messaging














edited Nov 20 '18 at 14:07 by Frank van Puffelen
asked Nov 20 '18 at 13:08 by Lawrence Colombo
























2 Answers


















I was able to send a message through the FCM v1 HTTP API by requesting the following scopes in the OAuth2 playground:

email, https://www.googleapis.com/auth/firebase.messaging

[Image: Specifying scopes in OAuth2 playground]

After authorizing this, I exchanged the authorization code for refresh and access tokens.

[Image: Exchanging authorization code for tokens]

I then passed the resulting access token into the call with FCM:

    curl -X POST -H "Authorization: Bearer MY_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{
      "message": {
        "notification": {
          "title": "FCM Message",
          "body": "This is an FCM Message"
        },
        "token": "MY_DEVICE_TOKEN"
      }
    }' https://fcm.googleapis.com/v1/projects/MY_PROJECT_ID/messages:send

In the above curl request replace the following placeholders with the relevant values for you:

• MY_PROJECT_ID is the Firebase project ID, which you can get from the project settings page in the Firebase console.
• MY_DEVICE_TOKEN is the registration token of the device that you want to send the message to. For a web client, see how to get the current registration token.
• MY_ACCESS_TOKEN is the OAuth2 access token that you got from the OAuth2 playground using the steps outlined above.

The FCM documentation on authenticating FCM v1 requests may be confusing since it only calls out the OAuth2 token. It actually first generates a self-signed JWT (JSON Web Token) by calling new google.auth.JWT(...). This involves downloading a private key, and generating the JWT locally through a JWT library.

The self-signed JWT is then passed to jwtClient.authorize(...), which gives back tokens including an access_token. The latter is an OAuth2 access token, similar to the one we got above.















edited Nov 21 '18 at 20:31
answered Nov 21 '18 at 0:30 by Frank van Puffelen













• Does this mean that if someone were able to retrieve a registered Device ID, and my project ID, they could use the OAuth2 playground to circumvent the service-key.json file that would live in a production environment to send messages? – Lawrence Colombo, Nov 22 '18 at 7:00

• My expectation, based on accessing other features, is that the above flow only works if you're a member of the Firebase project. – Frank van Puffelen, Nov 22 '18 at 14:35



















I created a small project on GitHub that includes both a Postman collection and environment and a Node.js project that uses the downloaded service-key.json to generate an access token, which solves my problem above. It's not as elegant as using only Postman (which to me seems impossible), but it works well enough since the access tokens live for about an hour.

















answered Nov 22 '18 at 7:05 by Lawrence Colombo





























