Firebase bearer token from OAuth2 playground
I'm trying to test my application that uses Firebase for push notifications using Postman.
I'm specifically testing the HTTP v1 API, and looking at how to authorize the request.
What I need to get right is getting the OAuth2 token to use in Postman, which I should be able to do on the OAuth 2.0 playground, although I'm not sure how.
I have my privatkey.json file that I've downloaded from the Firebase console; I just need to know how to use it to get the token that I would add as a bearer authorization header for my POST requests.
firebase oauth-2.0 firebase-cloud-messaging
edited Nov 20 '18 at 14:07 – Frank van Puffelen
asked Nov 20 '18 at 13:08 – Lawrence Colombo
2 Answers
I was able to send a message through the FCM v1 HTTP API by requesting the following scopes in the OAuth2 playground:
email, https://www.googleapis.com/auth/firebase.messaging
After authorizing this, I exchanged the authorization code for refresh and access tokens.
I then passed the resulting access token into the call with FCM:

    curl -X POST -H "Authorization: Bearer MY_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"message":{
        "notification": {
          "title": "FCM Message",
          "body": "This is an FCM Message"
        },
        "token": "MY_DEVICE_TOKEN"
      }
    }' https://fcm.googleapis.com/v1/projects/MY_PROJECT_ID/messages:send

In the above CURL request replace the following placeholders with the relevant values for you:
- MY_PROJECT_ID is the Firebase project ID, which you can get from the project settings page in the Firebase console.
- MY_DEVICE_TOKEN is the registration token of the device that you want to send the message to. For a web client, see how to get the current registration token.
- MY_ACCESS_TOKEN is the OAuth2 access token that you got from the OAuth2 playground using the steps outlined above.
The FCM documentation on authenticating FCM v1 requests may be confusing since it only calls out the OAuth2 token. It actually first generates a self-signed JWT (JSON Web Token) by calling new google.auth.JWT(...). This involves downloading a private key, and generating the JWT locally through a JWT library.
The self-signed JWT is then passed to jwtClient.authorize(...), which gives back tokens including an access_token. The latter is an OAuth2 access token, similar to the one we got above.
edited Nov 21 '18 at 20:31
answered Nov 21 '18 at 0:30 – Frank van Puffelen
Does this mean that if someone were able to retrieve a registered Device ID, and my project ID, they could use the OAuth2 playground to circumvent the service-key.json file that would live in a production environment to send messages? – Lawrence Colombo, Nov 22 '18 at 7:00
My expectation based on accessing other features, is that the above flow only works if you're a member of the Firebase project. – Frank van Puffelen, Nov 22 '18 at 14:35
I created a small project on GitHub that includes both a Postman collection and environment and a Node.js project that uses the downloaded service-key.json to generate an access token, which solves my problem above. It's not as elegant as using only Postman (which to me seems impossible), but it works well enough since the access tokens live for about an hour.
answered Nov 22 '18 at 7:05 – Lawrence Colombo
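The service-account flow that both answers describe (a locally signed JWT exchanged for an access token), as an added example that is not part of either answer or of the linked project: it builds and checks the signed assertion offline, without contacting Google. The key pair and account name are constructed samples, and the function names are hypothetical.

```javascript
const crypto = require("node:crypto");

const TOKEN_URI = "https://oauth2.googleapis.com/token";
const FCM_SCOPE = "https://www.googleapis.com/auth/firebase.messaging";
const b64url = (input) => Buffer.from(input).toString("base64url");

// Constructed stand-in for the downloaded key file: a throwaway RSA key pair
// and a made-up account name, so no real credential appears here.
function makeSampleKeyFile() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const keyFile = {
    client_email: "sample-sa@example-project.iam.gserviceaccount.com",
    private_key: privateKey,
    token_uri: TOKEN_URI,
  };
  return { keyFile, publicKey };
}

// Build the RS256-signed assertion (header.claims.signature). The claims name
// the service account, the requested scope, and a lifetime of one hour.
function buildAssertion(keyFile, scope, nowSeconds) {
  const header = { alg: "RS256", typ: "JWT" };
  const claims = {
    iss: keyFile.client_email,
    scope,
    aud: keyFile.token_uri,
    iat: nowSeconds,
    exp: nowSeconds + 3600,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("RSA-SHA256", Buffer.from(signingInput), keyFile.private_key);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Form-encoded body that would be POSTed to token_uri to obtain the access token.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// The check the token endpoint performs on its side: the signature must match
// the public key registered for the account named in "iss".
function verifyAssertion(assertion, publicKeyPem) {
  const [h, c, s] = assertion.split(".");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${c}`), publicKeyPem, Buffer.from(s, "base64url"));
  const claims = JSON.parse(Buffer.from(c, "base64url").toString("utf8"));
  return { ok, claims };
}
```

POSTing that body to token_uri as application/x-www-form-urlencoded returns the access_token that goes into the Authorization: Bearer header; an assertion signed with any other key fails the signature check.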