2
votes

I'm trying to use the Firebase REST API by creating an anonymous user by calling:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/signupNewUser?key=[API_KEY].

No problem there, response (modified it a bit for secrecy):

{
 "kind": "identitytoolkit#SignupNewUserResponse",
 "idToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0NTBiMGJhOWUzMTcyMmUwOTBlZDIxMzViY2RiN2MxNzdhMzJmMjcifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vZmlzaGluYy1hcHAiLCJwcm92aWRlcl9pZCI6ImFub255bW91cyIsImL1ZCI6ImZpc2hpbmMtYXBwIiwiYXV0aF90aW1lIjoxNTAzMDQ1NjY4LCJ1c2VyX2lkIjoiQ2hKRUJ3Vk5HeVA0NmtEQzA3d1VKMUJ3Y3Q3MyIsInN1YiI6IkNoSkVCd1ZOR3lQNDZrRENwN3dVSjFCd2N0NzMiLCJpYXQiOjE1MDMwNDU2NjgsImV4cCI6MTUwMzA0OTI2OCwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6e30sInNpZ25faW5fcHJvdmlkZXIiOiJhbm9ueW1vdXMifX0.jdMuPVGvMT6qZoxynpGMqURqg9zrVbPl1kXxmbHoglGgi9u1HHwQft5hhKIS3QbS87-rr5BcEitCu5seHcDlWl3rzEx87fctHmY4z-vDqUUKIqjKHfB0q04SbzBKVUvuUg9O-ACWMDLWFZ54U4ALK7kFdlBti3600kqw_4-UGURa2jIPpOse9f8HIz_qGaO_5kptjO6v4drLhY6PPH_h1kO4p1DITWt6pfdn_E_tAqXZgsCK3iKhu4bYUc2DgiUfR7q3dfzravQyz2nrpDN6S3Z_NdzxiKRuyasPr7kpeqxGaAPCYX84P_GL6r-EEFCcVeouRukRvloRpoezOSkeRg",
 "refreshToken": "APRrRCIqIUK5BiJIjpIt-ZtSdvn6ybONtTccCPOzIWAxg9qsClqdR82vqYmb0TMS1xngpCvlbIzgTSDTycvSoSYgua1r-6RlAt83Z2jXKTAnGalAHQLsC_gpUeF7js9PWl8O8PP5KF64coel22pgysd39QwC2Z2yf6zJj7xoozF0eaLjmkyvzqs",
 "expiresIn": "3600",
 "localId": "ChJEBwVNGyP46kDC07wUJ1Bwct73"
}

I was under the impression that I've now got an "authed"/logged in user. And that I can read data from the Realtime DB by using the idToken (provided that the only rules are that the user is authed).

But this doesn't seem to be the case (I receive "Unauthorized request."), or am I missing something? After googling it seems that I need a custom backend to "convert" the idToken into an access token. Is that correct?

1
Couldn't you allow read w/o authentication? firebase.google.com/docs/database/security This would be the simplest way. - Thomas
I could, but I don't want anyone to access the DB at all times. Only anonymous users who got created, since they will only have write/read access to their own data. - Whyser

1 Answer

3
votes

Uhhh. It seems the documentation is a bit confusing, which says:

Supported by all request types. Authenticates this request to allow access to data protected by Firebase Realtime Database Rules. See the REST authentication documentation for details.

curl 'https://[PROJECT_ID].firebaseio.com/users/jack/name.json?access_token=CREDENTIAL'

But using the access_token parameter is wrong (in my case at least); I needed to use "auth" instead.

So this will work:

curl 'https://[PROJECT_ID].firebaseio.com/users/jack/name.json?auth=myIdTokenHere'
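
An added example, not part of the original answer: the Realtime Database REST API takes a Firebase ID token (the idToken returned by signupNewUser) in `auth` and a Google OAuth2 access token in `access_token`, so this sketch inspects the credential and picks the matching parameter. The function names, the `[PROJECT_ID].firebaseio.com` host form and the sample token are assumptions made for illustration; the token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

# "iss" prefix carried by Firebase ID tokens (the idToken from signupNewUser).
FIREBASE_ISS_PREFIX = "https://securetoken.google.com/"


def firebase_id_token_claims(credential):
    """Return the claims if credential looks like a Firebase ID token, else None.

    Classification only: the signature is NOT verified here.
    """
    parts = credential.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if not str(claims.get("iss", "")).startswith(FIREBASE_ISS_PREFIX):
        return None
    return claims


def rtdb_url(project_id, path, credential, now=None):
    """Build a Realtime Database REST URL with the query parameter that fits."""
    claims = firebase_id_token_claims(credential)
    if claims is None:
        param = "access_token"  # assumption: anything else is an OAuth2 access token
    elif claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("ID token expired; refresh it before calling")
    else:
        param = "auth"  # Firebase ID token
    base = f"https://{project_id}.firebaseio.com/{quote(path.strip('/'))}.json"
    return f"{base}?{urlencode({param: credential})}"


def make_sample_id_token(project_id, iat):
    """Constructed, unsigned sample token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": FIREBASE_ISS_PREFIX + project_id, "aud": project_id,
              "sub": "sample-uid", "iat": iat, "exp": iat + 3600}
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])
```

Either parameter puts the credential in the URL, so it ends up in shell history and in proxy or server logs; the token's one-hour lifetime (expiresIn 3600) limits that exposure but does not remove it.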