Firebase - NodeJS: Domain-Wide Delegation with OAuth2 for Google API

Question

Goal:

This Firebase Cloud Function should use Cloud APIs with domain-wide delegation so any user can update some G Suite Admin Panel user information when the Firebase DB changes.

Question:

Which package's method should I use to gain domian-wide delegation for my app.

firebase: firebase.auth.GoogleAuthProvider()
googleapis: google.auth.OAuth2
google-auth-library: new GoogleAuth()

Details:

I'm not connecting the dots regarding the Google Identity Platform, and I am stuck here at this step. How does a firebase-hosted nodejs app put together a web and access token for Google API requests?

Firebase projects use Google Cloud Platform projects, so

I have...

Added to the project a service account actor via API/Credentials in the GCP-Console
Checked the Enable G Suite Domain-wide Delegation box
Stored the private_key.JSON.
Authorized API Clients (in the G Suite Admin Panel) with the Service Account Client ID

Should I Use...

Firebase: Maybe look into the whitelisting area of Google OAuth2 settings, and/or work with the services.json I got from firebase.

Google API via googleapis: Even though I'm using firebase.auth.GoogleAuthProvider() to validate the user, maybe use google.auth.OAuth2 to get domain-wide delegation from GCP (like app or compute engine)

Google Auth via google-auth-library: Again, even though I'm using firebase.auth.GoogleAuthProvider() to validate the user, maybe use new GoogleAuth() to get domain-wide delegation from GCP (like app or compute engine)

Updates

I've learned:

Google's npm package googleapis is not for clients (browsers). I'm now trying to using it in Firebase Cloud Functions

Chadd Chadd · Accepted Answer · 2017-11-08T21:13:31

The answer is:

Use googleapis for service account authentication with JWT Service Tokens.

Example

The code below is deployed to Firebase Cloud Functions and the logs seem to indicate authentication is successful.

Firebase Functions Logs

3:56:35.101 PM authorize Function execution started
3:56:35.620 PM authorize Successfully connected!
3:56:35.668 PM authorize Function execution took 568 ms, finished with status code: 200

NodeJS Code

// Firebase Admin SDK
const functions = require('firebase-functions')
const admin = require('firebase-admin')
admin.initializeApp(functions.config().firebase)

// Google APIs
const googleapis = require('googleapis')
const drive = googleapis.drive('v3')
const gsuiteAdmin = googleapis.admin('directory_v1')

// Service Account Key - JSON
let privatekey = require("./privatekey.json")

let jwtClient = new googleapis.auth.JWT(
    privatekey.client_email,
    null,
    privatekey.private_key,
    ['https://www.googleapis.com/auth/drive',
        'https://www.googleapis.com/auth/admin.directory.user'])

// Firebase Cloud Functions - REST
exports.authorize = functions.https.onRequest((request, response) => {
    //authenticate request
    jwtClient.authorize(function (err, tokens) {
        if (err) {
            console.log(err)
            return
        } else {
            console.log("Successfully connected!")
        }
        response.send("Successfully connected!")
    })
})