1

I have successfully verified the user ID Token on my node.js backend (as described here), and now I want to access the Google Spreadsheets API on behalf of that user, but I can't seem to find information about how to do it.

Thanks in advance for your time.

Ruslan Plastun

2 Answers

1

I'm currently working on a similar implementation and might be able to share some information from what I've learned. First, you can find an overview of the tokens used in Firebase here. What you need in order to access a Google API is an OAuth2 token. The standard token you obtain from the Firebase login, however, is a Firebase ID token, not an OAuth2 token.

There is an OAuth2 token involved when you use Sign In with Google on Firebase Auth but, as mentioned by Frank van Puffelen and also in this StackOverflow answer, Firebase Authentication "does not manage OAuth tokens for users". And as far as I understand, you just cannot get to the OAuth2 tokens within Firebase Auth.


EDIT: I just came across the last example in the docs for handling the Google sign in flow, where it says

> Then, you can also retrieve the Google provider's OAuth token by calling getRedirectResult when your page loads

I did not try this as I use the Google Sign In library but it seems that it is now possible to retrieve the OAuth2 token also directly from a Google Sign In with the Firebase Auth library. This corresponds to client-side authorization as you do not obtain a refresh token here.


What you can do, however, is to use the "Sign In With Google" library. It separates between authentication (who someone is, like Google account) and authorization (granting access to data, like calling a Google API). For obtaining the token to call Google APIs you need to implement the authorization flow. Here you have two options:

  • client-side authorization, called "implicit flow", where the token you obtain from the user giving consent in the Google pop-up is only a short-lived access token.
  • server-side authorization, called "authorization code flow" where you obtain a refresh token that you store in your database and use for obtaining access tokens over a longer period of time.

You can find a very helpful comparison of both authorization flows here. Which one you use is up to you. In any case, you end up with the access token you need in order to call a Google API on behalf of the user.

And now back to Firebase: Since you want to log your user also into Firebase, you can use the "manual" authentication with Firebase by passing the token you obtained from the Google Sign In library to signInWithCredential:

```javascript
// Firebase v9+ modular SDK imports used by the handler below.
import { getAuth, GoogleAuthProvider, signInWithCredential } from "firebase/auth";

const auth = getAuth();

// Callback invoked by the "Sign In With Google" library after the user signs in.
function handleCredentialResponse(response) {
  // Build Firebase credential with the Google ID token.
  const idToken = response.credential;
  const credential = GoogleAuthProvider.credential(idToken);

  // Sign in with credential from the Google user.
  signInWithCredential(auth, credential).catch((error) => {
    // Handle Errors here.
    const errorCode = error.code;
    const errorMessage = error.message;
    // The email of the user's account used.
    const email = error.email;
    // The credential that was used.
    const credential = GoogleAuthProvider.credentialFromError(error);
    // ...
  });
}
```

  • I needed to migrate my firebase app that syncs with a google calendar because of the deprecation of gapi.auth2. I just created an app using the step-by-step process outlined in the document. It does give you a token that you can then use to access a Google API. https://firebase.google.com/docs/auth/web/google-signin#handle_the_sign-in_flow_with_the_firebase_sdk – Greg Harner Nov 27 '22 at 03:53
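
The server-side "authorization code flow" described in the answer above, sketched as an added example that is not part of the original answer or of any Google library. It assumes Node 18+ (global `fetch`), an OAuth client ID, secret and redirect URI from your own Google Cloud project, and the read-only Sheets scope; the function names are illustrative.

```javascript
// Added example: function names are illustrative; client credentials are
// placeholders supplied by the caller and must stay on the server.
const TOKEN_URL = "https://oauth2.googleapis.com/token";
const SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets.readonly";

// Build the form-encoded POST that trades a one-time authorization code
// (or a stored refresh token) for an access token.
function buildTokenRequest(grant, { clientId, clientSecret, redirectUri }) {
  const body = new URLSearchParams({ client_id: clientId, client_secret: clientSecret });
  if (grant.code) {
    body.set("grant_type", "authorization_code");
    body.set("code", grant.code);
    body.set("redirect_uri", redirectUri);
  } else {
    body.set("grant_type", "refresh_token");
    body.set("refresh_token", grant.refreshToken);
  }
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  return { url: TOKEN_URL, init: { method: "POST", headers, body: body.toString() } };
}

// Build the Sheets read; the access token travels only in the Authorization header.
function buildSheetsRequest(accessToken, spreadsheetId, range) {
  const url = "https://sheets.googleapis.com/v4/spreadsheets/" +
    encodeURIComponent(spreadsheetId) + "/values/" + encodeURIComponent(range);
  return { url, init: { headers: { Authorization: "Bearer " + accessToken } } };
}

// Exchange the grant and refuse a token that lacks the scope we need.
async function getTokens(grant, client, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(grant, client);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok) throw new Error("token endpoint error: " + json.error);
  const granted = (json.scope || "").split(" ");
  if (!granted.includes(SHEETS_SCOPE)) throw new Error("Sheets scope not granted");
  return json; // { access_token, expires_in, refresh_token?, scope, ... }
}

// Read a range on behalf of the user who granted the token.
async function readValues(accessToken, spreadsheetId, range, fetchImpl = fetch) {
  const { url, init } = buildSheetsRequest(accessToken, spreadsheetId, range);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error("Sheets API returned HTTP " + res.status);
  return (await res.json()).values || [];
}
```

Store the `refresh_token` server-side only, keyed by the UID from the verified Firebase ID token, and return only the spreadsheet data to the browser.
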
0

To access a Google Spreadsheet you need an OAuth token for a Google user.

An ID token from Firebase Authentication identifies a Firebase user.

The two token types are not the same and each has its own set of users. You can't use a Firebase ID token to allow that Firebase Authentication user to access a Google Spreadsheet (or any other API that requires an OAuth token).

To access the Google Spreadsheet as that user, you'll need to use their OAuth token, which is the same token you used when signing the user in to Firebase on the client.

Frank van Puffelen
  • `which is the same token you used when signing the user in to Firebase on the client` not sure I understand it correctly, I have used `signInWithPopup` method from `firebase` npm package in react, what kind of OAuth token on client are you talking about? – Ruslan Plastun Aug 19 '22 at 16:01
  • Ah, so you're signing users in to Firebase on a web app (that's always good to mention in your question). In that case, the OAuth token is indeed more hidden from you than in native iOS and Android apps. This seems relevant: https://medium.com/google-cloud/using-google-apis-with-firebase-auth-and-firebase-ui-on-the-web-46e6189cf571 as does https://stackoverflow.com/questions/71106731/get-google-access-token-after-firebase-authorization – Frank van Puffelen Aug 19 '22 at 16:51