15

Swift + Vapor framework for server + Xcode 8.1

I am trying to read the Firebase Realtime Database by making HTTP requests to my DB, but I get permission denied.

These are the steps:
1. create a JWT and sign it with the secret key downloaded from "console.developers.google.com"
2. send a POST request to the OAuth2 server and get an access token
3. send a GET request to the Firebase database with the access token received from the OAuth2 server.

I get "Permission denied", HTTP/1.1 403 Forbidden

// the header of the JSON Web Token (first part of the JWT)
let headerJWT = ["alg":"RS256","typ":"JWT"]

// the claim set of the JSON Web Token (second part of the JWT)
let jwtClaimSet =
  ["iss":"firebase-adminsdk-kxx5h@fir-30c9e.iam.gserviceaccount.com",
   "scope":"https://www.googleapis.com/auth/firebase.database", //is this the correct API to access firebase database?
   "aud":"https://www.googleapis.com/oauth2/v4/token",
   "exp": expDate,
   "iat": iatDate]

drop.get("access") { request in
    // access token returned by the OAuth2 token endpoint in step 2
    let accesstoken = "ya29.ElqhA-....XXXX"

    // step 3: GET the node from the Realtime Database REST API with the token as a Bearer header
    let responseFirebase = try drop.client.get("https://fir-30c9e.firebaseio.com/data/Users.json",
                                               headers: ["Authorization":"Bearer \(accesstoken)"],
                                               query: [:])

    print("FirebaseResponse_is \(responseFirebase)")
    return "success"
}

Firebase Service Account, Firebase Database Rules

bibscy
  • @Frank van Puffelen Could you please shed your opinion as to why I can't get access to my Firebase Database? – bibscy Nov 27 '16 at 15:55

3 Answers

7

TLDR; Try placing auth=<TOKEN> in your query string instead of using the authorization header.


The Firebase documentation is unclear on how this works. According to the documentation, there are three methods that should work.

  1. auth=<TOKEN> in query string (link)
  2. access_token=<TOKEN> in query string (link)
  3. Authorization: Bearer <TOKEN> in request header (link)

I'm not convinced that all three methods do actually work, however. I'm using method 1 in my application, so I know that one works for sure.

nloewen
  • If I do `headers: [:], query: ["auth":"ya29.E...XXXX"])` I get 400 Bad Request. If I do `headers: [:], query: ["access_token":"ya29.ElqiA"])` I get 403 Forbidden. If I do `headers: ["Authorization":"Bearer \(accesstoken)"], query: [:])` , I get 403 Forbidden – bibscy Nov 26 '16 at 19:55
  • I also tried `curl https://fir-30c9e.firebaseio.com/data/Users.json?access_token=ya29.ElqiAz4TSV-FXkKpXOE636vk__pWx8y5pqZ5QYW.....and so on` and I get "error" : "Permission denied." – bibscy Nov 26 '16 at 20:05
  • I'm not sure then. If curl doesn't even work, perhaps your token is invalid? If you are using a hardcoded accesstoken, it may be expired. – nloewen Nov 28 '16 at 17:14
  • the `scope` key was missing value `https://www.googleapis.com/auth/userinfo.email` – bibscy Nov 29 '16 at 17:31
  • Yeah method 1 is the only one that works for me. I finally found where the auth= query parameter is documented: https://firebase.google.com/docs/database/rest/retrieve-data – Ben Ogorek May 14 '17 at 17:40
  • `auth` was the only one of the three methods that worked for me, too. Very confusing documentation from firebase. – AlexZ May 31 '17 at 20:58
6

The `scope` key was missing the value https://www.googleapis.com/auth/userinfo.email

 // scope must be a single space-separated string containing both scopes
 let jwtClaimSet =
   ["iss":"firebase-adminsdk-kxx5h@fir-30c9e.iam.gserviceaccount.com",
    "scope": "https://www.googleapis.com/auth/firebase.database https://www.googleapis.com/auth/userinfo.email",
    "aud":"https://www.googleapis.com/oauth2/v4/token",
    "exp": expDate,
    "iat": iatDate]

I found the answer browsing Google Groups here.

bibscy
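The three-step flow from the question, with the scope fix from this answer, as an added Python example that is not from the question or any answer. It builds the RS256 JWT assertion (the signer is passed in; the real one must return the RSA-SHA256 signature of the signing input made with the service account's private key), the form body for the token request, and the Realtime Database REST URL carrying the token in the `auth=` query parameter that the first answer reports as working.

```python
import base64
import json
from typing import Callable
from urllib.parse import urlencode

TOKEN_URI = "https://www.googleapis.com/oauth2/v4/token"
# Both scopes are needed: firebase.database alone produced "Permission denied" in the question.
FIREBASE_SCOPES = (
    "https://www.googleapis.com/auth/firebase.database",
    "https://www.googleapis.com/auth/userinfo.email",
)


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claim_set(client_email: str, now: int, lifetime: int = 3600) -> dict:
    """Claim set for the JWT bearer grant; scope is ONE space-separated string."""
    if lifetime > 3600:
        raise ValueError("Google rejects assertions valid for more than one hour")
    return {"iss": client_email, "scope": " ".join(FIREBASE_SCOPES),
            "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}


def build_assertion(claims: dict, sign_rs256: Callable[[bytes], bytes]) -> str:
    """Step 1: header.claims.signature. sign_rs256 must return the RSA-SHA256 signature
    of its input made with the service account's private key, e.g. with the cryptography
    package: key.sign(data, padding.PKCS1v15(), hashes.SHA256())."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url(sign_rs256(signing_input))}"


def token_request_body(assertion: str) -> str:
    """Step 2: form body of the POST to TOKEN_URI; the JSON reply carries access_token."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": assertion})


def firebase_rest_url(db_host: str, path: str, access_token: str) -> str:
    """Step 3: the token goes in the auth= query parameter, the method the answers confirm."""
    return f"https://{db_host}/{path.strip('/')}.json?" + urlencode({"auth": access_token})


def decode_claims(assertion: str) -> dict:
    """Read back the claim set so the scope can be checked before the token request."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Checking `decode_claims(assertion)["scope"]` before posting is a quick way to catch the missing second scope that caused the 403 in the question.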
0
headers: ["Authorization":"Authorization: Bearer \(accesstoken)"],

should be

headers: ["Authorization":"Bearer \(accesstoken)"],
Nikola.Lukovic
  • Can you try unwrapping accesstoken? `headers: ["Authorization":"Bearer \(accesstoken!)"]`; also print out your headers and post what they look like – Nikola.Lukovic Nov 25 '16 at 17:53
  • I cannot force unwrap `accesstoken` because it's not an optional. FirebaseResponse_is Response `- HTTP/1.1 403 Forbidden - Headers: Connection: keep-alive Cache-Control: no-cache Server: nginx Date: Fri, 25 Nov 2016 17:55:00 GMT Content-Type: application/json; charset=utf-8 Content-Length: 37 Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Access-Control-Allow-Origin: * - Body: { "error" : "Permission denied." }` – bibscy Nov 25 '16 at 17:56