21

I'm having some issues doing an authenticated request to Firebase.

I have a token generated but when I send it to Firebase I always get an Unauthorized request. response when I send the access_token in the request. The strange part is that it works without the param.

I even tested with no access rules, but I get the same result.

When I send curl 'https://<PROJECTID>.firebaseio.com/events.json' I get the expect values back, but if I send curl 'https://<PROJECTID>.firebaseio.com/events.json?access_token=<TOKEN>' the answer is { "error" : "Unauthorized request." }

I've tried sending it in the header like curl -H "Authorization: Bearer <TOKEN>" https://<PROJECTID>.firebaseio.com/events.json but does not work either.

If I enforce some rules in the database the initial request with no token gives me { "error" : "Permission denied" } but I still get { "error" : "Unauthorized request." } if I send the token.

Any help would be much appreciated.

UPDATE

Managed to fix it. I was not getting the token properly. After checking this thread I noticed I was not sending https://www.googleapis.com/auth/userinfo.email in the scopes array when doing the request for the token. After adding it works fine.

UPDATE 2

As mentioned by Xin Meng this is pretty clear in the Firebase Authenticate REST Requests documentation as well.

Hash
  • 4,647
  • 5
  • 21
  • 39
adalberto
  • 213
  • 2
  • 9
  • I'm having similar issues with the AppEngine firebase database sample code. Looking at the Pyrebase python code it looks like the parameter should be ?auth= but that isn't working for me either. – Calvin Feb 17 '17 at 03:12
  • My issue was being caused by a call to `GoogleCredentials.get_application_default().create_scoped(_FIREBASE_SCOPES)`. I think this call adds authentication headers to http requests and it was doing it incorrectly. If you print the headers that curl is generating by default you might see something unwanted in there? – Calvin Feb 17 '17 at 05:18
  • @Calvin, `?auth=` works if I use the deprecated Firebase Secret. Will check the headers, though. Thanks. – adalberto Feb 17 '17 at 09:28
  • https://firebase.google.com/docs/database/rest/auth Official Document should be referenced for this issue. – Xin Meng Jan 09 '18 at 10:39
  • Could you please add your own answer as an answer and mark it as the accepted answer? Or, alternatively, mark the answer by @daniel-stenberg as the accepted answer? – EECOLOR Jun 10 '18 at 13:20

1 Answers1

0

This question is "self-answered", see bottom of question. This answer is here only here to make this question not get listed as "unanswered".

Daniel Stenberg
  • 54,736
  • 17
  • 146
  • 222