Sign In With OAuth2 Via Firebase Rest Api Getting Rejected

I'm trying to sign in a user with OAuth2 via the Firebase REST API, from Google Apps Script. I'm using the apps-script-oauth2 library and have retrieved an access token with service.getAccessToken() (see getAccessToken docs).

However, when I post to the auth endpoint with the following code:

    var oAuthService = getOAuthService();
    // API_KEY stands in for the Firebase Web API key (shown as <API_KEY> in the original post).
    const createUserWithOAuthUrl = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion?key=' + API_KEY;
    const accessToken = oAuthService.getAccessToken();
    // Debugging only: this writes a live credential to the script log.
    Logger.log(accessToken);
    const requestUri = 'https://script.google.com/macros/d/' + SCRIPT_ID + '/usercallback';
    // postBody carries the Google access token that the endpoint verifies.
    const payload = JSON.stringify({
        "postBody": "access_token=" + accessToken + "&providerId=google.com",
        "requestUri": requestUri,
        "returnIdpCredential": true,
        "returnSecureToken": true
    });
    Logger.log(payload);
    const result = UrlFetchApp.fetch(createUserWithOAuthUrl, {
        method: 'post',
        contentType: 'application/json',
        muteHttpExceptions: true,
        // headers: {
        //   Authorization: 'Bearer ' + accessToken
        // },
        payload: payload
    });

I get this error:

"error": {
    "code": 400,
    "message": "INVALID_IDP_RESPONSE : Failed to fetch resource from https://www.googleapis.com/oauth2/v1/userinfo, http status: 401, http response: {\n  \"error\": {\n    \"code\": 401,\n    \"message\": \"Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.\",\n    \"status\": \"UNAUTHENTICATED\"\n  }\n}\n",

The OAuth process seems to go well as I go through the account selection/scopes review flow and get an authorized prompt.

I've followed the Firebase REST auth API docs and it looks like the way I'm doing this is correct, so I'm confused why it's being rejected. Any thoughts? Is there some way I can test the validity of my access_token? I've console logged it and it certainly looks token-like.

Answer

OK, so I just figured it out: it had to do with scopes.

Basically, during the Firebase sign-in with OAuth process, an automated call to the https://www.googleapis.com/oauth2/v1/userinfo API is made. This requires the following scopes:

https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile

I suppose Firebase wanted specific user details to add to the user account. Not sure why it complained about tokens instead of scopes, definitely threw me off there!
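An added example, not part of the original question or answer: one way to test an access token before posting it, by reading Google's tokeninfo response and checking for the two scopes named in the answer. The function names `checkTokenInfo` and `diagnoseAccessToken` are hypothetical, and the sample responses are constructed for illustration.

```javascript
// Scopes the answer above says the userinfo call needs.
const REQUIRED_SCOPES = [
  'https://www.googleapis.com/auth/userinfo.email',
  'https://www.googleapis.com/auth/userinfo.profile'
];

// Pure check over a parsed tokeninfo response. Returns a verdict object
// so the token itself never has to be written to a log.
function checkTokenInfo(info) {
  if (!info || info.error || info.error_description) {
    // tokeninfo answers with an error body for invalid or expired tokens.
    return { ok: false, reason: 'invalid_or_expired', missing: REQUIRED_SCOPES.slice() };
  }
  // "scope" is a space-separated list of the scopes actually granted.
  const granted = String(info.scope || '').split(/\s+/).filter(Boolean);
  const missing = REQUIRED_SCOPES.filter(function (s) {
    return granted.indexOf(s) === -1;
  });
  if (Number(info.expires_in) <= 0) {
    return { ok: false, reason: 'expired', missing: missing };
  }
  return missing.length
    ? { ok: false, reason: 'missing_scopes', missing: missing }
    : { ok: true, reason: 'ok', missing: [] };
}

// Apps Script wrapper: runs only inside Apps Script, where UrlFetchApp exists.
function diagnoseAccessToken(accessToken) {
  const resp = UrlFetchApp.fetch(
    'https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=' +
      encodeURIComponent(accessToken),
    { muteHttpExceptions: true });
  let info;
  try { info = JSON.parse(resp.getContentText()); } catch (e) { info = null; }
  return checkTokenInfo(info);
}

// Constructed sample responses (not real tokens or captured output).
const SAMPLE_NARROW = { aud: 'example-client-id', expires_in: '3512',
  scope: 'https://www.googleapis.com/auth/script.external_request' };
const SAMPLE_FULL = { aud: 'example-client-id', expires_in: '3512',
  scope: REQUIRED_SCOPES.join(' ') + ' openid' };
```

A `missing_scopes` verdict on a token that otherwise looks valid matches the situation in the question: the OAuth flow completes, but the userinfo call made on the token's behalf is refused.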

source: stackoverflow.com