firebase-arduino
Implement support for token based auth
Since database secrets are now being deprecated, would it be possible to use the new token generation? Can it be done on ESP8266? -> Database secrets are currently deprecated and use a legacy Firebase token generator. Update your source code with the Firebase Admin SDK.
+1 for authentication with Firebase using password-based accounts
You may find it here http://stackoverflow.com/questions/37418372/firebase-where-is-my-account-secret-in-the-new-console
However, please develop this feature as database secret support is deprecated
Hi, I have the same issue. I can't use a token to connect to the Firebase database... Can I help me?
Do you have any plans to implement token-based auth? The issue has been open for the last 2.5 months 👎
Sorry for the late follow-up
It seems that the REST API only supports OAuth2.0 based auth, see https://firebase.google.com/docs/reference/rest/database/user-auth
In order to support it in the library we would need to:
- replace `?auth=` with `?access_token`
- embed `client_id`, `client_secret` in the sketch
- use a third-party tool (ex: oauth2playground) to initially generate the `access_token`/`refresh_token` pair
- embed the `refresh_token` in the sketch
- implement the refresh logic in the library since `access_token` expires after 1 hour
```http
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

client_id=...&
client_secret=...&
refresh_token=...&
grant_type=refresh_token
```
Will the new token based authentication be implemented in the future release?
Just found https://github.com/yutter/ArduinoJWT, which could make it easier to implement service account support directly on the ESP.
Can you please elaborate on how to use this? I'm new to this authorization thing and it's very confusing. I'm afraid that once the database secrets are fully deprecated, my software won't work anymore, so I'd like to implement token authorization as soon as possible.
Hi there, new to the rep and have been playing around with the library but also running into this authentication issue. Trying to set up a home control system that allows different people in my house to control ESP-based switches, but want to use user-based auth to limit access only to a subset of the database (e.g. those switches they're authorized to access). Seems well documented on the firebase side but this library can't handle authentication beyond the deprecated database secret. Very willing to help out with the issue but not sure where to start. :/ Cheers David
@davido1992 thanks for reaching out, I think a proper solution for this would be to either use oauth2 end user credentials or a jwt service account.
Sadly it looks like Firebase Admin custom tokens don't really work with the REST API.
@proppy, can you elaborate on how to use OAuth 2.0 on ESP? Is it doable with a 3rd party library or something? I intend to authenticate with the ESP on Firebase and create a user there, the same way I'd do with an iOS app or Android app. Thanks.
Does anybody have a working example of esp8266 connected to firebase?
@proppy can you provide end user credentials example please?
@beratuslu we would need to implement some refresh logic using the oauth2 endpoint: https://developers.google.com/identity/protocols/OAuth2InstalledApp#offline
Any news about this issue ?
@proppy please can you provide example...
Hi @beratuslu,
As described in https://github.com/firebase/firebase-arduino/issues/224#issuecomment-273981906 I think we should modify https://github.com/firebase/firebase-arduino/blob/master/src/Firebase.cpp#L91 to get a new refresh token when it expires.
Something like this could work:
```cpp
// Keep the connection open, then POST the refresh request to the OAuth 2.0 token endpoint.
http_->setReuseConnection(true);
http_->begin("www.googleapis.com", "/oauth2/v4/token");
http_->sendRequest("POST", "client_id=...&client_secret=...&refresh_token=...&grant_type=refresh_token");
```
And then insert the new access token in the Authorization header or in the query string (if the former doesn't work).
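The refresh flow proposed in the two comments above (the step list with the `POST /oauth2/v4/token` request, and the `http_` sketch), as an added example that is not code from the thread or from firebase-arduino: it builds the form-encoded refresh body, parses the token response, decides when to refresh ahead of the one-hour expiry, and appends `?access_token=` in place of `?auth=`. The names `AccessToken`, `formEncode`, `refreshBody`, `jsonField` and `parseTokenResponse` and the 60-second skew are assumptions; it uses only `std::string` with no network I/O, so it runs off-device.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>

// Percent-encode one form field (RFC 3986 unreserved characters pass through).
std::string formEncode(const std::string& in) {
  static const char hex[] = "0123456789ABCDEF";
  std::string out;
  for (unsigned char c : in) {
    if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') out += static_cast<char>(c);
    else { out += '%'; out += hex[c >> 4]; out += hex[c & 15]; }
  }
  return out;
}

struct AccessToken {
  std::string value;
  long expires_at = 0;  // epoch seconds
  // Refresh `skew` seconds early so no request goes out with a token about to expire.
  bool needsRefresh(long now, long skew = 60) const { return value.empty() || now >= expires_at - skew; }
  // Replaces the legacy "?auth=<secret>" suffix with "?access_token=<token>".
  std::string url(const std::string& path) const { return path + "?access_token=" + formEncode(value); }
};

// Body of the POST /oauth2/v4/token refresh request shown in the thread.
std::string refreshBody(const std::string& id, const std::string& secret, const std::string& refresh) {
  return "client_id=" + formEncode(id) + "&client_secret=" + formEncode(secret) +
         "&refresh_token=" + formEncode(refresh) + "&grant_type=refresh_token";
}

// Naive top-level JSON field lookup (assumption: a real sketch would use a JSON library).
std::string jsonField(const std::string& json, const std::string& key) {
  std::size_t v = json.find("\"" + key + "\"");
  if (v != std::string::npos) v = json.find(':', v + key.size() + 2);
  if (v != std::string::npos) v = json.find_first_not_of(" \t\r\n", v + 1);
  if (v == std::string::npos) return "";
  if (json[v] != '"') return json.substr(v, json.find_first_of(",} \r\n", v) - v);
  std::size_t end = json.find('"', v + 1);
  return end == std::string::npos ? "" : json.substr(v + 1, end - v - 1);
}

// Store a new token; on an error body keep the old one and report failure.
bool parseTokenResponse(const std::string& json, long now, AccessToken& tok) {
  std::string value = jsonField(json, "access_token");
  long ttl = std::atol(jsonField(json, "expires_in").c_str());
  bool ok = !value.empty() && ttl > 0;
  if (ok) { tok.value = value; tok.expires_at = now + ttl; }
  return ok;
}
```

A `client_secret` and `refresh_token` compiled into a sketch can be read back from the device's flash image, so each device should carry a refresh token that can be revoked on its own.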
@proppy Is the firebase-arduino library modified to use oauth2 instead and no secret key?
@proppy What if we generate access tokens from service accounts using a custom cloud function? They are free to use up to a certain amount. It is not an ideal solution since you still need to authenticate yourself to the cloud function in some way (which could be a shared secret given as a parameter), but that should be a choice of the user of this library.
@kotl I think we need something that the device can refresh.
Either by reusing the JWT Arduino integration from @gguuss's Cloud IoT Core library or embedding end user credentials (refresh_token) on the device and implementing OAuth2 refresh: https://developers.google.com/identity/protocols/OAuth2InstalledApp#offline
I'd be in favor of the former as it allows giving the device a dedicated identity (service account)
In order to support it in the library we would need to:
- replace `?auth=` with `?access_token`
- embed `client_id`, `client_secret` in the sketch
- use a third-party tool (ex: oauth2playground) to initially generate the `access_token`/`refresh_token` pair
- embed the `refresh_token` in the sketch
- implement the refresh logic in the library since `access_token` expire after 1 hour
I think the questions of creating Oauth tokens and using them should be kept separate. The suggested changes from @proppy would enable this project to use a provided token instead of a db secret.
How you get them does not matter for the implementation and can be determined at a later point.
Any news on this topic?
Any news about it? It's a core feature; without it even the simplest integration between Arduino and Firebase would not be possible. I'm praying for the guys who know/can implement this feature = ]
+1 this feature is a must-have!
@proppy
I've started exploring how can we get there. Managed to get ID token and then authenticated REST request to RTDB, generated through NodeJS, but without using anything from Firebase Admin / Client SDK. This means that we just need to translate this code into Arduino C++ and use ArduinoJWT library and one https request to get idToken. This simulates generation of custom tokens on the server side and then using signInWithCustomToken on client side, but all done on the client instead. I still believe a better way would be to do this through a Cloud Function that accepts parameters like email/password for generating access token, but we can probably support both methods eventually since once you have id token, it works.
In this sample you will need to copy sample_data.js into data.js and provide appropriate fields. https://github.com/kotl/firebase-arduino/tree/AUTH/contrib/auth Run 'node auth_jwt.js > test.sh' and then 'sh test.sh' will retrieve data from RTDB.
Updated July 15: turns out, we don't need to create tokens if we decide to use only email/password auth. In a new sample I made: https://github.com/kotl/firebase-arduino/blob/AUTH/contrib/auth/auth_email.js A simple https request to identity toolkit is all you need to mint idToken.
@kotl but we still need to implement refresh for the token as well?
@kotl
Hi, could you explain the implementation of your method? Where should I add this auth_email.js: into the project or upload to Firebase? Thanks in advance.
I would love for this to work - is there anything I can do to help?
Edited: After googling more about Firebase and cloud functions, I agreed with @kotl that using signInWithCustomToken will be the best solution, as we can get away with forgotten passwords or stupid passwords. IMHO, the authentication can be done from app/service/web; like many said, it doesn't matter once we have the first token, but it can possibly be done with these steps:
- App on mobile/PC connects to the device, authenticates the user.
- App gets the initial token (via createCustomToken(id)) or picks it up from the file as part of the sketch
- App saves the initial token (and maybe device id) and also to the ESP if it wasn't there
- ESP connects to Firebase with the initial token (and maybe device id)
Does anyone know how to get this library to work with an initial token for now? Have been playing around with @proppy's suggestion but it doesn't seem to work.
Any news :(