
I am building a Google Docs add-on.

I specifically need to access Firebase resources (e.g. Firestore) as the user that is logged in to Google Docs, and hence I need to have a Firebase ID token to access Firebase and not with "admin" access to Firebase using a service account, which most Firebase docs refer to when describing using a Google OAuth token directly.

In the add-on JS code I do this to get the current user's OAuth token:

```
var authToken = ScriptApp.getOAuthToken();
console.log("Auth TOK:"+authToken);
```

as described in the docs for the sample code from Google. This seems to work and gives me something that looks like a valid token.

I then try to exchange that for a Firebase ID token; for now I'm just trying this using curl:

```
curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=[API_KEY]' \
-H 'Content-Type: application/json' \
--data-binary '{"postBody":"id_token=[GOOGLE_ID_TOKEN]&providerId=[google.com]","requestUri":"[http://localhost]","returnIdpCredential":true,"returnSecureToken":true}'
```

The above is taken from the Firebase REST API documentation.

It's also basically the same as what is mentioned in another answer here and here.

BUT unfortunately it doesn't seem to work and I get an error response back:

```
{
  "error": {
    "code": 400,
    "message": "INVALID_IDP_RESPONSE : Invalid Idp Response: access_token audience is not for this project",
    "errors": [
      {
        "message": "INVALID_IDP_RESPONSE : Invalid Idp Response: access_token audience is not for this project",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
```

And in my Firebase project I have Google set as one of my sign-in providers.

As far as I know I have used the required scopes in my Apps Script appsscript.json:

```
{
  "timeZone": "America/New_York",
  "dependencies": {
  },
  "exceptionLogging": "STACKDRIVER",
  "oauthScopes": ["profile", "email", "openid","https://www.googleapis.com/auth/firebase" ,"https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/datastore", "https://www.googleapis.com/auth/documents.currentonly", "https://www.googleapis.com/auth/script.container.ui"],
  "runtimeVersion": "V8"
}
```

Would anyone have any idea of what I'm missing here? I guess there is something needed to tell Firebase to allow using Google OAuth tokens with my Firebase project?

Maks
  • Have you tried this [link](https://sites.google.com/site/scriptsexamples/new-connectors-to-google-services/firebase/tutorials/authenticate-via-oauth-2-access-token) and see if it works? – NightEye Apr 22 '22 at 04:28
  • The first three values of oauthScopes don't look to be valid (ref. https://developers.google.com/identity/protocols/oauth2/scopes) – Rubén Apr 22 '22 at 04:51
  • @OctaviaSima thanks for the link, but that article is about using OAuth with Firebase for admin access, i.e. with service accounts, whereas I specifically need to be able to access Firebase as the logged in user accessing the Google Doc. I'll update my question to make that more clear. – Maks Apr 22 '22 at 05:36
  • @Rubén no, turns out they are required; without those scopes I get: ``` { "error": { "code": 400, "message": "INVALID_IDP_RESPONSE : Failed to fetch resource from https://www.googleapis.com/oauth2/v1/userinfo, http status: 401, http response: {\n \"error\": {\n \"code\": 401,\n \"message\": \"Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.\",\n \"status\": \"UNAUTHENTICATED\"\n }\n}\n", ... ``` – Maks Apr 22 '22 at 06:04
  • It turns out that the error was due to the Google Doc Apps Script being in a **different** Google Cloud Project to the Firebase project. Once they are both in the same GCP it actually does work. I figured it out from seeing this answer: https://stackoverflow.com/a/63969462/85472 – Maks Apr 22 '22 at 06:05
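
The cause given in the last comment can be checked before calling `signInWithIdp`. The sketch below is an added example, not part of the original question or comments: it compares the `aud` claim of a tokeninfo response (as returned by `https://oauth2.googleapis.com/tokeninfo?access_token=...`) with the Firebase project number. It assumes Google OAuth client IDs have the form `<project-number>-<suffix>.apps.googleusercontent.com`; the function names, project numbers and tokeninfo sample are constructed for illustration.

```javascript
// Added example. All sample values are constructed placeholders.
// Assumption: OAuth client IDs look like
//   "<project-number>-<suffix>.apps.googleusercontent.com".

// Constructed tokeninfo response for an Apps Script access token.
const SAMPLE_TOKENINFO = {
  azp: "111111111111-abcexample.apps.googleusercontent.com",
  aud: "111111111111-abcexample.apps.googleusercontent.com",
  scope: "openid https://www.googleapis.com/auth/userinfo.email",
  expires_in: "3599",
};

// Error body as shown in the question (trimmed to the fields used here).
const SAMPLE_ERROR = {
  error: {
    code: 400,
    message: "INVALID_IDP_RESPONSE : Invalid Idp Response: access_token audience is not for this project",
  },
};

// Extract the Cloud project number embedded in the token's audience.
function audienceProjectNumber(tokeninfo) {
  const m = /^(\d+)-[^.]+\.apps\.googleusercontent\.com$/.exec(tokeninfo.aud || "");
  return m ? m[1] : null;
}

// Recognise the specific Identity Toolkit error from the question.
function isAudienceMismatch(errorBody) {
  const msg = (errorBody && errorBody.error && errorBody.error.message) || "";
  return msg.startsWith("INVALID_IDP_RESPONSE") && /audience is not for this project/.test(msg);
}

// Compare the token's issuing project with the Firebase project number
// (Firebase console: Project settings > General > Project number).
function diagnose(tokeninfo, firebaseProjectNumber, errorBody) {
  const tokenProject = audienceProjectNumber(tokeninfo);
  if (tokenProject === null) {
    return { ok: false, reason: "unrecognised aud format" };
  }
  if (tokenProject !== String(firebaseProjectNumber)) {
    return {
      ok: false,
      reason: "token issued for project " + tokenProject + ", Firebase project is " + firebaseProjectNumber,
      matchesError: isAudienceMismatch(errorBody),
    };
  }
  return { ok: true, reason: "token audience belongs to the Firebase project" };
}
```

In Apps Script the tokeninfo object would come from `JSON.parse(UrlFetchApp.fetch(url).getContentText())`; a mismatch means the script's Cloud project has to be switched to the Firebase project, as the comment describes.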
