search

googleapis / python-firestore

Apache License 2.0
214 stars 73 forks source link

StatusCode.UNAUTHENTICATED with Custom Token #37

Closed yeldarby closed 1 year ago

yeldarby commented 4 years ago

Environment details

Steps to reproduce

Get a token minted with the firebase_admin and try to use it with python-firestore

I think it's possible this is not the right type of token to use with google.oauth2.Credentials (but I can't find anywhere in the docs how to operate the Python library in user mode with the generated token if this isn't it.)

Code example

Generate a token:

Code taken from here

uid = 'eTpNiR...'
custom_token = auth.create_custom_token(uid)
# Returns something like eyJhbGciOiJSUzI1NiIs...

Try to use it somewhere else

from google.cloud import firestore
from google.oauth2 import credentials

# from firebase_admin
uid = "eTpNiR..."
custom_token = "eyJhbGciOiJSUzI1NiIs..."

cred = credentials.Credentials(custom_token)
db = firestore.Client("your-project", cred)

user_ref = db.collection('users').document(uid)
user_data = user_ref.get()
if user_doc.exists:
        print(user_data.to_dict())

Stack trace

Traceback (most recent call last):
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/api_core/grpc_helpers.py", line 57, in error_remapped_callable
    return callable_(*args, **kwargs)
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/grpc/_channel.py", line 826, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/grpc/_channel.py", line 729, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNAUTHENTICATED
    details = "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."
    debug_error_string = "{"created":"@1588017433.213155000","description":"Error received from peer ipv4:216.58.192.170:443","file":"src/core/lib/surface/call.cc","file_line":1056,"grpc_message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.","grpc_status":16}"
>

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "testFirestore.py", line 11, in <module>
    user_data = user_ref.get()
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/cloud/firestore_v1/document.py", line 451, in get
    metadata=self._client._rpc_metadata,
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/cloud/firestore_v1/gapic/firestore_client.py", line 335, in get_document
    request, retry=retry, timeout=timeout, metadata=metadata
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/api_core/gapic_v1/method.py", line 143, in __call__
    return wrapped_func(*args, **kwargs)
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
    on_error=on_error,
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/api_core/retry.py", line 184, in retry_target
    return target()
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/api_core/timeout.py", line 214, in func_with_timeout
    return func(*args, **kwargs)
  File "/Users/yeldarb/anaconda/lib/python3.6/site-packages/google/api_core/grpc_helpers.py", line 59, in error_remapped_callable
    six.raise_from(exceptions.from_grpc_error(exc), exc)
  File "<string>", line 3, in raise_from
google.api_core.exceptions.Unauthenticated: 401 Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
HemangChothani commented 4 years ago

@yeldarby I think you can't directly access REST APIs with a custom token. You need to sign in using the custom token, and obtain an ID token There are 2 ways to do this:

  1. Sign in from a Firebase Client SDK

  2. Use the Firebase Auth REST API

Then you can access the Firestore REST API with the resulting ID token:

https://firebase.google.com/docs/firestore/use-rest-api#working_with_firebase_id_tokens

HemangChothani commented 4 years ago

@yeldarby any update from your side?

yeldarby commented 4 years ago

We ended up using RTDB for the time being since Pyrebase liked these tokens.

I definitely still want to figure out if Firestore is an option for us though so I'll circle back later this week or early next to test what you recommended.

LeonardoRick commented 3 years ago

@HemangChothani Is there any library on python that connects the user to the firestore with this proper credentials? I can't find a library that doest that, which is easily made on front-end languages such as javacsript

meredithslota commented 1 year ago

For all Firebase libraries: https://firebase.google.com/docs/firestore/client/libraries For integrations: https://firebase.google.com/docs/firestore/library-integrations

If you are still having trouble with this after following Hemang's example, please file a new issue. Thanks!