在Go中验证Firebase实时数据库的服务帐户

Question

我正在尝试将新的Firebase实时数据库用于一个简单的日志记录应用程序。所有与数据库的交互将从我的服务器，所以我只需要一个帐户，可以读写任何东西。

据我所知(文档很糟糕--有大量文档，但它与自身矛盾，其中一半是用于“旧”Firebase的，而且通常使用的是一些您没有使用的随机语言)，我需要创建一个服务帐户，然后使用OAuth创建一个JWT令牌。幸运的是，Go有一些很好的内置库。这是我的代码：

const firebasePostUrl = "https://my-product-logging.firebaseio.com/tests.json"

// Obtained from the Google Cloud API Console
var firebaseServiceAccount map[string]string = map[string]string{
    "type":                        "service_account",
    "project_id":                  "my-product-logging",
    "private_key_id":              "1c35ac0c501617b8f1610113c492a5d3321f4318",
    "private_key":                 "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoblahblahhwWlteuRDrsxmRq+8\ncDGMKcXyDHl3nWdIrWqJcDw=\n-----END PRIVATE KEY-----\n",
    "client_email":                "log-user@my-product-logging.iam.gserviceaccount.com",
    "client_id":                   "101403085113430683797",
    "auth_uri":                    "https://accounts.google.com/o/oauth2/auth",
    "token_uri":                   "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url":        "https://www.googleapis.com/robot/v1/metadata/x509/log-user%40my-product-logging.iam.gserviceaccount.com",
}

func firebaseClient() *http.Client {
    jwtConfig := jwt.Config{
        // Email is the OAuth client identifier used when communicating with
        // the configured OAuth provider.
        Email: firebaseServiceAccount["client_email"],

        // PrivateKey contains the contents of an RSA private key or the
        // contents of a PEM file that contains a private key. The provided
        // private key is used to sign JWT payloads.
        // PEM containers with a passphrase are not supported.
        // Use the following command to convert a PKCS 12 file into a PEM.
        //
        //    $ openssl pkcs12 -in key.p12 -out key.pem -nodes
        //
        PrivateKey: []byte(firebaseServiceAccount["private_key"]),

        // PrivateKeyID contains an optional hint indicating which key is being
        // used.
        PrivateKeyID: firebaseServiceAccount["private_key_id"],

        // Subject is the optional user to impersonate.
        Subject: "",

        // Scopes optionally specifies a list of requested permission scopes.
        Scopes: []string{
            "https://www.googleapis.com/auth/devstorage.readonly",
        },

        // TokenURL is the endpoint required to complete the 2-legged JWT flow.
        TokenURL: firebaseServiceAccount["token_uri"],

        // Expires optionally specifies how long the token is valid for.
        Expires: 0,
    }

    ctx := context.Background()
    return jwtConfig.Client(ctx)
}

func firebaseFunc() {

    authedClient := firebaseClient()

    msg := map[string]string{
        "hello": "there",
        "every": "one",
    }

    data, err := json.Marshal(msg)
    if err != nil {
        log.Fatal("JSON Marshall Error: ", err)
        continue
    }

    resp, err := authedClient.Post(firebasePostUrl, "application/json", bytes.NewReader(data))
    if err != nil {
        log.Fatal("Firebase Error: ", err)
        continue
    }

    log.Print("Firebase Response Code: ", resp.StatusCode)
}

问题是，我总是会遇到这样的错误：

{
  "error" : "invalid_scope",
  "error_description" : "https://www.googleapis.com/auth/devstorage.readonly is not a valid audience string."
}

我假设它是一个错误是invalid_scope，的类型，并且描述说它是一个无效的audience (我假设JWT aud参数)。

我应该使用什么作为我的作用域来允许我读/写Firebase数据库(使用默认的"auth != null"规则)？

编辑:我终于找到了答案这里：

https://www.googleapis.com/auth/firebase

然而，现在它给了我403的回复，当我实际做这篇文章时。

{
  "error" : "Permission denied."
}

Answer 1

呃，我找到了无文件的答案这里。目前，您还需要这个范围：

https://www.googleapis.com/auth/userinfo.email