I am using my spreadsheet as an admin interface for my Firebase app, where I can authorize some user transactions on the app. The spreadsheet leverages Google apps script and cloud functions
I am able to send data back and forth on the spreadsheet and my backend and now, the next thing is to lock down access to the cloud functions HTTP URL to authorized users with admin attribute in custom claims set to true.
To do this, am hoping to send the user's OAuth token gotten from Google Apps Script API (ScriptApp.getOAuthToken()) as part of the request payload and use firebase rest API method https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=[API_KEY] to get the user's id token and other credentials in other to verify and authorise the admin user and the transaction.
const credentials = {
postBody: `id_token=${token}&providerId=google.com`,
requestUri: oAuthCredentials.web.redirect_uris[0],
returnIdpCredential: false,
returnSecureToken: true
}
APIRequest(IdentityUrls.signInWithOAuth, {
headers: {
'Content-Type': "application/json"
},
method: 'POST',
body: JSON.stringify(credentials)
}, (error, res) => {
...// perform actions here
})
The problem is that I keep getting INVALID_IDP_RESPONSE: The supplied auth credential is malformed or has expired. I am not sure why it's so and would appreciate help
I finally figured it out. What I am doing now is send the OAuth token as described in the question to the backend and make a POST request to token info endpoint with a payload of access_token: OAuth token. This returns a response with user email, email_verified, expiry_date etc. Then using this user email, I can get the userRecord on the Firebase Admin SDK which exposes a customClaims attribute. Read more about the solution here