Google Firebase announced its plan to terminate the usage of legacy Firebase Cloud Messaging (FCM) APIs by June 20, 2024.
As a result, the authorization of server requests will change (https://firebase.google.com/docs/cloud-messaging/migrate-v1#update-authorization-of-send-requests).
If you are using OneSpan Authentication Server (OAS) with Push Notification and Mobile Security Suite (MSS) or Mobile Authenticator Studio (MAS), you may be impacted by this change.
The authorization of server requests must be changed from a server key string to an OAuth 2.0 access token. In the case of OneSpan, the application runs in a non-Google server environment, so a service account JSON file from the Firebase project is needed for the authorization.
If you are using OAS with Push Notification and Mobile Authenticator (MA), this change has no impact on you.
In an installation with OAS, push notification and MAS or MSS, it is the Digipass Gateway component of the setup that communicates with FCM.
Since Digipass Gateway 5.0 (delivered with OAS 3.17), we support both legacy (also called GCM or Server key string) and OAuth 2.0 (FCM) authorization methods.
If you are still using the legacy method, you will have to change to FCM before June 20th, 2024.
To determine if you are already using the FCM method, run the command:
admintool type dpgateway push-notification list
The android-legacy entry should not be configured, and the android-fcm entry should point to a JSON file containing your service account private key, as demonstrated in the screenshot below.
Remark1: When both android-legacy and android-fcm are configured, android-fcm will be used.
We still advise removing the android-legacy entry once you have started using the android-fcm method.
Remark2: At the time of publishing this article, the oldest supported version of Digipass Gateway is version 5.4, shipped with OAS 3.21.
Please check https://www.onespan.com/support/security/product-life-cycle for details on supported versions.
Remark: See also Section 3.5.5, Configuring Push Notification Web Services, in the Digipass Gateway Getting Started guide.
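The service account JSON file that android-fcm points to can be sanity-checked before the switch. The script below is an added example, not part of the OneSpan tooling or documentation; it assumes a POSIX host and the usual field names of a Google service account key file, and SAMPLE holds constructed placeholder values.

```python
import json
import os
import stat
import sys

REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")

# Constructed sample with placeholder values; not a real key or project.
SAMPLE = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "firebase-adminsdk-xxxxx@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def check_service_account_file(path):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX permission bits only
        problems.append(f"mode {mode:03o} exposes the private key to group/other")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except ValueError:
        # A legacy server key string saved to a file ends up here.
        return problems + ["not a JSON document"]
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"]

    def text(key):
        value = data.get(key)
        return value.strip() if isinstance(value, str) else ""

    problems += [f"missing or empty field: {k}" for k in REQUIRED if not text(k)]
    if text("type") and text("type") != "service_account":
        problems.append(f"type is {text('type')!r}, expected 'service_account'")
    if text("private_key") and not text("private_key").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM 'BEGIN PRIVATE KEY' block")
    if text("token_uri") and not text("token_uri").startswith("https://"):
        problems.append("token_uri is not an https URL")
    return problems

if __name__ == "__main__":
    for p in sys.argv[1:]:  # paths of the files to check
        print(p, check_service_account_file(p) or "OK")
```

Run it with the path of the JSON file as argument; it prints OK or the list of findings, and never prints the key itself.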
Security Status: External
Document type: How To
Applies to: OneSpan Authentication Server / Digipass gateway / Push Notification
Support Case Reference: CS00156346 / OASL3S-1978 / TIDL3S-600