1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
|
<html><body>
<style>
body, h1, h2, h3, div, span, p, pre, a {
margin: 0;
padding: 0;
border: 0;
font-weight: inherit;
font-style: inherit;
font-size: 100%;
font-family: inherit;
vertical-align: baseline;
}
body {
font-size: 13px;
padding: 1em;
}
h1 {
font-size: 26px;
margin-bottom: 1em;
}
h2 {
font-size: 24px;
margin-bottom: 1em;
}
h3 {
font-size: 20px;
margin-bottom: 1em;
margin-top: 1em;
}
pre, code {
line-height: 1.5;
font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}
pre {
margin-top: 0.5em;
}
h1, h2, h3, p {
font-family: Arial, sans serif;
}
h1, h2, h3 {
border-bottom: solid #CCC 1px;
}
.toc_element {
margin-top: 0.5em;
}
.firstline {
margin-left: 2 em;
}
.method {
margin-top: 1em;
border: solid 1px #CCC;
padding: 1em;
background: #EEE;
}
.details {
font-weight: bold;
font-size: 14px;
}
</style>
<h1><a href="identitytoolkit_v1.html">Identity Toolkit API</a> . <a href="identitytoolkit_v1.accounts.html">accounts</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
<code><a href="#close">close()</a></code></p>
<p class="firstline">Close httplib2 connections.</p>
<p class="toc_element">
<code><a href="#createAuthUri">createAuthUri(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">If an email identifier is specified, checks and returns if any user account is registered with the email. If there is a registered account, fetches all providers associated with the account's email. If the provider ID of an Identity Provider (IdP) is specified, creates an authorization URI for the IdP. The user can be directed to this URI to sign in with the IdP. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#delete">delete(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes a user's account.</p>
<p class="toc_element">
<code><a href="#issueSamlResponse">issueSamlResponse(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Experimental</p>
<p class="toc_element">
<code><a href="#lookup">lookup(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets account information for all matched accounts. For an end user request, retrieves the account of the end user. For an admin request with Google OAuth 2.0 credential, retrieves one or multiple account(s) with matching criteria.</p>
<p class="toc_element">
<code><a href="#resetPassword">resetPassword(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Resets the password of an account either using an out-of-band code generated by sendOobCode or by specifying the email and password of the account to be modified. Can also check the purpose of an out-of-band code without consuming it.</p>
<p class="toc_element">
<code><a href="#sendOobCode">sendOobCode(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Sends an out-of-band confirmation code for an account. Requests from a authenticated request can optionally return a link including the OOB code instead of sending it.</p>
<p class="toc_element">
<code><a href="#sendVerificationCode">sendVerificationCode(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Sends a SMS verification code for phone number sign-in. To localize the text of the SMS sent to the user, set the HTTP header `X-Firebase-Locale` to the language code that corresponds with the user's locale. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#signInWithCustomToken">signInWithCustomToken(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Signs in or signs up a user by exchanging a custom Auth token. Upon a successful sign-in or sign-up, a new Identity Platform ID token and refresh token are issued for the user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#signInWithEmailLink">signInWithEmailLink(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Signs in or signs up a user with a out-of-band code from an email link. If a user does not exist with the given email address, a user record will be created. If the sign-in succeeds, an Identity Platform ID and refresh token are issued for the authenticated user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#signInWithGameCenter">signInWithGameCenter(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Signs in or signs up a user with iOS Game Center credentials. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. The bundle ID is required in the request header as `x-ios-bundle-identifier`. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project. Apple has [deprecated the `playerID` field](https://developer.apple.com/documentation/gamekit/gkplayer/1521127-playerid/). The Apple platform Firebase SDK will use `gamePlayerID` and `teamPlayerID` from version 10.5.0 and onwards. Upgrading to SDK version 10.5.0 or later updates existing integrations that use `playerID` to instead use `gamePlayerID` and `teamPlayerID`. When making calls to `signInWithGameCenter`, you must include `playerID` along with the new fields `gamePlayerID` and `teamPlayerID` to successfully identify all existing users. Upgrading existing Game Center sign in integrations to SDK version 10.5.0 or later is irreversible.</p>
<p class="toc_element">
<code><a href="#signInWithIdp">signInWithIdp(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Signs in or signs up a user using credentials from an Identity Provider (IdP). This is done by manually providing an IdP credential, or by providing the authorization response obtained via the authorization request from CreateAuthUri. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. A new Identity Platform user account will be created if the user has not previously signed in to the IdP with the same account. In addition, when the "One account per email address" setting is enabled, there should not be an existing Identity Platform user account with the same email address for a new user account to be created. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#signInWithPassword">signInWithPassword(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Signs in a user with email and password. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#signInWithPhoneNumber">signInWithPhoneNumber(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Completes a phone number authentication attempt. If a user already exists with the given phone number, an ID token is minted for that user. Otherwise, a new user is created and associated with the phone number. This method may also be used to link a phone number to an existing user. To localize the text of the SMS sent to the user, set the HTTP header `X-Firebase-Locale` to the language code that corresponds with the user's locale. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#signUp">signUp(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Signs up a new email and password user or anonymous user, or upgrades an anonymous user to email and password. For an admin request with a Google OAuth 2.0 credential with the proper [permissions](https://cloud.google.com/identity-platform/docs/access-control), creates a new anonymous, email and password, or phone number user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<p class="toc_element">
<code><a href="#update">update(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.</p>
<p class="toc_element">
<code><a href="#verifyIosClient">verifyIosClient(body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Verifies an iOS client is a real iOS device. If the request is valid, a receipt will be sent in the response and a secret will be sent via Apple Push Notification Service. The client should send both of them back to certain Identity Platform APIs in a later call (for example, /accounts:sendVerificationCode), in order to verify the client. The bundle ID is required in the request header as `x-ios-bundle-identifier`. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.</p>
<h3>Method Details</h3>
<div class="method">
<code class="details" id="close">close()</code>
<pre>Close httplib2 connections.</pre>
</div>
<div class="method">
<code class="details" id="createAuthUri">createAuthUri(body=None, x__xgafv=None)</code>
<pre>If an email identifier is specified, checks and returns if any user account is registered with the email. If there is a registered account, fetches all providers associated with the account's email. If the provider ID of an Identity Provider (IdP) is specified, creates an authorization URI for the IdP. The user can be directed to this URI to sign in with the IdP. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for CreateAuthUri.
"appId": "A String",
"authFlowType": "A String", # Used for the Google provider. The type of the authentication flow to be used. If present, this should be `CODE_FLOW` to specify the authorization code flow. Otherwise, the default ID Token flow will be used.
"context": "A String", # An opaque string used to maintain contextual information between the authentication request and the callback from the IdP.
"continueUri": "A String", # A valid URL for the IdP to redirect the user back to. The URL cannot contain fragments or the reserved `state` query parameter.
"customParameter": { # Additional customized query parameters to be added to the authorization URI. The following parameters are reserved and cannot be added: `client_id`, `response_type`, `scope`, `redirect_uri`, `state`. For the Microsoft provider, the Azure AD tenant to sign-in to can be specified in the `tenant` custom parameter.
"a_key": "A String",
},
"hostedDomain": "A String", # Used for the Google provider. The G Suite hosted domain of the user in order to restrict sign-in to users at that domain.
"identifier": "A String", # The email identifier of the user account to fetch associated providers for. At least one of the fields `identifier` and `provider_id` must be set. The length of the email address should be less than 256 characters and in the format of `name@domain.tld`. The email address should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production.
"oauthConsumerKey": "A String",
"oauthScope": "A String", # Additional space-delimited OAuth 2.0 scopes specifying the scope of the authentication request with the IdP. Used for OAuth 2.0 IdPs. For the Google provider, the authorization code flow will be used if this field is set.
"openidRealm": "A String",
"otaApp": "A String",
"providerId": "A String", # The provider ID of the IdP for the user to sign in with. This should be a provider ID enabled for sign-in, which is either from the list of [default supported IdPs](https://cloud.google.com/identity-platform/docs/reference/rest/v2/defaultSupportedIdps/list), or of the format `oidc.*` or `saml.*`. Some examples are `google.com`, `facebook.com`, `oidc.testapp`, and `saml.testapp`. At least one of the fields `identifier` and `provider_id` must be set.
"sessionId": "A String", # A session ID that can be verified against in SignInWithIdp to prevent session fixation attacks. If absent, a random string will be generated and returned as the session ID.
"tenantId": "A String", # The ID of the Identity Platform tenant to create an authorization URI or lookup an email identifier for. If not set, the operation will be performed in the default Identity Platform instance in the project.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for CreateAuthUri.
"allProviders": [
"A String",
],
"authUri": "A String", # The authorization URI for the requested provider. Present only when a provider ID is set in the request.
"captchaRequired": True or False, # Whether a CAPTCHA is needed because there have been too many failed login attempts by the user. Present only when a registered email identifier is set in the request.
"forExistingProvider": True or False, # Whether the user has previously signed in with the provider ID in the request. Present only when a registered email identifier is set in the request.
"kind": "A String",
"providerId": "A String", # The provider ID from the request, if provided.
"registered": True or False, # Whether the email identifier represents an existing account. Present only when an email identifier is set in the request.
"sessionId": "A String", # The session ID from the request, or a random string generated by CreateAuthUri if absent. It is used to prevent session fixation attacks.
"signinMethods": [ # The list of sign-in methods that the user has previously used. Each element is one of `password`, `emailLink`, or the provider ID of an IdP. Present only when a registered email identifier is set in the request. If [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, this method returns an empty list.
"A String",
],
}</pre>
</div>
<div class="method">
<code class="details" id="delete">delete(body=None, x__xgafv=None)</code>
<pre>Deletes a user's account.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for DeleteAccount.
"delegatedProjectNumber": "A String",
"idToken": "A String", # The Identity Platform ID token of the account to delete. Require to be specified for requests from end users that lack Google OAuth 2.0 credential. Authenticated requests bearing a Google OAuth2 credential with proper permissions may pass local_id to specify the account to delete alternatively.
"localId": "A String", # The ID of user account to delete. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control). Requests from users lacking the credential should pass an ID token instead.
"targetProjectId": "A String", # The ID of the project which the account belongs to. Should only be specified in authenticated requests that specify local_id of an account.
"tenantId": "A String", # The ID of the tenant that the account belongs to, if applicable. Only require to be specified for authenticated requests bearing a Google OAuth 2.0 credential that specify local_id of an account that belongs to an Identity Platform tenant.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for DeleteAccount.
"kind": "A String",
}</pre>
</div>
<div class="method">
<code class="details" id="issueSamlResponse">issueSamlResponse(body=None, x__xgafv=None)</code>
<pre>Experimental
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for IssueSamlResponse.
"idToken": "A String", # The Identity Platform ID token. It will be verified and then converted to a new SAMLResponse.
"rpId": "A String", # Relying Party identifier, which is the audience of issued SAMLResponse.
"samlAppEntityId": "A String", # SAML app entity id specified in Google Admin Console for each app. If developers want to redirect to a third-party app rather than a G Suite app, they'll probably they need this. When it's used, we'll return a RelayState. This includes a SAMLRequest, which can be used to trigger a SP-initiated SAML flow to redirect to the real app.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response for IssueSamlResponse request.
"acsEndpoint": "A String", # The ACS endpoint which consumes the returned SAMLResponse.
"email": "A String", # Email of the user.
"firstName": "A String", # First name of the user.
"isNewUser": True or False, # Whether the logged in user was created by this request.
"lastName": "A String", # Last name of the user.
"relayState": "A String", # Generated RelayState.
"samlResponse": "A String", # Signed SAMLResponse created for the Relying Party.
}</pre>
</div>
<div class="method">
<code class="details" id="lookup">lookup(body=None, x__xgafv=None)</code>
<pre>Gets account information for all matched accounts. For an end user request, retrieves the account of the end user. For an admin request with Google OAuth 2.0 credential, retrieves one or multiple account(s) with matching criteria.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for GetAccountInfo.
"delegatedProjectNumber": "A String",
"email": [ # The email address of one or more accounts to fetch. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. Should only be specified by authenticated requests from a developer.
"A String",
],
"federatedUserId": [
{ # Federated user identifier at an Identity Provider.
"providerId": "A String", # The ID of supported identity providers. This should be a provider ID enabled for sign-in, which is either from the list of [default supported IdPs](https://cloud.google.com/identity-platform/docs/reference/rest/v2/defaultSupportedIdps/list), or of the format `oidc.*` or `saml.*`. Some examples are `google.com`, `facebook.com`, `oidc.testapp`, and `saml.testapp`.
"rawId": "A String", # The user ID of the account at the third-party Identity Provider specified by `provider_id`.
},
],
"idToken": "A String", # The Identity Platform ID token of the account to fetch. Require to be specified for requests from end users.
"initialEmail": [ # The initial email of one or more accounts to fetch. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. Should only be specified by authenticated requests from a developer.
"A String",
],
"localId": [ # The ID of one or more accounts to fetch. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"A String",
],
"phoneNumber": [ # The phone number of one or more accounts to fetch. Should only be specified by authenticated requests from a developer and should be in E.164 format, for example, +15555555555.
"A String",
],
"targetProjectId": "A String", # The ID of the Google Cloud project that the account or the Identity Platform tenant specified by `tenant_id` belongs to. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"tenantId": "A String", # The ID of the tenant that the account belongs to. Should only be specified by authenticated requests from a developer.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for GetAccountInfo.
"kind": "A String",
"users": [ # The information of specific user account(s) matching the parameters in the request.
{ # An Identity Platform account's information.
"createdAt": "A String", # The time, in milliseconds from epoch, when the account was created.
"customAttributes": "A String", # Custom claims to be added to any ID tokens minted for the account. Should be at most 1,000 characters in length and in valid JSON format.
"customAuth": True or False, # Output only. Whether this account has been authenticated using SignInWithCustomToken.
"dateOfBirth": "A String", # Output only. The date of birth set for the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"disabled": True or False, # Whether the account is disabled. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions.
"displayName": "A String", # The display name of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"email": "A String", # The account's email address. The length of the email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"emailLinkSignin": True or False, # Output only. Whether the account can authenticate with email link.
"emailVerified": True or False, # Whether the account's email address has been verified.
"initialEmail": "A String", # The first email address associated with this account. The account's initial email cannot be changed once set and is used to recover access to this account if lost via the RECOVER_EMAIL flow in GetOobCode. Should match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"language": "A String", # Output only. The language preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"lastLoginAt": "A String", # The last time, in milliseconds from epoch, this account was logged into.
"lastRefreshAt": "A String", # Timestamp when an ID token was last minted for this account.
"localId": "A String", # Immutable. The unique ID of the account.
"mfaInfo": [ # Information on which multi-factor authentication providers are enabled for this account.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"passwordHash": "A String", # The account's hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"passwordUpdatedAt": 3.14, # The timestamp, in milliseconds from the epoch of 1970-01-01T00:00:00Z, when the account's password was last updated.
"phoneNumber": "A String", # The account's phone number.
"photoUrl": "A String", # The URL of the account's profile photo. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"providerUserInfo": [ # Information about the user as provided by various Identity Providers.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"rawPassword": "A String", # Input only. Plain text password used to update a account's password. This field is only ever used as input in a request. Identity Platform uses cryptographically secure hashing when managing passwords and will never store or transmit a user's password in plain text.
"salt": "A String", # The account's password salt. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
"screenName": "A String", # Output only. This account's screen name at Twitter or login name at GitHub.
"tenantId": "A String", # ID of the tenant this account belongs to. Only set if this account belongs to a tenant.
"timeZone": "A String", # Output only. The time zone preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"validSince": "A String", # Oldest timestamp, in seconds since epoch, that an ID token should be considered valid. All ID tokens issued before this time are considered invalid.
"version": 42, # The version of the account's password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
},
],
}</pre>
</div>
<div class="method">
<code class="details" id="resetPassword">resetPassword(body=None, x__xgafv=None)</code>
<pre>Resets the password of an account either using an out-of-band code generated by sendOobCode or by specifying the email and password of the account to be modified. Can also check the purpose of an out-of-band code without consuming it.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for ResetPassword.
"email": "A String", # Optional. The email of the account to be modified. Specify this and the old password in order to change an account's password without using an out-of-band code.
"newPassword": "A String", # The new password to be set for this account. Specifying this field will result in a change to the account and consume the out-of-band code if one was specified and it was of type PASSWORD_RESET.
"oldPassword": "A String", # The current password of the account to be modified. Specify this and email to change an account's password without using an out-of-band code.
"oobCode": "A String", # An out-of-band (OOB) code generated by GetOobCode request. Specify only this parameter (or only this parameter and a tenant ID) to get the out-of-band code's type in the response without mutating the account's state. Only a PASSWORD_RESET out-of-band code can be consumed via this method.
"tenantId": "A String", # Optional. The tenant ID of the Identity Platform tenant the account belongs to.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for ResetPassword.
"email": "A String", # The email associated with the out-of-band code that was used.
"kind": "A String",
"mfaInfo": { # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
"newEmail": "A String",
"requestType": "A String",
}</pre>
</div>
<div class="method">
<code class="details" id="sendOobCode">sendOobCode(body=None, x__xgafv=None)</code>
<pre>Sends an out-of-band confirmation code for an account. Requests from a authenticated request can optionally return a link including the OOB code instead of sending it.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for GetOobCode.
"androidInstallApp": True or False, # If an associated android app can handle the OOB code, whether or not to install the android app on the device where the link is opened if the app is not already installed.
"androidMinimumVersion": "A String", # If an associated android app can handle the OOB code, the minimum version of the app. If the version on the device is lower than this version then the user is taken to Google Play Store to upgrade the app.
"androidPackageName": "A String", # If an associated android app can handle the OOB code, the Android package name of the android app that will handle the callback when this OOB code is used. This will allow the correct app to open if it is already installed, or allow Google Play Store to open to the correct app if it is not yet installed.
"canHandleCodeInApp": True or False, # When set to true, the OOB code link will be be sent as a Universal Link or an Android App Link and will be opened by the corresponding app if installed. If not set, or set to false, the OOB code will be sent to the web widget first and then on continue will redirect to the app if installed.
"captchaResp": "A String", # For a PASSWORD_RESET request, a reCaptcha response is required when the system detects possible abuse activity. In those cases, this is the response from the reCaptcha challenge used to verify the caller.
"challenge": "A String",
"clientType": "A String", # The client type: web, Android or iOS. Required when reCAPTCHA Enterprise protection is enabled.
"continueUrl": "A String", # The Url to continue after user clicks the link sent in email. This is the url that will allow the web widget to handle the OOB code.
"dynamicLinkDomain": "A String", # In order to ensure that the url used can be easily opened up in iOS or android, we create a [Firebase Dynamic Link](https://firebase.google.com/docs/dynamic-links). Most Identity Platform projects will only have one Dynamic Link domain enabled, and can leave this field blank. This field contains a specified Dynamic Link domain for projects that have multiple enabled.
"email": "A String", # The account's email address to send the OOB code to, and generally the email address of the account that needs to be updated. Required for PASSWORD_RESET, EMAIL_SIGNIN, and VERIFY_EMAIL. Only required for VERIFY_AND_CHANGE_EMAIL requests when return_oob_link is set to true. In this case, it is the original email of the user.
"iOSAppStoreId": "A String", # If an associated iOS app can handle the OOB code, the App Store id of this app. This will allow App Store to open to the correct app if the app is not yet installed.
"iOSBundleId": "A String", # If an associated iOS app can handle the OOB code, the iOS bundle id of this app. This will allow the correct app to open if it is already installed.
"idToken": "A String", # An ID token for the account. It is required for VERIFY_AND_CHANGE_EMAIL and VERIFY_EMAIL requests unless return_oob_link is set to true.
"linkDomain": "A String", # Optional. In order to ensure that the url used can be easily opened in iOS or Android, we create a Hosting link '/__/auth/links'. This optional field contains the domain to use when constructing a Hosting link. If not set, '.firebaseapp.com' domain will be used.
"newEmail": "A String", # The email address the account is being updated to. Required only for VERIFY_AND_CHANGE_EMAIL requests.
"recaptchaVersion": "A String", # The reCAPTCHA version of the reCAPTCHA token in the captcha_response.
"requestType": "A String", # Required. The type of out-of-band (OOB) code to send. Depending on this value, other fields in this request will be required and/or have different meanings. There are 4 different OOB codes that can be sent: * PASSWORD_RESET * EMAIL_SIGNIN * VERIFY_EMAIL * VERIFY_AND_CHANGE_EMAIL
"returnOobLink": True or False, # Whether the confirmation link containing the OOB code should be returned in the response (no email is sent). Used when a developer wants to construct the email template and send it on their own. By default this is false; to specify this field, and to set it to true, it requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control)
"targetProjectId": "A String", # The Project ID of the Identity Platform project which the account belongs to. To specify this field, it requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"tenantId": "A String", # The tenant ID of the Identity Platform tenant the account belongs to.
"userIp": "A String", # The IP address of the caller. Required only for PASSWORD_RESET requests.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for GetOobCode.
"email": "A String", # If return_oob_link is false in the request, the email address the verification was sent to.
"kind": "A String",
"oobCode": "A String", # If return_oob_link is true in the request, the OOB code to send.
"oobLink": "A String", # If return_oob_link is true in the request, the OOB link to be sent to the user. This returns the constructed link including [Firebase Dynamic Link](https://firebase.google.com/docs/dynamic-links) related parameters.
}</pre>
</div>
<div class="method">
<code class="details" id="sendVerificationCode">sendVerificationCode(body=None, x__xgafv=None)</code>
<pre>Sends a SMS verification code for phone number sign-in. To localize the text of the SMS sent to the user, set the HTTP header `X-Firebase-Locale` to the language code that corresponds with the user's locale. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SendVerificationCode. 'captcha_response' is required when reCAPTCHA enterprise is enabled, or otherwise at least one of (`ios_receipt` and `ios_secret`), `recaptcha_token`, or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator.
"autoRetrievalInfo": { # The information required to auto-retrieve an SMS. # Android only. Used by Google Play Services to identify the app for auto-retrieval.
"appSignatureHash": "A String", # The Android app's signature hash for Google Play Service's SMS Retriever API.
},
"captchaResponse": "A String", # Optional. The reCAPTCHA Enterprise token provided by the reCAPTCHA client-side integration. Required when reCAPTCHA enterprise is enabled.
"clientType": "A String", # Optional. The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled.
"iosReceipt": "A String", # Receipt of successful iOS app token validation. At least one of (`ios_receipt` and `ios_secret`), `recaptcha_token`, or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). This should come from the response of verifyIosClient. If present, the caller should also provide the `ios_secret`, as well as a bundle ID in the `x-ios-bundle-identifier` header, which must match the bundle ID from the verifyIosClient request.
"iosSecret": "A String", # Secret delivered to iOS app as a push notification. Should be passed with an `ios_receipt` as well as the `x-ios-bundle-identifier` header.
"phoneNumber": "A String", # The phone number to send the verification code to in E.164 format.
"playIntegrityToken": "A String", # Android only. Used to assert application identity in place of a recaptcha token (and safety_net_token). At least one of (`ios_receipt` and `ios_secret`), `recaptcha_token`, , or `play_integrity_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). A Play Integrity Token can be generated via the [PlayIntegrity API](https://developer.android.com/google/play/integrity) with applying SHA256 to the `phone_number` field as the nonce.
"recaptchaToken": "A String", # Recaptcha token for app verification. At least one of (`ios_receipt` and `ios_secret`), `recaptcha_token`, or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). The recaptcha should be generated by calling getRecaptchaParams and the recaptcha token will be generated on user completion of the recaptcha challenge.
"recaptchaVersion": "A String", # Optional. The reCAPTCHA version of the reCAPTCHA token in the captcha_response. Required when reCAPTCHA Enterprise is enabled.
"safetyNetToken": "A String", # Android only. Used to assert application identity in place of a recaptcha token. At least one of (`ios_receipt` and `ios_secret`), `recaptcha_token`, or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). A SafetyNet Token can be generated via the [SafetyNet Android Attestation API](https://developer.android.com/training/safetynet/attestation.html), with the Base64 encoding of the `phone_number` field as the nonce.
"tenantId": "A String", # Tenant ID of the Identity Platform tenant the user is signing in to.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SendVerificationCode.
"sessionInfo": "A String", # Encrypted session information. This can be used in signInWithPhoneNumber to authenticate the phone number.
}</pre>
</div>
<div class="method">
<code class="details" id="signInWithCustomToken">signInWithCustomToken(body=None, x__xgafv=None)</code>
<pre>Signs in or signs up a user by exchanging a custom Auth token. Upon a successful sign-in or sign-up, a new Identity Platform ID token and refresh token are issued for the user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignInWithCustomToken.
"delegatedProjectNumber": "A String",
"instanceId": "A String",
"returnSecureToken": True or False, # Should always be true.
"tenantId": "A String", # The ID of the Identity Platform tenant the user is signing in to. If present, the ID should match the tenant_id in the token.
"token": "A String", # Required. The custom Auth token asserted by the developer. The token should be a [JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) that includes the claims listed in the [API reference](https://cloud.google.com/identity-platform/docs/reference/rest/client/) under the "Custom Token Claims" section.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignInWithCustomToken.
"expiresIn": "A String", # The number of seconds until the ID token expires.
"idToken": "A String", # An Identity Platform ID token for the authenticated user.
"isNewUser": True or False, # Whether the authenticated user was created by this request.
"kind": "A String",
"refreshToken": "A String", # An Identity Platform refresh token for the authenticated user.
}</pre>
</div>
<div class="method">
<code class="details" id="signInWithEmailLink">signInWithEmailLink(body=None, x__xgafv=None)</code>
<pre>Signs in or signs up a user with a out-of-band code from an email link. If a user does not exist with the given email address, a user record will be created. If the sign-in succeeds, an Identity Platform ID and refresh token are issued for the authenticated user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignInWithEmailLink
"email": "A String", # Required. The email address the sign-in link was sent to. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production.
"idToken": "A String", # A valid ID token for an Identity Platform account. If passed, this request will link the email address to the user represented by this ID token and enable sign-in with email link on the account for the future.
"oobCode": "A String", # Required. The out-of-band code from the email link.
"tenantId": "A String", # The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignInWithEmailLink.
"email": "A String", # The email the user signed in with. Always present in the response.
"expiresIn": "A String", # The number of seconds until the ID token expires.
"idToken": "A String", # An Identity Platform ID token for the authenticated user.
"isNewUser": True or False, # Whether the authenticated user was created by this request.
"kind": "A String",
"localId": "A String", # The ID of the authenticated user. Always present in the response.
"mfaInfo": [ # Info on which multi-factor authentication providers are enabled. Present if the user needs to complete the sign-in using multi-factor authentication.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"mfaPendingCredential": "A String", # An opaque string that functions as proof that the user has successfully passed the first factor check.
"refreshToken": "A String", # Refresh token for the authenticated user.
}</pre>
</div>
<div class="method">
<code class="details" id="signInWithGameCenter">signInWithGameCenter(body=None, x__xgafv=None)</code>
<pre>Signs in or signs up a user with iOS Game Center credentials. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. The bundle ID is required in the request header as `x-ios-bundle-identifier`. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project. Apple has [deprecated the `playerID` field](https://developer.apple.com/documentation/gamekit/gkplayer/1521127-playerid/). The Apple platform Firebase SDK will use `gamePlayerID` and `teamPlayerID` from version 10.5.0 and onwards. Upgrading to SDK version 10.5.0 or later updates existing integrations that use `playerID` to instead use `gamePlayerID` and `teamPlayerID`. When making calls to `signInWithGameCenter`, you must include `playerID` along with the new fields `gamePlayerID` and `teamPlayerID` to successfully identify all existing users. Upgrading existing Game Center sign in integrations to SDK version 10.5.0 or later is irreversible.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignInWithGameCenter
"displayName": "A String", # The user's Game Center display name.
"gamePlayerId": "A String", # The user's Game Center game player ID. A unique identifier for a player of the game. https://developer.apple.com/documentation/gamekit/gkplayer/3113960-gameplayerid
"idToken": "A String", # A valid ID token for an Identity Platform account. If present, this request will link the Game Center player ID to the account represented by this ID token.
"playerId": "A String", # Required. The user's Game Center player ID. Deprecated by Apple. Pass `playerID` along with `gamePlayerID` and `teamPlayerID` to initiate the migration of a user's Game Center player ID to `gamePlayerID`.
"publicKeyUrl": "A String", # Required. The URL to fetch the Apple public key in order to verify the given signature is signed by Apple.
"salt": "A String", # Required. A random string used to generate the given signature.
"signature": "A String", # Required. The verification signature data generated by Apple.
"teamPlayerId": "A String", # The user's Game Center team player ID. A unique identifier for a player of all the games that you distribute using your developer account. https://developer.apple.com/documentation/gamekit/gkplayer/3174857-teamplayerid
"tenantId": "A String", # The ID of the Identity Platform tenant the user is signing in to.
"timestamp": "A String", # Required. The time when the signature was created by Apple, in milliseconds since the epoch.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignInWithGameCenter
"displayName": "A String", # Display name of the authenticated user.
"expiresIn": "A String", # The number of seconds until the ID token expires.
"gamePlayerId": "A String", # The user's Game Center game player ID. A unique identifier for a player of the game. https://developer.apple.com/documentation/gamekit/gkplayer/3113960-gameplayerid
"idToken": "A String", # An Identity Platform ID token for the authenticated user.
"isNewUser": True or False, # Whether the logged in user was created by this request.
"localId": "A String", # The ID of the authenticated user. Always present in the response.
"playerId": "A String", # The user's Game Center player ID. Pass `playerID` along with `gamePlayerID` and `teamPlayerID` to initiate the migration of a user's Game Center player ID to `gamePlayerID`.
"refreshToken": "A String", # An Identity Platform refresh token for the authenticated user.
"teamPlayerId": "A String", # The user's Game Center team player ID. A unique identifier for a player of all the games that you distribute using your developer account. https://developer.apple.com/documentation/gamekit/gkplayer/3174857-teamplayerid
}</pre>
</div>
<div class="method">
<code class="details" id="signInWithIdp">signInWithIdp(body=None, x__xgafv=None)</code>
<pre>Signs in or signs up a user using credentials from an Identity Provider (IdP). This is done by manually providing an IdP credential, or by providing the authorization response obtained via the authorization request from CreateAuthUri. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. A new Identity Platform user account will be created if the user has not previously signed in to the IdP with the same account. In addition, when the "One account per email address" setting is enabled, there should not be an existing Identity Platform user account with the same email address for a new user account to be created. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignInWithIdp.
"autoCreate": True or False,
"delegatedProjectNumber": "A String",
"idToken": "A String", # A valid Identity Platform ID token. If passed, the user's account at the IdP will be linked to the account represented by this ID token.
"pendingIdToken": "A String",
"pendingToken": "A String", # An opaque string from a previous SignInWithIdp response. If set, it can be used to repeat the sign-in operation from the previous SignInWithIdp operation. This may be present if the user needs to confirm their account information as part of a previous federated login attempt, or perform account linking.
"postBody": "A String", # If the user is signing in with an authorization response obtained via a previous CreateAuthUri authorization request, this is the body of the HTTP POST callback from the IdP, if present. Otherwise, if the user is signing in with a manually provided IdP credential, this should be a URL-encoded form that contains the credential (e.g. an ID token or access token for OAuth 2.0 IdPs) and the provider ID of the IdP that issued the credential. For example, if the user is signing in to the Google provider using a Google ID token, this should be set to id_token`=[GOOGLE_ID_TOKEN]&providerId=google.com`, where `[GOOGLE_ID_TOKEN]` should be replaced with the Google ID token. If the user is signing in to the Facebook provider using a Facebook authentication token, this should be set to id_token`=[FACEBOOK_AUTHENTICATION_TOKEN]&providerId=facebook. com&nonce= [NONCE]`, where `[FACEBOOK_AUTHENTICATION_TOKEN]` should be replaced with the Facebook authentication token. Nonce is required for validating the token. The request will fail if no nonce is provided. If the user is signing in to the Facebook provider using a Facebook access token, this should be set to access_token`=[FACEBOOK_ACCESS_TOKEN]&providerId=facebook. com`, where `[FACEBOOK_ACCESS_TOKEN]` should be replaced with the Facebook access token. If the user is signing in to the Twitter provider using a Twitter OAuth 1.0 credential, this should be set to access_token`=[TWITTER_ACCESS_TOKEN]&oauth_token_secret= [TWITTER_TOKEN_SECRET]&providerId=twitter.com`, where `[TWITTER_ACCESS_TOKEN]` and `[TWITTER_TOKEN_SECRET]` should be replaced with the Twitter OAuth access token and Twitter OAuth token secret respectively.
"requestUri": "A String", # Required. The URL to which the IdP redirects the user back. This can be set to `http://localhost` if the user is signing in with a manually provided IdP credential.
"returnIdpCredential": True or False, # Whether or not to return OAuth credentials from the IdP on the following errors: `FEDERATED_USER_ID_ALREADY_LINKED` and `EMAIL_EXISTS`.
"returnRefreshToken": True or False, # Whether or not to return the OAuth refresh token from the IdP, if available.
"returnSecureToken": True or False, # Should always be true.
"sessionId": "A String", # The session ID returned from a previous CreateAuthUri call. This field is verified against that session ID to prevent session fixation attacks. Required if the user is signing in with an authorization response from a previous CreateAuthUri authorization request.
"tenantId": "A String", # The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignInWithIdp.
"context": "A String", # The opaque string set in CreateAuthUri that is used to maintain contextual information between the authentication request and the callback from the IdP.
"dateOfBirth": "A String", # The date of birth for the user's account at the IdP.
"displayName": "A String", # The display name for the user's account at the IdP.
"email": "A String", # The email address of the user's account at the IdP.
"emailRecycled": True or False, # Whether or not there is an existing Identity Platform user account with the same email address but linked to a different account at the same IdP. Only present if the "One account per email address" setting is enabled and the email address at the IdP is verified.
"emailVerified": True or False, # Whether the user account's email address is verified.
"errorMessage": "A String", # The error message returned if `return_idp_credential` is set to `true` and either the `FEDERATED_USER_ID_ALREADY_LINKED` or `EMAIL_EXISTS` error is encountered. This field's value is either `FEDERATED_USER_ID_ALREADY_LINKED` or `EMAIL_EXISTS`.
"expiresIn": "A String", # The number of seconds until the Identity Platform ID token expires.
"federatedId": "A String", # The user's account ID at the IdP. Always present in the response.
"firstName": "A String", # The first name for the user's account at the IdP.
"fullName": "A String", # The full name for the user's account at the IdP.
"idToken": "A String", # An Identity Platform ID token for the authenticated user.
"inputEmail": "A String",
"isNewUser": True or False, # Whether or not a new Identity Platform account was created for the authenticated user.
"kind": "A String",
"language": "A String", # The language preference for the user's account at the IdP.
"lastName": "A String", # The last name for the user's account at the IdP.
"localId": "A String", # The ID of the authenticated Identity Platform user. Always present in the response.
"mfaInfo": [ # Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"mfaPendingCredential": "A String", # An opaque string that functions as proof that the user has successfully passed the first factor authentication.
"needConfirmation": True or False, # Whether or not there is an existing Identity Platform user account with the same email address as the current account signed in at the IdP, and the account's email address is not verified at the IdP. The user will need to sign in to the existing Identity Platform account and then link the current credential from the IdP to it. Only present if the "One account per email address" setting is enabled.
"needEmail": True or False,
"nickName": "A String", # The nickname for the user's account at the IdP.
"oauthAccessToken": "A String", # The OAuth access token from the IdP, if available.
"oauthAuthorizationCode": "A String", # The OAuth 2.0 authorization code, if available. Only present for the Google provider.
"oauthExpireIn": 42, # The number of seconds until the OAuth access token from the IdP expires.
"oauthIdToken": "A String", # The OpenID Connect ID token from the IdP, if available.
"oauthRefreshToken": "A String", # The OAuth 2.0 refresh token from the IdP, if available and `return_refresh_token` is set to `true`.
"oauthTokenSecret": "A String", # The OAuth 1.0 token secret from the IdP, if available. Only present for the Twitter provider.
"originalEmail": "A String", # The main (top-level) email address of the user's Identity Platform account, if different from the email address at the IdP. Only present if the "One account per email address" setting is enabled.
"pendingToken": "A String", # An opaque string that can be used as a credential from the IdP the user is signing into. The pending token obtained here can be set in a future SignInWithIdp request to sign the same user in with the IdP again.
"photoUrl": "A String", # The URL of the user's profile picture at the IdP.
"providerId": "A String", # The provider ID of the IdP that the user is signing in to. Always present in the response.
"rawUserInfo": "A String", # The stringified JSON response containing all the data corresponding to the user's account at the IdP.
"refreshToken": "A String", # An Identity Platform refresh token for the authenticated user.
"screenName": "A String", # The screen name for the user's account at the Twitter IdP or the login name for the user's account at the GitHub IdP.
"tenantId": "A String", # The value of the `tenant_id` field in the request.
"timeZone": "A String", # The time zone for the user's account at the IdP.
"verifiedProvider": [ # A list of provider IDs that the user can sign in to in order to resolve a `need_confirmation` error. Only present if `need_confirmation` is set to `true`.
"A String",
],
}</pre>
</div>
<div class="method">
<code class="details" id="signInWithPassword">signInWithPassword(body=None, x__xgafv=None)</code>
<pre>Signs in a user with email and password. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignInWithPassword.
"captchaChallenge": "A String",
"captchaResponse": "A String", # The reCAPTCHA token provided by the reCAPTCHA client-side integration. reCAPTCHA Enterprise uses it for risk assessment. Required when reCAPTCHA Enterprise is enabled.
"clientType": "A String", # The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled.
"delegatedProjectNumber": "A String",
"email": "A String", # Required. The email the user is signing in with. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production.
"idToken": "A String",
"instanceId": "A String",
"password": "A String", # Required. The password the user provides to sign in to the account.
"pendingIdToken": "A String",
"recaptchaVersion": "A String", # The reCAPTCHA version of the reCAPTCHA token in the captcha_response.
"returnSecureToken": True or False, # Should always be true.
"tenantId": "A String", # The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform instance in the project.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignInWithPassword.
"displayName": "A String", # The user's display name stored in the account's attributes.
"email": "A String", # The email of the authenticated user. Always present in the response.
"expiresIn": "A String", # The number of seconds until the Identity Platform ID token expires.
"idToken": "A String", # An Identity Platform ID token for the authenticated user.
"kind": "A String",
"localId": "A String", # The ID of the authenticated user. Always present in the response.
"mfaInfo": [ # Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"mfaPendingCredential": "A String", # An opaque string that functions as proof that the user has successfully passed the first factor authentication.
"oauthAccessToken": "A String", # The OAuth2 access token.
"oauthAuthorizationCode": "A String",
"oauthExpireIn": 42, # The access token expiration time in seconds.
"profilePicture": "A String", # The user's profile picture stored in the account's attributes.
"refreshToken": "A String", # An Identity Platform refresh token for the authenticated user.
"registered": True or False, # Whether the email is for an existing account. Always true.
"userNotifications": [ # Warning notifications for the user.
{ # Warning notifications for the user.
"notificationCode": "A String", # Warning notification enum. Can be used for localization.
"notificationMessage": "A String", # Warning notification string. Can be used as fallback.
},
],
}</pre>
</div>
<div class="method">
<code class="details" id="signInWithPhoneNumber">signInWithPhoneNumber(body=None, x__xgafv=None)</code>
<pre>Completes a phone number authentication attempt. If a user already exists with the given phone number, an ID token is minted for that user. Otherwise, a new user is created and associated with the phone number. This method may also be used to link a phone number to an existing user. To localize the text of the SMS sent to the user, set the HTTP header `X-Firebase-Locale` to the language code that corresponds with the user's locale. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignInWithPhoneNumber.
"code": "A String", # User-entered verification code from an SMS sent to the user's phone.
"idToken": "A String", # A valid ID token for an Identity Platform account. If passed, this request will link the phone number to the user represented by this ID token if the phone number is not in use, or will reauthenticate the user if the phone number is already linked to the user.
"operation": "A String",
"phoneNumber": "A String", # The user's phone number to sign in with. This is necessary in the case of uing a temporary proof, in which case it must match the phone number that was authenticated in the request that generated the temporary proof. This field is ignored if a session info is passed.
"sessionInfo": "A String", # Encrypted session information from the response of sendVerificationCode. In the case of authenticating with an SMS code this must be specified, but in the case of using a temporary proof it can be unspecified.
"temporaryProof": "A String", # A proof of the phone number verification, provided from a previous signInWithPhoneNumber request. If this is passed, the caller must also pass in the phone_number field the phone number that was verified in the previous request.
"tenantId": "A String", # The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.
"verificationProof": "A String", # Do not use.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignInWithPhoneNumber.
"expiresIn": "A String", # The number of seconds until the ID token expires.
"idToken": "A String", # Identity Platform ID token for the authenticated user.
"isNewUser": True or False, # Whether the authenticated user was created by this request.
"localId": "A String", # The id of the authenticated user. Present in the case of a successful authentication. In the case when the phone could be verified but the account operation could not be performed, a temporary proof will be returned instead.
"phoneNumber": "A String", # Phone number of the authenticated user. Always present in the response.
"refreshToken": "A String", # Refresh token for the authenticated user.
"temporaryProof": "A String", # A proof of the phone number verification, provided if a phone authentication is successful but the user operation fails. This happens when the request tries to link a phone number to a user with an ID token or reauthenticate with an ID token but the phone number is linked to a different user.
"temporaryProofExpiresIn": "A String", # The number of seconds until the temporary proof expires.
"verificationProof": "A String", # Do not use.
"verificationProofExpiresIn": "A String", # Do not use.
}</pre>
</div>
<div class="method">
<code class="details" id="signUp">signUp(body=None, x__xgafv=None)</code>
<pre>Signs up a new email and password user or anonymous user, or upgrades an anonymous user to email and password. For an admin request with a Google OAuth 2.0 credential with the proper [permissions](https://cloud.google.com/identity-platform/docs/access-control), creates a new anonymous, email and password, or phone number user. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SignUp.
"captchaChallenge": "A String",
"captchaResponse": "A String", # The reCAPTCHA token provided by the reCAPTCHA client-side integration. reCAPTCHA Enterprise uses it for assessment. Required when reCAPTCHA enterprise is enabled.
"clientType": "A String", # The client type: web, Android or iOS. Required when enabling reCAPTCHA enterprise protection.
"disabled": True or False, # Whether the user will be disabled upon creation. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"displayName": "A String", # The display name of the user to be created.
"email": "A String", # The email to assign to the created user. The length of the email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. An anonymous user will be created if not provided.
"emailVerified": True or False, # Whether the user's email is verified. Specifying this field requires a Google OAuth 2.0 credential with the proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"idToken": "A String", # A valid ID token for an Identity Platform user. If set, this request will link the authentication credential to the user represented by this ID token. For a non-admin request, both the `email` and `password` fields must be set. For an admin request, `local_id` must not be set.
"instanceId": "A String",
"localId": "A String", # The ID of the user to create. The ID must be unique within the project that the user is being created under. Specifying this field requires a Google OAuth 2.0 credential with the proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"mfaInfo": [ # The multi-factor authentication providers for the user to create.
{
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"phoneInfo": "A String", # Phone number to receive OTP for MFA.
},
],
"password": "A String", # The password to assign to the created user. The password must be be at least 6 characters long. If set, the `email` field must also be set.
"phoneNumber": "A String", # The phone number of the user to create. Specifying this field requires a Google OAuth 2.0 credential with the proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"photoUrl": "A String", # The profile photo url of the user to create.
"recaptchaVersion": "A String", # The reCAPTCHA version of the reCAPTCHA token in the captcha_response.
"targetProjectId": "A String", # The project ID of the project which the user should belong to. Specifying this field requires a Google OAuth 2.0 credential with the proper [permissions](https://cloud.google.com/identity-platform/docs/access-control). If this is not set, the target project is inferred from the scope associated to the Bearer access token.
"tenantId": "A String", # The ID of the Identity Platform tenant to create a user under. If not set, the user will be created under the default Identity Platform project.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SignUp.
"displayName": "A String", # The created user's display name.
"email": "A String", # The created user's email.
"expiresIn": "A String", # The number of seconds until the ID token expires.
"idToken": "A String", # An Identity Platform ID token for the created user. This field is only set for non-admin requests.
"kind": "A String",
"localId": "A String", # The ID of the created user. Always present in the response.
"refreshToken": "A String", # An Identity Platform refresh token for the created user. This field is only set for non-admin requests.
}</pre>
</div>
<div class="method">
<code class="details" id="update">update(body=None, x__xgafv=None)</code>
<pre>Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for SetAccountInfo.
"captchaChallenge": "A String",
"captchaResponse": "A String", # The response from reCaptcha challenge. This is required when the system detects possible abuse activities.
"createdAt": "A String", # The timestamp in milliseconds when the account was created.
"customAttributes": "A String", # JSON formatted custom attributes to be stored in the Identity Platform ID token. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"delegatedProjectNumber": "A String",
"deleteAttribute": [
"A String",
],
"deleteProvider": [ # The Identity Providers to unlink from the user's account.
"A String",
],
"disableUser": True or False, # If true, marks the account as disabled, meaning the user will no longer be able to sign-in.
"displayName": "A String", # The user's new display name to be updated in the account's attributes. The length of the display name must be less than or equal to 256 characters.
"email": "A String", # The user's new email to be updated in the account's attributes. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. If [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, the email cannot be changed by the user without verifying the email first, but it can be changed by an administrator.
"emailVerified": True or False, # Whether the user's email has been verified. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"idToken": "A String", # A valid Identity Platform ID token. Required when attempting to change user-related information.
"instanceId": "A String",
"lastLoginAt": "A String", # The timestamp in milliseconds when the account last logged in.
"linkProviderUserInfo": { # Information about the user as provided by various Identity Providers. # The provider to be linked to the user's account. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
"localId": "A String", # The ID of the user. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control). For requests from end-users, an ID token should be passed instead.
"mfa": { # Multi-factor authentication related information. # The multi-factor authentication related information to be set on the user's account. This will overwrite any previous multi-factor related information on the account. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"enrollments": [ # The second factors the user has enrolled.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
},
"oobCode": "A String", # The out-of-band code to be applied on the user's account. The following out-of-band code types are supported: * VERIFY_EMAIL * RECOVER_EMAIL * REVERT_SECOND_FACTOR_ADDITION * VERIFY_AND_CHANGE_EMAIL
"password": "A String", # The user's new password to be updated in the account's attributes. The password must be at least 6 characters long.
"phoneNumber": "A String", # The phone number to be updated in the account's attributes.
"photoUrl": "A String", # The user's new photo URL for the account's profile photo to be updated in the account's attributes. The length of the URL must be less than or equal to 2048 characters.
"provider": [ # The Identity Providers that the account should be associated with.
"A String",
],
"returnSecureToken": True or False, # Whether or not to return an ID and refresh token. Should always be true.
"targetProjectId": "A String", # The project ID for the project that the account belongs to. Specifying this field requires Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control). Requests from end users should pass an Identity Platform ID token instead.
"tenantId": "A String", # The tenant ID of the Identity Platform tenant that the account belongs to. Requests from end users should pass an Identity Platform ID token rather than setting this field.
"upgradeToFederatedLogin": True or False, # Whether the account should be restricted to only using federated login.
"validSince": "A String", # Specifies the minimum timestamp in seconds for an Identity Platform ID token to be considered valid.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SetAccountInfo
"displayName": "A String", # The account's display name.
"email": "A String", # The account's email address.
"emailVerified": True or False, # Whether the account's email has been verified.
"expiresIn": "A String", # The number of seconds until the Identity Platform ID token expires.
"idToken": "A String", # An Identity Platform ID token for the account. This is used for legacy user sign up.
"kind": "A String",
"localId": "A String", # The ID of the authenticated user.
"newEmail": "A String", # The new email that has been set on the user's account attributes.
"passwordHash": "A String", # Deprecated. No actual password hash is currently returned.
"photoUrl": "A String", # The user's photo URL for the account's profile photo.
"providerUserInfo": [ # The linked Identity Providers on the account.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"refreshToken": "A String", # A refresh token for the account. This is used for legacy user sign up.
}</pre>
</div>
<div class="method">
<code class="details" id="verifyIosClient">verifyIosClient(body=None, x__xgafv=None)</code>
<pre>Verifies an iOS client is a real iOS device. If the request is valid, a receipt will be sent in the response and a secret will be sent via Apple Push Notification Service. The client should send both of them back to certain Identity Platform APIs in a later call (for example, /accounts:sendVerificationCode), in order to verify the client. The bundle ID is required in the request header as `x-ios-bundle-identifier`. An [API key](https://cloud.google.com/docs/authentication/api-keys) is required in the request in order to identify the Google Cloud project.
Args:
body: object, The request body.
The object takes the form of:
{ # Request message for VerifyIosClient
"appToken": "A String", # A device token that the iOS client gets after registering to APNs (Apple Push Notification service).
"isSandbox": True or False, # Whether the app token is in the iOS sandbox. If false, the app token is in the production environment.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for VerifyIosClient.
"receipt": "A String", # Receipt of successful app token validation.
"suggestedTimeout": "A String", # Suggested time that the client should wait in seconds for delivery of the push notification.
}</pre>
</div>
</body></html>
|
