Package google.cloud.identitytoolkit.admin.v2

ProjectConfigService

Project configuration for Identity Toolkit

CreateDefaultSupportedIdpConfig

rpc CreateDefaultSupportedIdpConfig(CreateDefaultSupportedIdpConfigRequest) returns (DefaultSupportedIdpConfig)

Create a default supported Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateInboundSamlConfig

rpc CreateInboundSamlConfig(CreateInboundSamlConfigRequest) returns (InboundSamlConfig)

Create an inbound SAML configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateOAuthIdpConfig

rpc CreateOAuthIdpConfig(CreateOAuthIdpConfigRequest) returns (OAuthIdpConfig)

Create an Oidc Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteDefaultSupportedIdpConfig

rpc DeleteDefaultSupportedIdpConfig(DeleteDefaultSupportedIdpConfigRequest) returns (Empty)

Delete a default supported Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteInboundSamlConfig

rpc DeleteInboundSamlConfig(DeleteInboundSamlConfigRequest) returns (Empty)

Delete an inbound SAML configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteOAuthIdpConfig

rpc DeleteOAuthIdpConfig(DeleteOAuthIdpConfigRequest) returns (Empty)

Delete an Oidc Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetConfig

rpc GetConfig(GetConfigRequest) returns (Config)

Retrieve an Identity Toolkit project configuration.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetDefaultSupportedIdpConfig

rpc GetDefaultSupportedIdpConfig(GetDefaultSupportedIdpConfigRequest) returns (DefaultSupportedIdpConfig)

Retrieve a default supported Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetIamPolicy

rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy)

Gets the access control policy for a resource. An error is returned if the resource does not exist. An empty policy is returned if the resource exists but does not have a policy set on it. Caller must have the right Google IAM permission on the resource.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetInboundSamlConfig

rpc GetInboundSamlConfig(GetInboundSamlConfigRequest) returns (InboundSamlConfig)

Retrieve an inbound SAML configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetOAuthIdpConfig

rpc GetOAuthIdpConfig(GetOAuthIdpConfigRequest) returns (OAuthIdpConfig)

Retrieve an Oidc Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

InitializeIdentityPlatform

rpc InitializeIdentityPlatform(InitializeIdentityPlatformRequest) returns (InitializeIdentityPlatformResponse)

Initialize Identity Platform for a Cloud project. Identity Platform is an end-to-end authentication system for third-party users to access your apps and services. These could include mobile/web apps, games, APIs and beyond.

This is the publicly available variant of EnableIdentityPlatform that is only available to billing-enabled projects.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListDefaultSupportedIdpConfigs

rpc ListDefaultSupportedIdpConfigs(ListDefaultSupportedIdpConfigsRequest) returns (ListDefaultSupportedIdpConfigsResponse)

List all default supported Idp configurations for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListDefaultSupportedIdps

rpc ListDefaultSupportedIdps(ListDefaultSupportedIdpsRequest) returns (ListDefaultSupportedIdpsResponse)

List all default supported Idps.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListInboundSamlConfigs

rpc ListInboundSamlConfigs(ListInboundSamlConfigsRequest) returns (ListInboundSamlConfigsResponse)

List all inbound SAML configurations for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListOAuthIdpConfigs

rpc ListOAuthIdpConfigs(ListOAuthIdpConfigsRequest) returns (ListOAuthIdpConfigsResponse)

List all Oidc Idp configurations for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SetIamPolicy

rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy)

Sets the access control policy for a resource. If the policy exists, it is replaced. Caller must have the right Google IAM permission on the resource.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

TestIamPermissions

rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse)

Returns the caller's permissions on a resource. An error is returned if the resource does not exist. A caller is not required to have Google IAM permission to make this request.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateConfig

rpc UpdateConfig(UpdateConfigRequest) returns (Config)

Update an Identity Toolkit project configuration.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateDefaultSupportedIdpConfig

rpc UpdateDefaultSupportedIdpConfig(UpdateDefaultSupportedIdpConfigRequest) returns (DefaultSupportedIdpConfig)

Update a default supported Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateInboundSamlConfig

rpc UpdateInboundSamlConfig(UpdateInboundSamlConfigRequest) returns (InboundSamlConfig)

Update an inbound SAML configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateOAuthIdpConfig

rpc UpdateOAuthIdpConfig(UpdateOAuthIdpConfigRequest) returns (OAuthIdpConfig)

Update an Oidc Idp configuration for an Identity Toolkit project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

VerifyDomain

rpc VerifyDomain(VerifyDomainRequest) returns (VerifyDomainResponse)

Verify the requested custom domain has required DNS records.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

TenantManagementService

Tenant management service for GCIP.

CreateTenant

rpc CreateTenant(CreateTenantRequest) returns (Tenant)

Create a tenant. Requires write permission on the Agent project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteTenant

rpc DeleteTenant(DeleteTenantRequest) returns (Empty)

Delete a tenant. Requires write permission on the Agent project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetTenant

rpc GetTenant(GetTenantRequest) returns (Tenant)

Get a tenant. Requires read permission on the Tenant resource.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListTenants

rpc ListTenants(ListTenantsRequest) returns (ListTenantsResponse)

List tenants under the given agent project. Requires read permission on the Agent project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateTenant

rpc UpdateTenant(UpdateTenantRequest) returns (Tenant)

Update a tenant. Requires write permission on the Tenant resource.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/firebase
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

BlockingFunctionsConfig

Configuration related to Blocking Functions.

Fields
triggers

map<string, Trigger>

Map of event type to Trigger. Key should be one of the supported event types: "beforeCreate", "beforeSignIn".

forward_inbound_credentials

ForwardInboundCredentials

The user credentials to include in the JWT payload that is sent to the registered Blocking Functions.

Trigger

Synchronous Cloud Function with HTTP Trigger

Fields
function_uri

string

HTTP URI trigger for the Cloud Function.

update_time

Timestamp

When the trigger was changed.

ClientConfig

Options related to how clients making requests on behalf of a project should be configured.

Fields
api_key

string

Output only. API key that can be used when making requests for this project.

permissions

Permissions

Configuration related to restricting a user's ability to affect their account.

firebase_subdomain

string

Output only. Firebase subdomain.

Permissions

Configuration related to restricting a user's ability to affect their account.

Fields
disabled_user_signup

bool

When true, end users cannot sign up for a new account on the associated project through any of our API methods

disabled_user_deletion

bool

When true, end users cannot delete their account on the associated project through any of our API methods

ClientPermissionConfig

Options related to how clients making requests on behalf of a tenant should be configured.

Fields
permissions

ClientPermissions

Configuration related to restricting a user's ability to affect their account.

ClientPermissions

Configuration related to restricting a user's ability to affect their account.

Fields
disabled_user_signup

bool

When true, end users cannot sign up for a new account on the associated project through any of our API methods

disabled_user_deletion

bool

When true, end users cannot delete their account on the associated project through any of our API methods

Config

Represents an Identity Toolkit project.

Fields
name

string

Output only. The name of the Config resource. Example: "projects/my-awesome-project/config"

sign_in

SignInConfig

Configuration related to local sign in methods.

notification

NotificationConfig

Configuration related to sending notifications to users.

quota

QuotaConfig

Configuration related to quotas.

monitoring

MonitoringConfig

Configuration related to monitoring project activity.

multi_tenant

MultiTenantConfig

Configuration related to multi-tenant functionality.

authorized_domains[]

string

List of domains authorized for OAuth redirects

subtype

Subtype

Output only. The subtype of this config.

client

ClientConfig

Options related to how clients making requests on behalf of a project should be configured.

mfa

MultiFactorAuthConfig

Configuration for this project's multi-factor authentication, including whether it is active and what factors can be used for the second factor

blocking_functions

BlockingFunctionsConfig

Configuration related to blocking functions.

recaptcha_config

RecaptchaConfig

The project-level reCAPTCHA config.

sms_region_config

SmsRegionConfig

Configures which regions are enabled for SMS verification code sending.

autodelete_anonymous_users

bool

Whether anonymous users will be auto-deleted after a period of 30 days.

password_policy_config

PasswordPolicyConfig

The project level password policy configuration.

email_privacy_config

EmailPrivacyConfig

Configuration for settings related to email privacy and public visibility.

Subtype

The subtype of this config.

Enums
SUBTYPE_UNSPECIFIED Default value. Do not use.
IDENTITY_PLATFORM An Identity Platform project.
FIREBASE_AUTH A Firebase Authentication project.
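
An added example (not part of the original reference and not Google's code): a posture check over a Config message that reads only fields documented on this page. It assumes the Config has been deserialized into a Python dict keyed by the proto field names; the sample values, the severity labels and the choice of which settings to flag are illustrative assumptions.

```python
from urllib.parse import urlsplit

# Event types this page lists as valid keys of BlockingFunctionsConfig.triggers.
SUPPORTED_EVENTS = {"beforeCreate", "beforeSignIn"}


def _get(msg, *path, default=None):
    """Walk nested dicts; an absent field reads as its default."""
    for key in path:
        if not isinstance(msg, dict) or key not in msg:
            return default
        msg = msg[key]
    return msg


def audit_config(cfg):
    """Return sorted (severity, field_path, message) findings for a Config dict."""
    findings = []

    # MultiFactorAuthConfig.state: only MANDATORY forces a second factor.
    state = _get(cfg, "mfa", "state", default="STATE_UNSPECIFIED")
    if state in ("STATE_UNSPECIFIED", "DISABLED"):
        findings.append(("high", "mfa.state", f"{state}: no second factor can be used"))
    elif state == "ENABLED":
        findings.append(("review", "mfa.state", "ENABLED: second factor is optional"))

    # EmailPrivacyConfig: the page recommends enabling this toggle.
    if not _get(cfg, "email_privacy_config", "enable_improved_email_privacy", default=False):
        findings.append(("high", "email_privacy_config.enable_improved_email_privacy",
                         "off: email enumeration protections are not active"))

    # MonitoringConfig.request_logging: without it there is no request trail.
    if not _get(cfg, "monitoring", "request_logging", "enabled", default=False):
        findings.append(("review", "monitoring.request_logging.enabled",
                         "off: requests to this project are not logged"))

    # BlockingFunctionsConfig.triggers: check the key and the transport.
    for event, trigger in _get(cfg, "blocking_functions", "triggers", default={}).items():
        path = f"blocking_functions.triggers[{event}]"
        if event not in SUPPORTED_EVENTS:
            findings.append(("review", path, "key is not a supported event type"))
        if urlsplit(_get(trigger, "function_uri", default="")).scheme != "https":
            findings.append(("high", path + ".function_uri", "trigger URI is not https"))

    # ForwardInboundCredentials: these tokens end up in the JWT sent to the function.
    fwd = _get(cfg, "blocking_functions", "forward_inbound_credentials", default={})
    for token in ("access_token", "refresh_token"):
        if fwd.get(token):
            findings.append(("review", f"blocking_functions.forward_inbound_credentials.{token}",
                             "IdP credential is forwarded to blocking functions"))

    return sorted(findings)


# Constructed sample input (not real project data).
SAMPLE_CONFIG = {
    "name": "projects/my-awesome-project/config",
    "mfa": {"state": "ENABLED", "enabled_providers": ["PHONE_SMS"]},
    "monitoring": {"request_logging": {"enabled": False}},
    "email_privacy_config": {},
    "blocking_functions": {
        "triggers": {
            "beforeSignIn": {"function_uri": "http://functions.example.test/before-sign-in"},
            "beforeDelete": {"function_uri": "https://functions.example.test/before-delete"},
        },
        "forward_inbound_credentials": {"id_token": True, "refresh_token": True},
    },
}

# Constructed sample with every flagged setting corrected.
HARDENED_CONFIG = {
    "name": "projects/my-awesome-project/config",
    "mfa": {"state": "MANDATORY"},
    "monitoring": {"request_logging": {"enabled": True}},
    "email_privacy_config": {"enable_improved_email_privacy": True},
    "blocking_functions": {
        "triggers": {
            "beforeCreate": {"function_uri": "https://functions.example.test/before-create"},
        },
        "forward_inbound_credentials": {"id_token": True},
    },
}

if __name__ == "__main__":
    for severity, path, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {path}: {message}")
```
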

CreateDefaultSupportedIdpConfigRequest

Request for CreateDefaultSupportedIdpConfig

Fields
parent

string

The parent resource name where the config is to be created, for example: "projects/my-awesome-project"

Authorization requires the following IAM permission on the specified resource parent:

  • firebaseauth.configs.update

idp_id

string

The id of the Idp to create a config for. Call ListDefaultSupportedIdps for list of all default supported Idps.

default_supported_idp_config

DefaultSupportedIdpConfig

The config resource which replaces the resource on the server.

CreateInboundSamlConfigRequest

Request for CreateInboundSamlConfig

Fields
parent

string

The parent resource name where the config is to be created, for example: "projects/my-awesome-project"

Authorization requires the following IAM permission on the specified resource parent:

  • firebaseauth.configs.update

inbound_saml_config_id

string

The id to use for this config.

inbound_saml_config

InboundSamlConfig

The config resource to create. Client must not set the InboundSamlConfig.name field and server will ignore the field value if it is set by clients.

CreateOAuthIdpConfigRequest

Request for CreateOAuthIdpConfig

Fields
parent

string

The parent resource name where the config is to be created, for example: "projects/my-awesome-project"

Authorization requires the following IAM permission on the specified resource parent:

  • firebaseauth.configs.update

oauth_idp_config_id

string

The id to use for this config.

oauth_idp_config

OAuthIdpConfig

The config resource to create. Client must not set the OAuthIdpConfig.name field and server will ignore the field value if it is set by clients.

CreateTenantRequest

Request message for CreateTenant.

Fields
parent

string

The parent resource name where the tenant will be created. For example, "projects/project1".

Authorization requires the following IAM permission on the specified resource parent:

  • identitytoolkit.tenants.create

tenant

Tenant

Required. Tenant to be created.

DefaultSupportedIdp

Standard Identity Toolkit-trusted IDPs.

Fields
idp_id

string

Id of the Idp

description

string

Description of the Idp

DefaultSupportedIdpConfig

Configuration options for authenticating with the standard set of Identity Toolkit-trusted IDPs.

Fields
name

string

The name of the DefaultSupportedIdpConfig resource, for example: "projects/my-awesome-project/defaultSupportedIdpConfigs/google.com"

enabled

bool

True if the user is allowed to sign in with the provider.

client_id

string

OAuth client ID.

client_secret

string

OAuth client secret.

Union field idp_specific_config. IDP settings that are specific to one type of sign-in. idp_specific_config can be only one of the following:
apple_sign_in_config

AppleSignInConfig

Additional config for Apple-based projects.

AppleSignInConfig

Additional config for SignInWithApple.

Fields
code_flow_config

CodeFlowConfig

bundle_ids[]

string

A list of Bundle IDs usable by this project

CodeFlowConfig

Additional config for Apple for code flow.

Fields
team_id

string

Apple Developer Team ID.

key_id

string

Key ID for the private key.

private_key

string

Private key used for signing the client secret JWT.

DeleteDefaultSupportedIdpConfigRequest

Request for DeleteDefaultSupportedIdpConfig

Fields
name

string

The resource name of the config, for example: "projects/my-awesome-project/defaultSupportedIdpConfigs/google.com"

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.update

DeleteInboundSamlConfigRequest

Request for DeleteInboundSamlConfig

Fields
name

string

The resource name of the config to be deleted, for example: 'projects/my-awesome-project/inboundSamlConfigs/my-config-id'.

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.update

DeleteOAuthIdpConfigRequest

Request for DeleteOAuthIdpConfig

Fields
name

string

The resource name of the config to be deleted, for example: 'projects/my-awesome-project/oauthIdpConfigs/oauth-config-id'.

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.update

DeleteTenantRequest

Request message for DeleteTenant.

Fields
name

string

Resource name of the tenant to delete.

Authorization requires the following IAM permission on the specified resource name:

  • identitytoolkit.tenants.delete

EmailPrivacyConfig

Configuration for settings related to email privacy and public visibility. Settings in this config protect against email enumeration, but may make some trade-offs in user-friendliness.

Fields
enable_improved_email_privacy

bool

Migrates the project to a state of improved email privacy. For example, certain error codes are made more generic to avoid giving away information on whether the account exists. In addition, this disables certain features that, as a side effect, allow user enumeration. Enabling this toggle disables the fetchSignInMethodsForEmail functionality and changing the user's email to an unverified email. It is recommended to remove dependence on this functionality and enable this toggle to improve user privacy.

ForwardInboundCredentials

Indicates which credentials to pass to the registered Blocking Functions.

Fields
id_token

bool

Whether to pass the user's OIDC identity provider's ID token.

access_token

bool

Whether to pass the user's OAuth identity provider's access token.

refresh_token

bool

Whether to pass the user's OAuth identity provider's refresh token.

GetConfigRequest

Request for GetConfig

Fields
name

string

The resource name of the config, for example: "projects/my-awesome-project/config"

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.get

GetDefaultSupportedIdpConfigRequest

Request for GetDefaultSupportedIdpConfig

Fields
name

string

The resource name of the config, for example: "projects/my-awesome-project/defaultSupportedIdpConfigs/google.com"

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.get

GetInboundSamlConfigRequest

Request for GetInboundSamlConfig

Fields
name

string

The resource name of the config, for example: 'projects/my-awesome-project/inboundSamlConfigs/my-config-id'.

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.get

GetOAuthIdpConfigRequest

Request for GetOAuthIdpConfig

Fields
name

string

The resource name of the config, for example: 'projects/my-awesome-project/oauthIdpConfigs/oauth-config-id'.

Authorization requires the following IAM permission on the specified resource name:

  • firebaseauth.configs.get

GetTenantRequest

Request message for GetTenant.

Fields
name

string

Resource name of the tenant to retrieve.

Authorization requires the following IAM permission on the specified resource name:

  • identitytoolkit.tenants.get

HashConfig

History information of the hash algorithm and key. Different accounts' passwords may be generated by different versions.

Fields
algorithm

HashAlgorithm

Output only. Different password hash algorithms used in Identity Toolkit.

signer_key

string

Output only. Signer key in base64.

salt_separator

string

Output only. Non-printable character to be inserted between the salt and plain text password in base64.

rounds

int32

Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.

memory_cost

int32

Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field.

HashAlgorithm

Different password hash algorithms used in Identity Toolkit.

Enums
HASH_ALGORITHM_UNSPECIFIED Default value. Do not use.
HMAC_SHA256 HMAC_SHA256
HMAC_SHA1 HMAC_SHA1
HMAC_MD5 HMAC_MD5
SCRYPT SCRYPT
PBKDF_SHA1 PBKDF_SHA1
MD5 MD5
HMAC_SHA512 HMAC_SHA512
SHA1 SHA1
BCRYPT BCRYPT
PBKDF2_SHA256 PBKDF2_SHA256
SHA256 SHA256
SHA512 SHA512
STANDARD_SCRYPT STANDARD_SCRYPT

IdpCertificate

The IDP's certificate data to verify the signature in the SAMLResponse issued by the IDP.

Fields
x509_certificate

string

The x509 certificate

InboundSamlConfig

A pair of SAML RP-IDP configurations when the project acts as the relying party.

Fields
name

string

The name of the InboundSamlConfig resource, for example: 'projects/my-awesome-project/inboundSamlConfigs/my-config-id'. Ignored during create requests.

idp_config

IdpConfig

The SAML IdP (Identity Provider) configuration when the project acts as the relying party.

sp_config

SpConfig

The SAML SP (Service Provider) configuration when the project acts as the relying party to receive and accept an authentication assertion issued by a SAML identity provider.

display_name

string

The config's display name set by developers.

enabled

bool

True if the user is allowed to sign in with the provider.

IdpConfig

The SAML IdP (Identity Provider) configuration when the project acts as the relying party.

Fields
idp_entity_id

string

Unique identifier for all SAML entities.

sso_url

string

URL to send Authentication request to.

idp_certificates[]

IdpCertificate

IDP's public keys for verifying signature in the assertions.

sign_request

bool

Indicates if the outbound SAMLRequest should be signed.

SpConfig

The SAML SP (Service Provider) configuration when the project acts as the relying party to receive and accept an authentication assertion issued by a SAML identity provider.

Fields
sp_entity_id

string

Unique identifier for all SAML entities.

callback_uri

string

Callback URI where responses from IDP are handled.

sp_certificates[]

SpCertificate

Output only. Public certificates generated by the server to verify the signature in SAMLRequest in the SP-initiated flow.

Inheritance

Settings that the tenants will inherit from project level.

Fields
email_sending_config

bool

Whether to allow the tenant to inherit custom domains, email templates, and custom SMTP settings. If true, email sent from tenant will follow the project level email sending configurations. If false (by default), emails will go with the default settings with no customizations.

InitializeIdentityPlatformRequest

Request for InitializeIdentityPlatform.

Fields
project

string

The resource name of the target project the developer wants to enable Identity Platform for.

Authorization requires the following IAM permission on the specified resource project:

  • firebaseauth.configs.create

InitializeIdentityPlatformResponse

This type has no fields.

Response for InitializeIdentityPlatform. Empty for now.

ListDefaultSupportedIdpConfigsRequest

Request for ListDefaultSupportedIdpConfigs

Fields
parent

string

The parent resource name, for example, "projects/my-awesome-project".

Authorization requires the following IAM permission on the specified resource parent:

  • firebaseauth.configs.get

page_size

int32

The maximum number of items to return.

page_token

string

The next_page_token value returned from a previous List request, if any.

ListDefaultSupportedIdpConfigsResponse

Response for ListDefaultSupportedIdpConfigs

Fields
default_supported_idp_configs[]

DefaultSupportedIdpConfig

The set of configs.

next_page_token

string

Token to retrieve the next page of results, or empty if there are no more results in the list.

ListDefaultSupportedIdpsRequest

Request for ListDefaultSupportedIdps

Fields
page_size

int32

The maximum number of items to return.

page_token

string

The next_page_token value returned from a previous List request, if any.

ListDefaultSupportedIdpsResponse

Response for ListDefaultSupportedIdps

Fields
default_supported_idps[]

DefaultSupportedIdp

The set of configs.

next_page_token

string

Token to retrieve the next page of results, or empty if there are no more results in the list.

ListInboundSamlConfigsRequest

Request for ListInboundSamlConfigs

Fields
parent

string

The parent resource name, for example, "projects/my-awesome-project".

Authorization requires the following IAM permission on the specified resource parent:

  • firebaseauth.configs.get

page_size

int32

The maximum number of items to return.

page_token

string

The next_page_token value returned from a previous List request, if any.

ListInboundSamlConfigsResponse

Response for ListInboundSamlConfigs

Fields
inbound_saml_configs[]

InboundSamlConfig

The set of configs.

next_page_token

string

Token to retrieve the next page of results, or empty if there are no more results in the list.

ListOAuthIdpConfigsRequest

Request for ListOAuthIdpConfigs

Fields
parent

string

The parent resource name, for example, "projects/my-awesome-project".

Authorization requires the following IAM permission on the specified resource parent:

  • firebaseauth.configs.get

page_size

int32

The maximum number of items to return.

page_token

string

The next_page_token value returned from a previous List request, if any.

ListOAuthIdpConfigsResponse

Response for ListOAuthIdpConfigs

Fields
oauth_idp_configs[]

OAuthIdpConfig

The set of configs.

next_page_token

string

Token to retrieve the next page of results, or empty if there are no more results in the list.

ListTenantsRequest

Request message for ListTenants.

Fields
parent

string

Required. The parent resource name to list tenants for.

Authorization requires the following IAM permission on the specified resource parent:

  • identitytoolkit.tenants.list

page_token

string

The pagination token from the response of a previous request.

page_size

int32

The maximum number of results to return, capped at 1000. If not specified, the default value is 20.

ListTenantsResponse

Response message for ListTenants.

Fields
tenants[]

Tenant

A list of tenants under the given agent project.

next_page_token

string

The token to get the next page of results.

MfaState

Whether MultiFactor Authentication has been enabled for this project.

Enums
MFA_STATE_UNSPECIFIED Illegal State, should not be used.
DISABLED Multi-factor authentication cannot be used for this project.
ENABLED Multi-factor authentication can be used for this project.
MANDATORY Multi-factor authentication is required for this project. Users from this project must authenticate with the second factor.

MonitoringConfig

Configuration related to monitoring project activity.

Fields
request_logging

RequestLogging

Configuration for logging requests made to this project to Stackdriver Logging

RequestLogging

Configuration for logging requests made to this project to Stackdriver Logging

Fields
enabled

bool

Whether logging is enabled for this project or not.

MultiFactorAuthConfig

Options related to MultiFactor Authentication for the project.

Fields
state

State

Whether MultiFactor Authentication has been enabled for this project.

enabled_providers[]

Provider

A list of usable second factors for this project.

provider_configs[]

ProviderConfig

A list of usable second factors for this project along with their configurations. This field does not support phone based MFA, for that use the 'enabled_providers' field.

Provider

A list of usable second factors for this project.

Enums
PROVIDER_UNSPECIFIED Illegal Provider, should not be used
PHONE_SMS SMS is enabled as a second factor for this project.

State

Whether MultiFactor Authentication has been enabled for this project.

Enums
STATE_UNSPECIFIED Illegal State, should not be used.
DISABLED Multi-factor authentication cannot be used for this project
ENABLED Multi-factor authentication can be used for this project
MANDATORY Multi-factor authentication is required for this project. Users from this project must authenticate with the second factor.

MultiTenantConfig

Configuration related to multi-tenant functionality.

Fields
allow_tenants

bool

Whether this project can have tenants or not.

default_tenant_location

string

The default cloud parent org or folder that the tenant project should be created under. The parent resource name should be in the format of "/", such as "folders/123" or "organizations/456". If the value is not set, the tenant will be created under the same organization or folder as the agent project.

NotificationConfig

Configuration related to sending notifications to users.

Fields
send_email

SendEmail

Options for email sending.

send_sms

SendSms

Options for SMS sending.

default_locale

string

Default locale used for email and SMS in IETF BCP 47 format.

SendEmail

Options for email sending.

Fields
method

Method

The method used for sending an email.

reset_password_template

EmailTemplate

Email template for reset password

verify_email_template

EmailTemplate

Email template for verify email

change_email_template

EmailTemplate

Email template for change email

legacy_reset_password_template

EmailTemplate

Reset password email template for legacy Firebase V1 app.

callback_uri

string

Action URL in the email template.

dns_info

DnsInfo

Information of custom domain DNS verification.

revert_second_factor_addition_template

EmailTemplate

Email template for reverting second factor addition emails

Union field email_provider_config. Email provider configuration used to send emails. email_provider_config can be only one of the following:
smtp

Smtp

Use a custom SMTP relay

DnsInfo

Information of custom domain DNS verification. By default, default_domain will be used. A custom domain can be configured using VerifyCustomDomain.

Fields
custom_domain

string

Output only. The applied verified custom domain.

use_custom_domain

bool

Whether to use custom domain.

pending_custom_domain

string

Output only. The custom domain that's to be verified.

custom_domain_state

VerificationState

Output only. The current verification state of the custom domain. The custom domain will only be used once the domain verification is successful.

domain_verification_request_time

Timestamp

Output only. The timestamp of initial request for the current domain verification.

VerificationState

The current verification state of the custom domain.

Enums
VERIFICATION_STATE_UNSPECIFIED Default value. Do not use.
NOT_STARTED The verification has not started.
IN_PROGRESS The verification is in progress.
FAILED The verification failed.
SUCCEEDED The verification succeeded and is ready to be applied.

EmailTemplate

Email template. The subject and body fields can contain the following placeholders, which will be replaced with the appropriate values:

  • %LINK% - The link to use to redeem the sent OOB code.
  • %EMAIL% - The email address to which the email is being sent.
  • %NEW_EMAIL% - The new email being set for the account (when applicable).
  • %APP_NAME% - The Google Cloud project's display name.
  • %DISPLAY_NAME% - The user's display name.

Fields
sender_local_part

string

Local part of From address

subject

string

Subject of the email

sender_display_name

string

Sender display name

body

string

Email body

body_format

BodyFormat

Email body format

reply_to

string

Reply-to address

customized

bool

Output only. Whether the body or subject of the email is customized.

BodyFormat

Email body format

Enums
BODY_FORMAT_UNSPECIFIED Default value. Do not use.
PLAIN_TEXT Plain text
HTML HTML

Method

The method used for sending an email.

Enums
METHOD_UNSPECIFIED Email method unspecified.
DEFAULT Sending email on behalf of developer.
CUSTOM_SMTP Sending email using SMTP configuration provided by developers.

Smtp

Configuration for SMTP relay

Fields
sender_email

string

Sender email for the SMTP relay

host

string

SMTP relay host

port

int32

SMTP relay port

username

string

SMTP relay username

password

string

SMTP relay password

security_mode

SecurityMode

SMTP security mode.

SecurityMode

SMTP security mode.

Enums
SECURITY_MODE_UNSPECIFIED Default value. Do not use.
SSL SSL mode
START_TLS START_TLS mode

SendSms

Options for SMS sending.

Fields
use_device_locale

bool

Whether to use the accept_language header for SMS.

sms_template

SmsTemplate

Output only. The template to use when sending an SMS.

SmsTemplate

The template to use when sending an SMS.

Fields
content

string

Output only. The SMS's content. Can contain the following placeholders, which will be replaced with the appropriate values:

  • %APP_NAME% - For Android or iOS apps, the app's display name. For web apps, the domain hosting the application.
  • %LOGIN_CODE% - The OOB code being sent in the SMS.

OAuthIdpConfig

Configuration options for authenticating with an OAuth IDP.

Fields
name

string

The name of the OAuthIdpConfig resource, for example: 'projects/my-awesome-project/oauthIdpConfigs/oauth-config-id'. Ignored during create requests.

client_id

string

The client id of an OAuth client.

issuer

string

For OIDC Idps, the issuer identifier.

display_name

string

The config's display name set by developers.

enabled

bool

True if the user is allowed to sign in with the provider.

client_secret

string

The client secret of the OAuth client, to enable OIDC code flow.

response_type

OAuthResponseType

The response type to request in the OAuth authorization flow. You can set either id_token or code to true, but not both. Setting both types to be simultaneously true ({code: true, id_token: true}) is not yet supported.

OAuthResponseType

The response type to request in the OAuth authorization flow. You can set either id_token or code to true, but not both. Setting both types to be simultaneously true ({code: true, id_token: true}) is not yet supported.

See https://openid.net/specs/openid-connect-core-1_0.html#Authentication for a mapping of response type to OAuth 2.0 flow.

Fields
id_token

bool

If true, ID token is returned from IdP's authorization endpoint.

code

bool

If true, authorization code is returned from IdP's authorization endpoint.

token
(deprecated)

bool

Do not use. The token response type is not supported at the moment.

PasswordPolicyConfig

The configuration for the password policy on the project.

Fields
password_policy_enforcement_state

PasswordPolicyEnforcementState

Which enforcement mode to use for the password policy.

password_policy_versions[]

PasswordPolicyVersion

Must be of length 1. Contains the strength attributes for the password policy.

force_upgrade_on_signin

bool

Users must have a password compliant with the password policy to sign in.

last_update_time

Timestamp

Output only. The last time the password policy on the project was updated.

PasswordPolicyEnforcementState

Enforcement state for the password policy

Enums
PASSWORD_POLICY_ENFORCEMENT_STATE_UNSPECIFIED Illegal State, should not be used.
OFF Password Policy will not be used on the project.
ENFORCE Passwords non-compliant with the password policy will be rejected with an error thrown.

PasswordPolicyVersion

The strength attributes for the password policy on the project.

Fields
custom_strength_options

CustomStrengthOptions

The custom strength options enforced by the password policy.

schema_version

int32

Output only. Schema version number for the password policy.

CustomStrengthOptions

Custom strength options to enforce on user passwords.

Fields
min_password_length

int32

Minimum password length. Range from 6 to 30

max_password_length

int32

Maximum password length. No default max length

contains_lowercase_character

bool

The password must contain a lower case character.

contains_uppercase_character

bool

The password must contain an upper case character.

contains_numeric_character

bool

The password must contain a number.

contains_non_alphanumeric_character

bool

The password must contain a non-alphanumeric character.

ProviderConfig

ProviderConfig describes the supported MFA providers along with their configurations.

Fields
state

MfaState

Describes the state of the MultiFactor Authentication type.

Union field mfa_provider_config.

mfa_provider_config can be only one of the following:

totp_provider_config

TotpMfaProviderConfig

TOTP MFA provider config for this project.

QuotaConfig

Configuration related to quotas.

Fields
sign_up_quota_config

TemporaryQuota

Quota for the Signup endpoint, if overwritten. Signup quota is measured in sign ups per project per hour per IP.

TemporaryQuota

Temporary quota increase / decrease

Fields
quota

int64

Corresponds to the 'refill_token_count' field in QuotaServer config

start_time

Timestamp

When this quota will take effect

quota_duration

Duration

How long this quota will be active for

RecaptchaConfig

The reCAPTCHA Enterprise integration config.

Fields
managed_rules[]

RecaptchaManagedRule

The managed rules for authentication action based on reCAPTCHA scores. The rules are shared across providers for a given tenant project.

recaptcha_keys[]

RecaptchaKey

The reCAPTCHA keys.

email_password_enforcement_state

RecaptchaProviderEnforcementState

The reCAPTCHA config for email/password provider, containing the enforcement status. The email/password provider contains all related user flows protected by reCAPTCHA.

use_account_defender

bool

Whether to use the account defender for reCAPTCHA assessment. Defaults to false.

RecaptchaProviderEnforcementState

Enforcement states for reCAPTCHA protection.

Enums
RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED Enforcement state has not been set.
OFF Unenforced.
AUDIT reCAPTCHA assessment is created, result is not used to enforce.
ENFORCE reCAPTCHA assessment is created, result is used to enforce.

RecaptchaKey

The reCAPTCHA key config. reCAPTCHA Enterprise offers different keys for different client platforms.

Fields
key

string

The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}"

type

RecaptchaKeyClientType

The client's platform type.

RecaptchaKeyClientType

The different clients that reCAPTCHA Enterprise keys support.

Enums
CLIENT_TYPE_UNSPECIFIED Client type is not specified.
WEB Client type is web.
IOS Client type is iOS.
ANDROID Client type is Android.

RecaptchaManagedRule

The config for a reCAPTCHA managed rule. Models a single interval [start_score, end_score]. The start_score is implicit. It is either the closest smaller end_score (if one is available) or 0. Intervals in aggregate span [0, 1] without overlapping.

Fields
end_score

float

The end score (inclusive) of the score range for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, ... 0.9, 1.0. A score of 0.0 indicates the riskiest request (likely a bot), whereas 1.0 indicates the safest request (likely a human). See https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment.

action

RecaptchaAction

The action taken if the reCAPTCHA score of a request is within the interval [start_score, end_score].

RecaptchaAction

The actions for reCAPTCHA-protected requests.

Enums
RECAPTCHA_ACTION_UNSPECIFIED The reCAPTCHA action is not specified.
BLOCK The reCAPTCHA-protected request will be blocked.
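The interval model of RecaptchaManagedRule above, worked through as an added example (not code from the Identity Toolkit project). The dict layout and function names are hypothetical, and treating a score above the highest end_score as matching no rule is an assumption; the 11 allowed end_score values and the inclusive end_score come from the field descriptions.

```python
from decimal import Decimal

# The 11 discrete end_score values the field description allows: 0, 0.1, ... 1.0.
ALLOWED_END_SCORES = {Decimal(i) / 10 for i in range(11)}


def build_intervals(managed_rules):
    """Expand rules of the form {'end_score': .., 'action': ..} (hypothetical
    dict layout) into sorted (start_score, end_score, action) tuples, filling
    in the implicit start_score: the closest smaller end_score, or 0."""
    seen, rules = set(), []
    for rule in managed_rules:
        end = Decimal(str(rule["end_score"]))
        if end not in ALLOWED_END_SCORES:
            raise ValueError(f"end_score {end} is not one of the 11 allowed values")
        if end in seen:
            raise ValueError(f"duplicate end_score {end}: intervals would overlap")
        seen.add(end)
        rules.append((end, rule["action"]))
    rules.sort()
    intervals, start = [], Decimal("0")
    for end, action in rules:
        intervals.append((start, end, action))
        start = end
    return intervals


def action_for(score, managed_rules):
    """Return the action whose interval contains the score, or None.

    end_score is inclusive, so a score equal to a boundary belongs to the
    lower interval. Assumption: a score above the highest end_score matches
    no rule and the request is not acted on."""
    s = Decimal(str(score))
    if not Decimal("0") <= s <= Decimal("1"):
        raise ValueError("reCAPTCHA scores lie within [0, 1]")
    for _start, end, action in build_intervals(managed_rules):
        if s <= end:
            return action
    return None


# Constructed sample: block the riskiest requests (scores 0.0 through 0.3).
SAMPLE_RULES = [{"end_score": 0.3, "action": "BLOCK"}]

if __name__ == "__main__":
    for score in (0.0, 0.3, 0.4, 1.0):
        print(score, action_for(score, SAMPLE_RULES))
```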

SignInConfig

Configuration related to local sign in methods.

Fields
email

Email

Configuration options related to authenticating a user by their email address.

phone_number

PhoneNumber

Configuration options related to authenticating a user by their phone number.

anonymous

Anonymous

Configuration options related to authenticating an anonymous user.

allow_duplicate_emails

bool

Whether to allow more than one account to have the same email.

hash_config

HashConfig

Output only. Hash config information.

Anonymous

Configuration options related to authenticating an anonymous user.

Fields
enabled

bool

Whether anonymous user auth is enabled for the project or not.

Email

Configuration options related to authenticating a user by their email address.

Fields
enabled

bool

Whether email auth is enabled for the project or not.

password_required

bool

Whether a password is required for email auth or not. If true, both an email and password must be provided to sign in. If false, a user may sign in via either email/password or email link.

PhoneNumber

Configuration options related to authenticating a user by their phone number.

Fields
enabled

bool

Whether phone number auth is enabled for the project or not.

test_phone_numbers

map<string, string>

A map of <test phone number, fake code> that can be used for phone auth testing.

SmsRegionConfig

Configures the regions where users are allowed to send verification SMS for the project or tenant. This is based on the calling code of the destination phone number.

Fields
Union field sms_region_policy. A policy for where users are allowed to send verification SMS. This can be to allow all regions by default or to allow regions only by explicit allowlist. sms_region_policy can be only one of the following:
allow_by_default

AllowByDefault

A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list.

allowlist_only

AllowlistOnly

A policy of only allowing regions by explicitly adding them to an allowlist.

AllowByDefault

Defines a policy of allowing every region by default and adding disallowed regions to a disallow list.

Fields
disallowed_regions[]

string

Two-letter Unicode region codes to disallow, as defined by https://cldr.unicode.org/. The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json

AllowlistOnly

Defines a policy of only allowing regions by explicitly adding them to an allowlist.

Fields
allowed_regions[]

string

Two-letter Unicode region codes to allow, as defined by https://cldr.unicode.org/. The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json

SpCertificate

The SP's certificate data for IDP to verify the SAMLRequest generated by the SP.

Fields
x509_certificate

string

Self-signed public certificate.

expires_at

Timestamp

Timestamp of the cert expiration instance.

Tenant

A Tenant contains configuration for the tenant in a multi-tenant project.

Fields
name

string

Output only. Resource name of a tenant. For example: "projects/{project-id}/tenants/{tenant-id}"

display_name

string

Display name of the tenant.

allow_password_signup

bool

Whether to allow email/password user authentication.

disable_auth

bool

Whether authentication is disabled for the tenant. If true, the users under the disabled tenant are not allowed to sign in. Admins of the disabled tenant are not able to manage its users.

hash_config

HashConfig

Output only. Hash config information of a tenant for display on Pantheon. This can only be displayed on Pantheon, to avoid accidentally leaking the sensitive information. Only returned in the GetTenant response to restrict reading of this information. Requires the firebaseauth.configs.getHashConfig permission on the agent project for returning this field.

enable_anonymous_user

bool

Whether to enable anonymous user authentication.

mfa_config

MultiFactorAuthConfig

The tenant-level configuration of MFA options.

test_phone_numbers

map<string, string>

A map of <test phone number, fake code> pairs that can be used for MFA. The phone number should be in E.164 format (https://www.itu.int/rec/T-REC-E.164/) and a maximum of 10 pairs can be added (error will be thrown once exceeded).

inheritance

Inheritance

Specify the settings that the tenant could inherit.

recaptcha_config

RecaptchaConfig

The tenant-level reCAPTCHA config.

sms_region_config

SmsRegionConfig

Configures which regions are enabled for SMS verification code sending.

autodelete_anonymous_users

bool

Whether anonymous users will be auto-deleted after a period of 30 days.

monitoring

MonitoringConfig

Configuration related to monitoring project activity.

password_policy_config

PasswordPolicyConfig

The tenant-level password policy config

email_privacy_config

EmailPrivacyConfig

Configuration for settings related to email privacy and public visibility.

client

ClientPermissionConfig

Options related to how clients making requests on behalf of a project should be configured.

TotpMfaProviderConfig

TotpMfaProviderConfig represents the TOTP-based MFA provider.

Fields
adjacent_intervals

int32

The allowed number of adjacent intervals that will be used for verification to avoid clock skew.
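What adjacent_intervals trades off, as an added example (not the service's own verification code): an RFC 6238 verifier that accepts the current time step plus a number of neighbouring steps. The 30-second step, HMAC-SHA1, 6 digits and a symmetric window are assumptions, since the page states none of them; the secret is the RFC 4226/6238 test secret.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed RFC 6238 default time step; not stated on this page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret, code, unix_time, adjacent_intervals, digits=6):
    """Return the step offset (0 = current step) at which the code matches,
    or None. Assumption: the window is symmetric, checking adjacent_intervals
    steps before and after the verifier's current step."""
    if adjacent_intervals < 0:
        raise ValueError("adjacent_intervals must not be negative")
    current = unix_time // STEP_SECONDS
    matched = None
    # Check every candidate without early exit so timing does not depend
    # on which step matched.
    for offset in range(-adjacent_intervals, adjacent_intervals + 1):
        counter = current + offset
        if counter < 0:
            continue
        candidate = hotp(secret, counter, digits)
        if hmac.compare_digest(candidate.encode(), code.encode()) and matched is None:
            matched = offset
    return matched


def accepted_window_seconds(adjacent_intervals: int) -> int:
    """Total time span in which one code stays valid under the symmetric
    assumption: each extra interval lengthens the replay window."""
    return (2 * adjacent_intervals + 1) * STEP_SECONDS


RFC_TEST_SECRET = b"12345678901234567890"  # public test secret from RFC 4226/6238

if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)               # generated in step 1
    print(verify_totp(RFC_TEST_SECRET, code, 89, 0))  # verifier is in step 2
    print(verify_totp(RFC_TEST_SECRET, code, 89, 1))
    print(accepted_window_seconds(1))
```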

UpdateConfigRequest

Request for UpdateConfig

Fields
config

Config

The config resource which replaces the resource on the server.

Authorization requires the following IAM permission on the specified resource config:

  • firebaseauth.configs.update

update_mask

FieldMask

The update mask applies to the resource. Fields set in the config but not included in this update mask will be ignored. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

UpdateDefaultSupportedIdpConfigRequest

Request for UpdateDefaultSupportedIdpConfig

Fields
default_supported_idp_config

DefaultSupportedIdpConfig

The config resource which replaces the resource on the server.

Authorization requires the following IAM permission on the specified resource defaultSupportedIdpConfig:

  • firebaseauth.configs.update

update_mask

FieldMask

The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

UpdateInboundSamlConfigRequest

Request for UpdateInboundSamlConfig

Fields
inbound_saml_config

InboundSamlConfig

The config resource which replaces the resource on the server.

Authorization requires the following IAM permission on the specified resource inboundSamlConfig:

  • firebaseauth.configs.update

update_mask

FieldMask

The update mask applies to the resource. Empty update mask will result in updating nothing. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

UpdateOAuthIdpConfigRequest

Request for UpdateOAuthIdpConfig

Fields
oauth_idp_config

OAuthIdpConfig

The config resource which replaces the resource on the server.

Authorization requires the following IAM permission on the specified resource oauthIdpConfig:

  • firebaseauth.configs.update

update_mask

FieldMask

The update mask applies to the resource. Empty update mask will result in updating nothing. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

UpdateTenantRequest

Request message for UpdateTenant.

Fields
tenant

Tenant

Required. Tenant to be updated.

Authorization requires the following IAM permission on the specified resource tenant:

  • identitytoolkit.tenants.update

update_mask

FieldMask

If provided, only update fields set in the update mask. Otherwise, all settable fields will be updated. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
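The update_mask wording differs between the Update*Request messages above, and the difference matters when a partial body is sent. This added example (a local model, not the service's implementation) applies a mask to plain dicts under both stated empty-mask behaviours; clearing a masked field that the body does not carry is assumed from general FieldMask update semantics, and the sample tenant is constructed.

```python
import copy

UPDATE_NOTHING = "update_nothing"  # UpdateInboundSamlConfig / UpdateOAuthIdpConfig wording
UPDATE_ALL = "update_all"          # UpdateTenant wording when no mask is provided


def _lookup(resource, path):
    """Return (found, value) for a dotted path such as 'mfa_config.state'."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def _assign(resource, path, found, value):
    """Set a dotted path, or clear it when the request body carried no value
    (assumed FieldMask behaviour; the page does not spell this out)."""
    keys = path.split(".")
    node = resource
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    if found:
        node[keys[-1]] = copy.deepcopy(value)
    else:
        node.pop(keys[-1], None)


def apply_update(stored, body, update_mask, empty_mask=UPDATE_NOTHING):
    """Return the resource as it would look after the update.

    Fields set in the body but absent from the mask are ignored. With an
    empty mask the result depends on the request type's documented wording."""
    result = copy.deepcopy(stored)
    if not update_mask:
        if empty_mask == UPDATE_NOTHING:
            return result
        # "all settable fields will be updated": every top-level field.
        update_mask = sorted(set(stored) | set(body))
    for path in update_mask:
        found, value = _lookup(body, path)
        _assign(result, path, found, value)
    return result


# Constructed sample tenant with mandatory MFA.
STORED_TENANT = {
    "display_name": "Acme",
    "allow_password_signup": True,
    "mfa_config": {"state": "MANDATORY", "enabled_providers": ["PHONE_SMS"]},
}

if __name__ == "__main__":
    rename = {"display_name": "Acme EU"}
    print(apply_update(STORED_TENANT, rename, ["display_name"]))
    # Same body without a mask, UpdateTenant-style: mfa_config is not preserved.
    print(apply_update(STORED_TENANT, rename, [], UPDATE_ALL))
```

Sending an explicit update_mask with every tenant update keeps a rename from also resetting mfa_config or other security settings the body did not mention.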

VerifyDomainRequest

Request message to verify the requested custom domain has required DNS records.

Fields
resource

string

The name of the resource to verify the domain of. This method currently accepts verifying domains for either projects (example 'projects/my-awesome-project') or tenants (example 'projects/my-awesome-project/tenants/my-awesome-tenant').

Authorization requires the following IAM permission on the specified resource resource:

  • firebaseauth.configs.update

domain

string

The target domain of this request.

action

DomainVerificationAction

The action being attempted on the given domain.

DomainVerificationAction

The action being attempted on the given domain.

Enums
DOMAIN_VERIFICATION_ACTION_UNSPECIFIED Default value. Do not use.
VERIFY Verify the domain in request.
CANCEL Cancel the current verification process.
APPLY Apply the custom domain in email sending.

VerifyDomainResponse

Response for VerifyDomain request.

Fields
verification_state

VerificationState

The resulting state for the given domain after this request is processed.

verification_error

string

When applicable, a textual explanation for why the domain wasn't able to be verified.