Documentation ¶
Overview ¶
Package auth contains functions for minting custom authentication tokens, verifying Firebase ID tokens, and managing users in a Firebase project.
Index ¶
- func IsCertificateFetchFailed(err error) bool
- func IsConfigurationNotFound(err error) bool
- func IsEmailAlreadyExists(err error) bool
- func IsEmailNotFound(err error) bool
- func IsIDTokenExpired(err error) bool
- func IsIDTokenInvalid(err error) bool
- func IsIDTokenRevoked(err error) bool
- func IsInsufficientPermission(err error) bool
- func IsInvalidDynamicLinkDomain(err error) bool
- func IsInvalidEmail(err error) bool
- func IsPhoneNumberAlreadyExists(err error) bool
- func IsProjectNotFound(err error) bool
- func IsSessionCookieExpired(err error) bool
- func IsSessionCookieInvalid(err error) bool
- func IsSessionCookieRevoked(err error) bool
- func IsTenantIDMismatch(err error) bool
- func IsTenantNotFound(err error) bool
- func IsUIDAlreadyExists(err error) bool
- func IsUnauthorizedContinueURI(err error) bool
- func IsUnknown(err error) bool
- func IsUserDisabled(err error) bool
- func IsUserNotFound(err error) bool
- type ActionCodeSettings
- type Client
- func (c Client) CreateOIDCProviderConfig(ctx context.Context, config *OIDCProviderConfigToCreate) (*OIDCProviderConfig, error)
- func (c Client) CreateSAMLProviderConfig(ctx context.Context, config *SAMLProviderConfigToCreate) (*SAMLProviderConfig, error)
- func (c Client) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)
- func (c Client) CustomToken(ctx context.Context, uid string) (string, error)
- func (c Client) CustomTokenWithClaims(ctx context.Context, uid string, devClaims map[string]interface{}) (string, error)
- func (c Client) DeleteOIDCProviderConfig(ctx context.Context, id string) error
- func (c Client) DeleteSAMLProviderConfig(ctx context.Context, id string) error
- func (c Client) DeleteUser(ctx context.Context, uid string) error
- func (c Client) DeleteUsers(ctx context.Context, uids []string) (*DeleteUsersResult, error)
- func (c Client) EmailSignInLink(ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
- func (c Client) EmailVerificationLink(ctx context.Context, email string) (string, error)
- func (c Client) EmailVerificationLinkWithSettings(ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
- func (c Client) GetUser(ctx context.Context, uid string) (*UserRecord, error)
- func (c Client) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)
- func (c Client) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)
- func (c Client) GetUserByProviderID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
- func (c Client) GetUserByProviderUID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
- func (c Client) GetUsers(ctx context.Context, identifiers []UserIdentifier) (*GetUsersResult, error)
- func (c Client) ImportUsers(ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)
- func (c Client) OIDCProviderConfig(ctx context.Context, id string) (*OIDCProviderConfig, error)
- func (c Client) OIDCProviderConfigs(ctx context.Context, nextPageToken string) *OIDCProviderConfigIterator
- func (c Client) PasswordResetLink(ctx context.Context, email string) (string, error)
- func (c Client) PasswordResetLinkWithSettings(ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
- func (c Client) RevokeRefreshTokens(ctx context.Context, uid string) error
- func (c Client) SAMLProviderConfig(ctx context.Context, id string) (*SAMLProviderConfig, error)
- func (c Client) SAMLProviderConfigs(ctx context.Context, nextPageToken string) *SAMLProviderConfigIterator
- func (c *Client) SessionCookie(ctx context.Context, idToken string, expiresIn time.Duration) (string, error)
- func (c Client) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error
- func (c Client) UpdateOIDCProviderConfig(ctx context.Context, id string, config *OIDCProviderConfigToUpdate) (*OIDCProviderConfig, error)
- func (c Client) UpdateSAMLProviderConfig(ctx context.Context, id string, config *SAMLProviderConfigToUpdate) (*SAMLProviderConfig, error)
- func (c Client) UpdateUser(ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)
- func (c Client) Users(ctx context.Context, nextPageToken string) *UserIterator
- func (c Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, error)
- func (c Client) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error)
- func (c *Client) VerifySessionCookie(ctx context.Context, sessionCookie string) (*Token, error)
- func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, sessionCookie string) (*Token, error)
- type DeleteUsersErrorInfo
- type DeleteUsersResult
- type EmailIdentifier
- type ErrorInfo
- type ExportedUserRecord
- type FirebaseInfo
- type GetUsersResult
- type MultiFactorInfo
- type MultiFactorSettings
- type OIDCProviderConfig
- type OIDCProviderConfigIterator
- type OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) ClientID(clientID string) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) ClientSecret(secret string) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) CodeResponseType(enabled bool) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) DisplayName(name string) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) Enabled(enabled bool) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) ID(id string) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) IDTokenResponseType(enabled bool) *OIDCProviderConfigToCreate
- func (config *OIDCProviderConfigToCreate) Issuer(issuer string) *OIDCProviderConfigToCreate
- type OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) ClientID(clientID string) *OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) ClientSecret(secret string) *OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) CodeResponseType(enabled bool) *OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) DisplayName(name string) *OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) Enabled(enabled bool) *OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) IDTokenResponseType(enabled bool) *OIDCProviderConfigToUpdate
- func (config *OIDCProviderConfigToUpdate) Issuer(issuer string) *OIDCProviderConfigToUpdate
- type PhoneIdentifier
- type ProviderIdentifier
- type SAMLProviderConfig
- type SAMLProviderConfigIterator
- type SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) CallbackURL(url string) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) DisplayName(name string) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) Enabled(enabled bool) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) ID(id string) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) IDPEntityID(entityID string) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) RPEntityID(entityID string) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) RequestSigningEnabled(enabled bool) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) SSOURL(url string) *SAMLProviderConfigToCreate
- func (config *SAMLProviderConfigToCreate) X509Certificates(certs []string) *SAMLProviderConfigToCreate
- type SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) CallbackURL(url string) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) DisplayName(name string) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) Enabled(enabled bool) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) IDPEntityID(entityID string) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) RPEntityID(entityID string) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) RequestSigningEnabled(enabled bool) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) SSOURL(url string) *SAMLProviderConfigToUpdate
- func (config *SAMLProviderConfigToUpdate) X509Certificates(certs []string) *SAMLProviderConfigToUpdate
- type Tenant
- type TenantClient
- func (c TenantClient) CreateOIDCProviderConfig(ctx context.Context, config *OIDCProviderConfigToCreate) (*OIDCProviderConfig, error)
- func (c TenantClient) CreateSAMLProviderConfig(ctx context.Context, config *SAMLProviderConfigToCreate) (*SAMLProviderConfig, error)
- func (c TenantClient) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)
- func (c TenantClient) CustomToken(ctx context.Context, uid string) (string, error)
- func (c TenantClient) CustomTokenWithClaims(ctx context.Context, uid string, devClaims map[string]interface{}) (string, error)
- func (c TenantClient) DeleteOIDCProviderConfig(ctx context.Context, id string) error
- func (c TenantClient) DeleteSAMLProviderConfig(ctx context.Context, id string) error
- func (c TenantClient) DeleteUser(ctx context.Context, uid string) error
- func (c TenantClient) DeleteUsers(ctx context.Context, uids []string) (*DeleteUsersResult, error)
- func (c TenantClient) EmailSignInLink(ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
- func (c TenantClient) EmailVerificationLink(ctx context.Context, email string) (string, error)
- func (c TenantClient) EmailVerificationLinkWithSettings(ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
- func (c TenantClient) GetUser(ctx context.Context, uid string) (*UserRecord, error)
- func (c TenantClient) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)
- func (c TenantClient) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)
- func (c TenantClient) GetUserByProviderID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
- func (c TenantClient) GetUserByProviderUID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
- func (c TenantClient) GetUsers(ctx context.Context, identifiers []UserIdentifier) (*GetUsersResult, error)
- func (c TenantClient) ImportUsers(ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)
- func (c TenantClient) OIDCProviderConfig(ctx context.Context, id string) (*OIDCProviderConfig, error)
- func (c TenantClient) OIDCProviderConfigs(ctx context.Context, nextPageToken string) *OIDCProviderConfigIterator
- func (c TenantClient) PasswordResetLink(ctx context.Context, email string) (string, error)
- func (c TenantClient) PasswordResetLinkWithSettings(ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
- func (c TenantClient) RevokeRefreshTokens(ctx context.Context, uid string) error
- func (c TenantClient) SAMLProviderConfig(ctx context.Context, id string) (*SAMLProviderConfig, error)
- func (c TenantClient) SAMLProviderConfigs(ctx context.Context, nextPageToken string) *SAMLProviderConfigIterator
- func (c TenantClient) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error
- func (tc *TenantClient) TenantID() string
- func (c TenantClient) UpdateOIDCProviderConfig(ctx context.Context, id string, config *OIDCProviderConfigToUpdate) (*OIDCProviderConfig, error)
- func (c TenantClient) UpdateSAMLProviderConfig(ctx context.Context, id string, config *SAMLProviderConfigToUpdate) (*SAMLProviderConfig, error)
- func (c TenantClient) UpdateUser(ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)
- func (c TenantClient) Users(ctx context.Context, nextPageToken string) *UserIterator
- func (c TenantClient) VerifyIDToken(ctx context.Context, idToken string) (*Token, error)
- func (c TenantClient) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error)
- type TenantIterator
- type TenantManager
- func (tm *TenantManager) AuthForTenant(tenantID string) (*TenantClient, error)
- func (tm *TenantManager) CreateTenant(ctx context.Context, tenant *TenantToCreate) (*Tenant, error)
- func (tm *TenantManager) DeleteTenant(ctx context.Context, tenantID string) error
- func (tm *TenantManager) Tenant(ctx context.Context, tenantID string) (*Tenant, error)
- func (tm *TenantManager) Tenants(ctx context.Context, nextPageToken string) *TenantIterator
- func (tm *TenantManager) UpdateTenant(ctx context.Context, tenantID string, tenant *TenantToUpdate) (*Tenant, error)
- type TenantToCreate
- type TenantToUpdate
- type Token
- type UIDIdentifier
- type UserIdentifier
- type UserImportHash
- type UserImportOption
- type UserImportResult
- type UserInfo
- type UserIterator
- type UserMetadata
- type UserProvider
- type UserRecord
- type UserToCreate
- func (u *UserToCreate) Disabled(disabled bool) *UserToCreate
- func (u *UserToCreate) DisplayName(name string) *UserToCreate
- func (u *UserToCreate) Email(email string) *UserToCreate
- func (u *UserToCreate) EmailVerified(verified bool) *UserToCreate
- func (u *UserToCreate) Password(pw string) *UserToCreate
- func (u *UserToCreate) PhoneNumber(phone string) *UserToCreate
- func (u *UserToCreate) PhotoURL(url string) *UserToCreate
- func (u *UserToCreate) UID(uid string) *UserToCreate
- type UserToImport
- func (u *UserToImport) CustomClaims(claims map[string]interface{}) *UserToImport
- func (u *UserToImport) Disabled(disabled bool) *UserToImport
- func (u *UserToImport) DisplayName(displayName string) *UserToImport
- func (u *UserToImport) Email(email string) *UserToImport
- func (u *UserToImport) EmailVerified(emailVerified bool) *UserToImport
- func (u *UserToImport) Metadata(metadata *UserMetadata) *UserToImport
- func (u *UserToImport) PasswordHash(password []byte) *UserToImport
- func (u *UserToImport) PasswordSalt(salt []byte) *UserToImport
- func (u *UserToImport) PhoneNumber(phoneNumber string) *UserToImport
- func (u *UserToImport) PhotoURL(url string) *UserToImport
- func (u *UserToImport) ProviderData(providers []*UserProvider) *UserToImport
- func (u *UserToImport) UID(uid string) *UserToImport
- type UserToUpdate
- func (u *UserToUpdate) CustomClaims(claims map[string]interface{}) *UserToUpdate
- func (u *UserToUpdate) Disabled(disabled bool) *UserToUpdate
- func (u *UserToUpdate) DisplayName(name string) *UserToUpdate
- func (u *UserToUpdate) Email(email string) *UserToUpdate
- func (u *UserToUpdate) EmailVerified(verified bool) *UserToUpdate
- func (u *UserToUpdate) Password(pw string) *UserToUpdate
- func (u *UserToUpdate) PhoneNumber(phone string) *UserToUpdate
- func (u *UserToUpdate) PhotoURL(url string) *UserToUpdate
- func (u *UserToUpdate) ProviderToLink(userProvider *UserProvider) *UserToUpdate
- func (u *UserToUpdate) ProvidersToDelete(providerIds []string) *UserToUpdate
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IsCertificateFetchFailed ¶
IsCertificateFetchFailed checks if the given error was caused by a failure to fetch public key certificates required to verify a JWT.
func IsConfigurationNotFound ¶
IsConfigurationNotFound checks if the given error was due to a non-existing IdP configuration.
func IsEmailAlreadyExists ¶
IsEmailAlreadyExists checks if the given error was due to a duplicate email.
func IsEmailNotFound ¶
IsEmailNotFound checks if the given error was due to the user record corresponding to the email not being found.
func IsIDTokenExpired ¶
IsIDTokenExpired checks if the given error was due to an expired ID token.
When IsIDTokenExpired returns true, IsIDTokenInvalid is guranteed to return true.
func IsIDTokenInvalid ¶
IsIDTokenInvalid checks if the given error was due to an invalid ID token.
An ID token is considered invalid when it is malformed (i.e. contains incorrect data), expired or revoked.
func IsIDTokenRevoked ¶
IsIDTokenRevoked checks if the given error was due to a revoked ID token.
When IsIDTokenRevoked returns true, IsIDTokenInvalid is guaranteed to return true.
func IsInsufficientPermission ¶
IsInsufficientPermission checks if the given error was due to insufficient permissions.
Deprecated. Always returns false.
func IsInvalidDynamicLinkDomain ¶
IsInvalidDynamicLinkDomain checks if the given error was due to an invalid dynamic link domain.
func IsInvalidEmail ¶
IsInvalidEmail checks if the given error was due to an invalid email.
Deprecated. Always returns false.
func IsPhoneNumberAlreadyExists ¶
IsPhoneNumberAlreadyExists checks if the given error was due to a duplicate phone number.
func IsProjectNotFound ¶
IsProjectNotFound checks if the given error was due to a non-existing project.
Deprecated. Always returns false.
func IsSessionCookieExpired ¶
IsSessionCookieExpired checks if the given error was due to an expired session cookie.
When IsSessionCookieExpired returns true, IsSessionCookieInvalid is guranteed to return true.
func IsSessionCookieInvalid ¶
IsSessionCookieInvalid checks if the given error was due to an invalid session cookie.
A session cookie is considered invalid when it is malformed (i.e. contains incorrect data), expired or revoked.
func IsSessionCookieRevoked ¶
IsSessionCookieRevoked checks if the given error was due to a revoked session cookie.
When IsSessionCookieRevoked returns true, IsSessionCookieInvalid is guaranteed to return true.
func IsTenantIDMismatch ¶
IsTenantIDMismatch checks if the given error was due to a mismatched tenant ID in a JWT.
func IsTenantNotFound ¶
IsTenantNotFound checks if the given error was due to a non-existing tenant ID.
func IsUIDAlreadyExists ¶
IsUIDAlreadyExists checks if the given error was due to a duplicate uid.
func IsUnauthorizedContinueURI ¶
IsUnauthorizedContinueURI checks if the given error was due to an unauthorized continue URI domain.
func IsUnknown ¶
IsUnknown checks if the given error was due to a unknown server error.
Deprecated. Always returns false.
func IsUserDisabled ¶
IsUserDisabled checks if the given error was due to a disabled ID token
When IsUserDisabled returns true, IsIDTokenInvalid is guaranteed to return true.
func IsUserNotFound ¶
IsUserNotFound checks if the given error was due to non-existing user.
Types ¶
type ActionCodeSettings ¶
type ActionCodeSettings struct { URL string `json:"continueUrl"` HandleCodeInApp bool `json:"canHandleCodeInApp"` IOSBundleID string `json:"iOSBundleId,omitempty"` AndroidPackageName string `json:"androidPackageName,omitempty"` AndroidMinimumVersion string `json:"androidMinimumVersion,omitempty"` AndroidInstallApp bool `json:"androidInstallApp,omitempty"` DynamicLinkDomain string `json:"dynamicLinkDomain,omitempty"` }
ActionCodeSettings specifies the required continue/state URL with optional Android and iOS settings. Used when invoking the email action link generation APIs.
type Client ¶
type Client struct { TenantManager *TenantManager // contains filtered or unexported fields }
Client is the interface for the Firebase auth service.
Client facilitates generating custom JWT tokens for Firebase clients, and verifying ID tokens issued by Firebase backend services.
func NewClient ¶
NewClient creates a new instance of the Firebase Auth Client.
This function can only be invoked from within the SDK. Client applications should access the Auth service through firebase.App.
func (Client) CreateOIDCProviderConfig ¶
func (c Client) CreateOIDCProviderConfig(ctx context.Context, config *OIDCProviderConfigToCreate) (*OIDCProviderConfig, error)
CreateOIDCProviderConfig creates a new OIDC provider config from the given parameters.
func (Client) CreateSAMLProviderConfig ¶
func (c Client) CreateSAMLProviderConfig(ctx context.Context, config *SAMLProviderConfigToCreate) (*SAMLProviderConfig, error)
CreateSAMLProviderConfig creates a new SAML provider config from the given parameters.
func (Client) CreateUser ¶
func (c Client) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)
CreateUser creates a new user with the specified properties.
func (Client) CustomToken ¶
CustomToken creates a signed custom authentication token with the specified user ID.
The resulting JWT can be used in a Firebase client SDK to trigger an authentication flow. See https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients for more details on how to use custom tokens for client authentication.
CustomToken follows the protocol outlined below to sign the generated tokens:
- If the SDK was initialized with service account credentials, uses the private key present in the credentials to sign tokens locally.
- If a service account email was specified during initialization (via firebase.Config struct), calls the IAMCredentials service with that email to sign tokens remotely. See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob.
- If the code is deployed in the Google App Engine standard environment, uses the App Identity service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
- If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine), uses the local Metadata server to auto discover a service account email. This is used in conjunction with the IAM service to sign tokens remotely.
CustomToken returns an error the SDK fails to discover a viable mechanism for signing tokens.
func (Client) CustomTokenWithClaims ¶
func (c Client) CustomTokenWithClaims(ctx context.Context, uid string, devClaims map[string]interface{}) (string, error)
CustomTokenWithClaims is similar to CustomToken, but in addition to the user ID, it also encodes all the key-value pairs in the provided map as claims in the resulting JWT.
func (Client) DeleteOIDCProviderConfig ¶
DeleteOIDCProviderConfig deletes the OIDCProviderConfig with the given ID.
func (Client) DeleteSAMLProviderConfig ¶
DeleteSAMLProviderConfig deletes the SAMLProviderConfig with the given ID.
func (Client) DeleteUser ¶
DeleteUser deletes the user by the given UID.
func (Client) DeleteUsers ¶
func (c Client) DeleteUsers(ctx context.Context, uids []string) (*DeleteUsersResult, error)
DeleteUsers deletes the users specified by the given identifiers.
Deleting a non-existing user won't generate an error. (i.e. this method is idempotent.) Non-existing users are considered to be successfully deleted, and are therefore counted in the DeleteUsersResult.SuccessCount value.
A maximum of 1000 identifiers may be supplied. If more than 1000 identifiers are supplied, this method returns an error.
This API is currently rate limited at the server to 1 QPS. If you exceed this, you may get a quota exceeded error. Therefore, if you want to delete more than 1000 users, you may need to add a delay to ensure you don't go over this limit.
Returns the total number of successful/failed deletions, as well as the array of errors that correspond to the failed deletions. An error is returned if any of the identifiers are invalid or if more than 1000 identifiers are specified.
func (Client) EmailSignInLink ¶
func (c Client) EmailSignInLink( ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
EmailSignInLink generates the out-of-band email action link for email link sign-in flows, using the action code settings provided.
func (Client) EmailVerificationLink ¶
EmailVerificationLink generates the out-of-band email action link for email verification flows for the specified email address.
func (Client) EmailVerificationLinkWithSettings ¶
func (c Client) EmailVerificationLinkWithSettings( ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
EmailVerificationLinkWithSettings generates the out-of-band email action link for email verification flows for the specified email address, using the action code settings provided.
func (Client) GetUser ¶
func (c Client) GetUser(ctx context.Context, uid string) (*UserRecord, error)
GetUser gets the user data corresponding to the specified user ID.
func (Client) GetUserByEmail ¶
func (c Client) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)
GetUserByEmail gets the user data corresponding to the specified email.
func (Client) GetUserByPhoneNumber ¶
func (c Client) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)
GetUserByPhoneNumber gets the user data corresponding to the specified user phone number.
func (Client) GetUserByProviderID ¶
func (c Client) GetUserByProviderID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
GetUserByProviderID is an alias for GetUserByProviderUID.
Deprecated. Use GetUserByProviderUID instead.
func (Client) GetUserByProviderUID ¶
func (c Client) GetUserByProviderUID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
GetUserByProviderUID gets the user data for the user corresponding to a given provider ID.
See https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data for code samples and detailed documentation.
`providerID` indicates the provider, such as 'google.com' for the Google provider. `providerUID` is the user identifier for the given provider.
func (Client) GetUsers ¶
func (c Client) GetUsers( ctx context.Context, identifiers []UserIdentifier, ) (*GetUsersResult, error)
GetUsers returns the user data corresponding to the specified identifiers.
There are no ordering guarantees; in particular, the nth entry in the users result list is not guaranteed to correspond to the nth entry in the input parameters list.
A maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied, this method returns an error.
Returns the corresponding user records. An error is returned instead if any of the identifiers are invalid or if more than 100 identifiers are specified.
func (Client) ImportUsers ¶
func (c Client) ImportUsers( ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)
ImportUsers imports an array of users to Firebase Auth.
No more than 1000 users can be imported in a single call. If at least one user specifies a password, a UserImportHash must be specified as an option.
func (Client) OIDCProviderConfig ¶
func (c Client) OIDCProviderConfig(ctx context.Context, id string) (*OIDCProviderConfig, error)
OIDCProviderConfig returns the OIDCProviderConfig with the given ID.
func (Client) OIDCProviderConfigs ¶
func (c Client) OIDCProviderConfigs(ctx context.Context, nextPageToken string) *OIDCProviderConfigIterator
OIDCProviderConfigs returns an iterator over OIDC provider configurations.
If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.
func (Client) PasswordResetLink ¶
PasswordResetLink generates the out-of-band email action link for password reset flows for the specified email address.
func (Client) PasswordResetLinkWithSettings ¶
func (c Client) PasswordResetLinkWithSettings( ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
PasswordResetLinkWithSettings generates the out-of-band email action link for password reset flows for the specified email address, using the action code settings provided.
func (Client) RevokeRefreshTokens ¶
RevokeRefreshTokens revokes all refresh tokens issued to a user.
RevokeRefreshTokens updates the user's TokensValidAfterMillis to the current UTC second. It is important that the server on which this is called has its clock set correctly and synchronized.
While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use `verifyIdTokenAndCheckRevoked(ctx, idToken)`.
func (Client) SAMLProviderConfig ¶
func (c Client) SAMLProviderConfig(ctx context.Context, id string) (*SAMLProviderConfig, error)
SAMLProviderConfig returns the SAMLProviderConfig with the given ID.
func (Client) SAMLProviderConfigs ¶
func (c Client) SAMLProviderConfigs(ctx context.Context, nextPageToken string) *SAMLProviderConfigIterator
SAMLProviderConfigs returns an iterator over SAML provider configurations.
If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.
func (*Client) SessionCookie ¶
func (c *Client) SessionCookie( ctx context.Context, idToken string, expiresIn time.Duration, ) (string, error)
SessionCookie creates a new Firebase session cookie from the given ID token and expiry duration. The returned JWT can be set as a server-side session cookie with a custom cookie policy. Expiry duration must be at least 5 minutes but may not exceed 14 days.
func (Client) SetCustomUserClaims ¶
func (c Client) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error
SetCustomUserClaims sets additional claims on an existing user account.
Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user's ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger then 1000 characters when serialized into a JSON string.
func (Client) UpdateOIDCProviderConfig ¶
func (c Client) UpdateOIDCProviderConfig(ctx context.Context, id string, config *OIDCProviderConfigToUpdate) (*OIDCProviderConfig, error)
UpdateOIDCProviderConfig updates an existing OIDC provider config with the given parameters.
func (Client) UpdateSAMLProviderConfig ¶
func (c Client) UpdateSAMLProviderConfig(ctx context.Context, id string, config *SAMLProviderConfigToUpdate) (*SAMLProviderConfig, error)
UpdateSAMLProviderConfig updates an existing SAML provider config with the given parameters.
func (Client) UpdateUser ¶
func (c Client) UpdateUser( ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)
UpdateUser updates an existing user account with the specified properties.
func (Client) Users ¶
func (c Client) Users(ctx context.Context, nextPageToken string) *UserIterator
Users returns an iterator over Users.
If nextPageToken is empty, the iterator will start at the beginning. If the nextPageToken is not empty, the iterator starts after the token.
func (Client) VerifyIDToken ¶
VerifyIDToken verifies the signature and payload of the provided ID token.
VerifyIDToken accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients for more details on how to obtain an ID token in a client app.
In non-emulator mode, this function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.
This does not check whether or not the token has been revoked or disabled. Use `VerifyIDTokenAndCheckRevoked()` when a revocation check is needed.
func (Client) VerifyIDTokenAndCheckRevoked ¶
VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the token has not been revoked or disabled.
Unlike `VerifyIDToken()`, this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.
func (*Client) VerifySessionCookie ¶
VerifySessionCookie verifies the signature and payload of the provided Firebase session cookie.
VerifySessionCookie accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/manage-cookies for more details on how to obtain a session cookie.
In non-emulator mode, this function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.
This does not check whether or not the cookie has been revoked. Use `VerifySessionCookieAndCheckRevoked()` when a revocation check is needed.
func (*Client) VerifySessionCookieAndCheckRevoked ¶
func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, sessionCookie string) (*Token, error)
VerifySessionCookieAndCheckRevoked verifies the provided session cookie, and additionally checks that the cookie has not been revoked and the user has not been disabled.
Unlike `VerifySessionCookie()`, this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.
type DeleteUsersErrorInfo ¶
type DeleteUsersErrorInfo struct { Index int `json:"index,omitEmpty"` Reason string `json:"message,omitEmpty"` }
DeleteUsersErrorInfo represents an error encountered while deleting a user account.
The Index field corresponds to the index of the failed user in the uids array that was passed to DeleteUsers().
type DeleteUsersResult ¶
type DeleteUsersResult struct { // The number of users that were deleted successfully (possibly zero). Users // that did not exist prior to calling DeleteUsers() are considered to be // successfully deleted. SuccessCount int // The number of users that failed to be deleted (possibly zero). FailureCount int // A list of DeleteUsersErrorInfo instances describing the errors that were // encountered during the deletion. Length of this list is equal to the value // of FailureCount. Errors []*DeleteUsersErrorInfo }
A DeleteUsersResult represents the result of the DeleteUsers() call.
type EmailIdentifier ¶
type EmailIdentifier struct {
Email string
}
An EmailIdentifier is used for looking up an account by email.
See GetUsers function.
type ErrorInfo ¶
ErrorInfo represents an error encountered while importing a single user account.
The Index field corresponds to the index of the failed user in the users array that was passed to ImportUsers().
type ExportedUserRecord ¶
type ExportedUserRecord struct { *UserRecord PasswordHash string PasswordSalt string }
ExportedUserRecord is the returned user value used when listing all the users.
type FirebaseInfo ¶
type FirebaseInfo struct { SignInProvider string `json:"sign_in_provider"` Tenant string `json:"tenant"` Identities map[string]interface{} `json:"identities"` }
FirebaseInfo represents the information about the sign-in event, including which auth provider was used and provider-specific identity details.
This data is provided by the Firebase Auth service and is a reserved claim in the ID token.
type GetUsersResult ¶
type GetUsersResult struct { // Set of UserRecords corresponding to the set of users that were requested. // Only users that were found are listed here. The result set is unordered. Users []*UserRecord // Set of UserIdentifiers that were requested, but not found. NotFound []UserIdentifier }
A GetUsersResult represents the result of the GetUsers() API.
type MultiFactorInfo ¶
type MultiFactorInfo struct { UID string DisplayName string EnrollmentTimestamp int64 FactorID string PhoneNumber string }
MultiFactorInfo describes a user enrolled second phone factor.
type MultiFactorSettings ¶
type MultiFactorSettings struct {
EnrolledFactors []*MultiFactorInfo
}
MultiFactorSettings describes the multi-factor related user settings.
type OIDCProviderConfig ¶
type OIDCProviderConfig struct { ID string DisplayName string Enabled bool ClientID string Issuer string ClientSecret string CodeResponseType bool IDTokenResponseType bool }
OIDCProviderConfig is the OIDC auth provider configuration. See https://openid.net/specs/openid-connect-core-1_0-final.html.
type OIDCProviderConfigIterator ¶
type OIDCProviderConfigIterator struct {
// contains filtered or unexported fields
}
OIDCProviderConfigIterator is an iterator over OIDC provider configurations.
func (*OIDCProviderConfigIterator) Next ¶
func (it *OIDCProviderConfigIterator) Next() (*OIDCProviderConfig, error)
Next returns the next OIDCProviderConfig. The error value of iterator.Done is returned if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.
func (*OIDCProviderConfigIterator) PageInfo ¶
func (it *OIDCProviderConfigIterator) PageInfo() *iterator.PageInfo
PageInfo supports pagination.
type OIDCProviderConfigToCreate ¶
type OIDCProviderConfigToCreate struct {
// contains filtered or unexported fields
}
OIDCProviderConfigToCreate represents the options used to create a new OIDCProviderConfig.
func (*OIDCProviderConfigToCreate) ClientID ¶
func (config *OIDCProviderConfigToCreate) ClientID(clientID string) *OIDCProviderConfigToCreate
ClientID sets the client ID of the new config.
func (*OIDCProviderConfigToCreate) ClientSecret ¶
func (config *OIDCProviderConfigToCreate) ClientSecret(secret string) *OIDCProviderConfigToCreate
ClientSecret sets the client secret for the new provider. This is required for the code flow.
func (*OIDCProviderConfigToCreate) CodeResponseType ¶
func (config *OIDCProviderConfigToCreate) CodeResponseType(enabled bool) *OIDCProviderConfigToCreate
CodeResponseType sets whether to enable the code response flow for the new provider. By default, this is not enabled if no response type is specified. A client secret must be set for this response type. Having both the code and ID token response flows is currently not supported.
func (*OIDCProviderConfigToCreate) DisplayName ¶
func (config *OIDCProviderConfigToCreate) DisplayName(name string) *OIDCProviderConfigToCreate
DisplayName sets the DisplayName field of the new config.
func (*OIDCProviderConfigToCreate) Enabled ¶
func (config *OIDCProviderConfigToCreate) Enabled(enabled bool) *OIDCProviderConfigToCreate
Enabled enables or disables the new config.
func (*OIDCProviderConfigToCreate) ID ¶
func (config *OIDCProviderConfigToCreate) ID(id string) *OIDCProviderConfigToCreate
ID sets the provider ID of the new config.
func (*OIDCProviderConfigToCreate) IDTokenResponseType ¶
func (config *OIDCProviderConfigToCreate) IDTokenResponseType(enabled bool) *OIDCProviderConfigToCreate
IDTokenResponseType sets whether to enable the ID token response flow for the new provider. By default, this is enabled if no response type is specified. Having both the code and ID token response flows is currently not supported.
func (*OIDCProviderConfigToCreate) Issuer ¶
func (config *OIDCProviderConfigToCreate) Issuer(issuer string) *OIDCProviderConfigToCreate
Issuer sets the issuer of the new config.
type OIDCProviderConfigToUpdate ¶
type OIDCProviderConfigToUpdate struct {
// contains filtered or unexported fields
}
OIDCProviderConfigToUpdate represents the options used to update an existing OIDCProviderConfig.
func (*OIDCProviderConfigToUpdate) ClientID ¶
func (config *OIDCProviderConfigToUpdate) ClientID(clientID string) *OIDCProviderConfigToUpdate
ClientID updates the client ID of the config.
func (*OIDCProviderConfigToUpdate) ClientSecret ¶
func (config *OIDCProviderConfigToUpdate) ClientSecret(secret string) *OIDCProviderConfigToUpdate
ClientSecret sets the client secret for the provider. This is required for the code flow.
func (*OIDCProviderConfigToUpdate) CodeResponseType ¶
func (config *OIDCProviderConfigToUpdate) CodeResponseType(enabled bool) *OIDCProviderConfigToUpdate
CodeResponseType sets whether to enable the code response flow for the new provider. By default, this is not enabled if no response type is specified. A client secret must be set for this response type. Having both the code and ID token response flows is currently not supported.
func (*OIDCProviderConfigToUpdate) DisplayName ¶
func (config *OIDCProviderConfigToUpdate) DisplayName(name string) *OIDCProviderConfigToUpdate
DisplayName updates the DisplayName field of the config.
func (*OIDCProviderConfigToUpdate) Enabled ¶
func (config *OIDCProviderConfigToUpdate) Enabled(enabled bool) *OIDCProviderConfigToUpdate
Enabled enables or disables the config.
func (*OIDCProviderConfigToUpdate) IDTokenResponseType ¶
func (config *OIDCProviderConfigToUpdate) IDTokenResponseType(enabled bool) *OIDCProviderConfigToUpdate
IDTokenResponseType sets whether to enable the ID token response flow for the provider. By default, this is enabled if no response type is specified. Having both the code and ID token response flows is currently not supported.
func (*OIDCProviderConfigToUpdate) Issuer ¶
func (config *OIDCProviderConfigToUpdate) Issuer(issuer string) *OIDCProviderConfigToUpdate
Issuer updates the issuer of the config.
type PhoneIdentifier ¶
type PhoneIdentifier struct {
PhoneNumber string
}
A PhoneIdentifier is used for looking up an account by phone number.
See GetUsers function.
type ProviderIdentifier ¶
A ProviderIdentifier is used for looking up an account by federated provider.
See GetUsers function.
type SAMLProviderConfig ¶
type SAMLProviderConfig struct { ID string DisplayName string Enabled bool IDPEntityID string SSOURL string RequestSigningEnabled bool X509Certificates []string RPEntityID string CallbackURL string }
SAMLProviderConfig is the SAML auth provider configuration. See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.
type SAMLProviderConfigIterator ¶
type SAMLProviderConfigIterator struct {
// contains filtered or unexported fields
}
SAMLProviderConfigIterator is an iterator over SAML provider configurations.
func (*SAMLProviderConfigIterator) Next ¶
func (it *SAMLProviderConfigIterator) Next() (*SAMLProviderConfig, error)
Next returns the next SAMLProviderConfig. The error value of iterator.Done is returned if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.
func (*SAMLProviderConfigIterator) PageInfo ¶
func (it *SAMLProviderConfigIterator) PageInfo() *iterator.PageInfo
PageInfo supports pagination.
type SAMLProviderConfigToCreate ¶
type SAMLProviderConfigToCreate struct {
// contains filtered or unexported fields
}
SAMLProviderConfigToCreate represents the options used to create a new SAMLProviderConfig.
func (*SAMLProviderConfigToCreate) CallbackURL ¶
func (config *SAMLProviderConfigToCreate) CallbackURL(url string) *SAMLProviderConfigToCreate
CallbackURL sets the CallbackURL field of the new config.
func (*SAMLProviderConfigToCreate) DisplayName ¶
func (config *SAMLProviderConfigToCreate) DisplayName(name string) *SAMLProviderConfigToCreate
DisplayName sets the DisplayName field of the new config.
func (*SAMLProviderConfigToCreate) Enabled ¶
func (config *SAMLProviderConfigToCreate) Enabled(enabled bool) *SAMLProviderConfigToCreate
Enabled enables or disables the new config.
func (*SAMLProviderConfigToCreate) ID ¶
func (config *SAMLProviderConfigToCreate) ID(id string) *SAMLProviderConfigToCreate
ID sets the provider ID of the new config.
func (*SAMLProviderConfigToCreate) IDPEntityID ¶
func (config *SAMLProviderConfigToCreate) IDPEntityID(entityID string) *SAMLProviderConfigToCreate
IDPEntityID sets the IDPEntityID field of the new config.
func (*SAMLProviderConfigToCreate) RPEntityID ¶
func (config *SAMLProviderConfigToCreate) RPEntityID(entityID string) *SAMLProviderConfigToCreate
RPEntityID sets the RPEntityID field of the new config.
func (*SAMLProviderConfigToCreate) RequestSigningEnabled ¶
func (config *SAMLProviderConfigToCreate) RequestSigningEnabled(enabled bool) *SAMLProviderConfigToCreate
RequestSigningEnabled enables or disables the request signing support.
func (*SAMLProviderConfigToCreate) SSOURL ¶
func (config *SAMLProviderConfigToCreate) SSOURL(url string) *SAMLProviderConfigToCreate
SSOURL sets the SSOURL field of the new config.
func (*SAMLProviderConfigToCreate) X509Certificates ¶
func (config *SAMLProviderConfigToCreate) X509Certificates(certs []string) *SAMLProviderConfigToCreate
X509Certificates sets the certificates for the new config.
type SAMLProviderConfigToUpdate ¶
type SAMLProviderConfigToUpdate struct {
// contains filtered or unexported fields
}
SAMLProviderConfigToUpdate represents the options used to update an existing SAMLProviderConfig.
func (*SAMLProviderConfigToUpdate) CallbackURL ¶
func (config *SAMLProviderConfigToUpdate) CallbackURL(url string) *SAMLProviderConfigToUpdate
CallbackURL updates the CallbackURL field of the config.
func (*SAMLProviderConfigToUpdate) DisplayName ¶
func (config *SAMLProviderConfigToUpdate) DisplayName(name string) *SAMLProviderConfigToUpdate
DisplayName updates the DisplayName field of the config.
func (*SAMLProviderConfigToUpdate) Enabled ¶
func (config *SAMLProviderConfigToUpdate) Enabled(enabled bool) *SAMLProviderConfigToUpdate
Enabled enables or disables the config.
func (*SAMLProviderConfigToUpdate) IDPEntityID ¶
func (config *SAMLProviderConfigToUpdate) IDPEntityID(entityID string) *SAMLProviderConfigToUpdate
IDPEntityID the IDPEntityID field of the config.
func (*SAMLProviderConfigToUpdate) RPEntityID ¶
func (config *SAMLProviderConfigToUpdate) RPEntityID(entityID string) *SAMLProviderConfigToUpdate
RPEntityID updates the RPEntityID field of the config.
func (*SAMLProviderConfigToUpdate) RequestSigningEnabled ¶
func (config *SAMLProviderConfigToUpdate) RequestSigningEnabled(enabled bool) *SAMLProviderConfigToUpdate
RequestSigningEnabled enables or disables the request signing support.
func (*SAMLProviderConfigToUpdate) SSOURL ¶
func (config *SAMLProviderConfigToUpdate) SSOURL(url string) *SAMLProviderConfigToUpdate
SSOURL updates the SSOURL field of the config.
func (*SAMLProviderConfigToUpdate) X509Certificates ¶
func (config *SAMLProviderConfigToUpdate) X509Certificates(certs []string) *SAMLProviderConfigToUpdate
X509Certificates updates the certificates of the config.
type Tenant ¶
type Tenant struct { ID string `json:"name"` DisplayName string `json:"displayName"` AllowPasswordSignUp bool `json:"allowPasswordSignup"` EnableEmailLinkSignIn bool `json:"enableEmailLinkSignin"` EnableAnonymousUsers bool `json:"enableAnonymousUser"` }
Tenant represents a tenant in a multi-tenant application.
Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see https://cloud.google.com/identity-platform.
Before multi-tenancy can be used in a Google Cloud Identity Platform project, tenants must be enabled in that project via the Cloud Console UI.
A tenant configuration provides information such as the display name, tenant identifier and email authentication configuration. For OIDC/SAML provider configuration management, TenantClient instances should be used instead of a Tenant to retrieve the list of configured IdPs on a tenant. When configuring these providers, note that tenants will inherit whitelisted domains and authenticated redirect URIs of their parent project.
All other settings of a tenant will also be inherited. These will need to be managed from the Cloud Console UI.
type TenantClient ¶
type TenantClient struct {
// contains filtered or unexported fields
}
TenantClient is used for managing users, configuring SAML/OIDC providers, and generating email links for specific tenants.
Before multi-tenancy can be used in a Google Cloud Identity Platform project, tenants must be enabled in that project via the Cloud Console UI.
Each tenant contains its own identity providers, settings and users. TenantClient enables managing users and SAML/OIDC configurations of specific tenants. It also supports verifying ID tokens issued to users who are signed into specific tenants.
TenantClient instances for a specific tenantID can be instantiated by calling [TenantManager.AuthForTenant(tenantID)].
func (TenantClient) CreateOIDCProviderConfig ¶
func (c TenantClient) CreateOIDCProviderConfig(ctx context.Context, config *OIDCProviderConfigToCreate) (*OIDCProviderConfig, error)
CreateOIDCProviderConfig creates a new OIDC provider config from the given parameters.
func (TenantClient) CreateSAMLProviderConfig ¶
func (c TenantClient) CreateSAMLProviderConfig(ctx context.Context, config *SAMLProviderConfigToCreate) (*SAMLProviderConfig, error)
CreateSAMLProviderConfig creates a new SAML provider config from the given parameters.
func (TenantClient) CreateUser ¶
func (c TenantClient) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)
CreateUser creates a new user with the specified properties.
func (TenantClient) CustomToken ¶
CustomToken creates a signed custom authentication token with the specified user ID.
The resulting JWT can be used in a Firebase client SDK to trigger an authentication flow. See https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients for more details on how to use custom tokens for client authentication.
CustomToken follows the protocol outlined below to sign the generated tokens:
- If the SDK was initialized with service account credentials, uses the private key present in the credentials to sign tokens locally.
- If a service account email was specified during initialization (via firebase.Config struct), calls the IAMCredentials service with that email to sign tokens remotely. See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob.
- If the code is deployed in the Google App Engine standard environment, uses the App Identity service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
- If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine), uses the local Metadata server to auto discover a service account email. This is used in conjunction with the IAM service to sign tokens remotely.
CustomToken returns an error the SDK fails to discover a viable mechanism for signing tokens.
func (TenantClient) CustomTokenWithClaims ¶
func (c TenantClient) CustomTokenWithClaims(ctx context.Context, uid string, devClaims map[string]interface{}) (string, error)
CustomTokenWithClaims is similar to CustomToken, but in addition to the user ID, it also encodes all the key-value pairs in the provided map as claims in the resulting JWT.
func (TenantClient) DeleteOIDCProviderConfig ¶
DeleteOIDCProviderConfig deletes the OIDCProviderConfig with the given ID.
func (TenantClient) DeleteSAMLProviderConfig ¶
DeleteSAMLProviderConfig deletes the SAMLProviderConfig with the given ID.
func (TenantClient) DeleteUser ¶
DeleteUser deletes the user by the given UID.
func (TenantClient) DeleteUsers ¶
func (c TenantClient) DeleteUsers(ctx context.Context, uids []string) (*DeleteUsersResult, error)
DeleteUsers deletes the users specified by the given identifiers.
Deleting a non-existing user won't generate an error. (i.e. this method is idempotent.) Non-existing users are considered to be successfully deleted, and are therefore counted in the DeleteUsersResult.SuccessCount value.
A maximum of 1000 identifiers may be supplied. If more than 1000 identifiers are supplied, this method returns an error.
This API is currently rate limited at the server to 1 QPS. If you exceed this, you may get a quota exceeded error. Therefore, if you want to delete more than 1000 users, you may need to add a delay to ensure you don't go over this limit.
Returns the total number of successful/failed deletions, as well as the array of errors that correspond to the failed deletions. An error is returned if any of the identifiers are invalid or if more than 1000 identifiers are specified.
func (TenantClient) EmailSignInLink ¶
func (c TenantClient) EmailSignInLink( ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
EmailSignInLink generates the out-of-band email action link for email link sign-in flows, using the action code settings provided.
func (TenantClient) EmailVerificationLink ¶
EmailVerificationLink generates the out-of-band email action link for email verification flows for the specified email address.
func (TenantClient) EmailVerificationLinkWithSettings ¶
func (c TenantClient) EmailVerificationLinkWithSettings( ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
EmailVerificationLinkWithSettings generates the out-of-band email action link for email verification flows for the specified email address, using the action code settings provided.
func (TenantClient) GetUser ¶
func (c TenantClient) GetUser(ctx context.Context, uid string) (*UserRecord, error)
GetUser gets the user data corresponding to the specified user ID.
func (TenantClient) GetUserByEmail ¶
func (c TenantClient) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)
GetUserByEmail gets the user data corresponding to the specified email.
func (TenantClient) GetUserByPhoneNumber ¶
func (c TenantClient) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)
GetUserByPhoneNumber gets the user data corresponding to the specified user phone number.
func (TenantClient) GetUserByProviderID ¶
func (c TenantClient) GetUserByProviderID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
GetUserByProviderID is an alias for GetUserByProviderUID.
Deprecated. Use GetUserByProviderUID instead.
func (TenantClient) GetUserByProviderUID ¶
func (c TenantClient) GetUserByProviderUID(ctx context.Context, providerID string, providerUID string) (*UserRecord, error)
GetUserByProviderUID gets the user data for the user corresponding to a given provider ID.
See https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data for code samples and detailed documentation.
`providerID` indicates the provider, such as 'google.com' for the Google provider. `providerUID` is the user identifier for the given provider.
func (TenantClient) GetUsers ¶
func (c TenantClient) GetUsers( ctx context.Context, identifiers []UserIdentifier, ) (*GetUsersResult, error)
GetUsers returns the user data corresponding to the specified identifiers.
There are no ordering guarantees; in particular, the nth entry in the users result list is not guaranteed to correspond to the nth entry in the input parameters list.
A maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied, this method returns an error.
Returns the corresponding user records. An error is returned instead if any of the identifiers are invalid or if more than 100 identifiers are specified.
func (TenantClient) ImportUsers ¶
func (c TenantClient) ImportUsers( ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)
ImportUsers imports an array of users to Firebase Auth.
No more than 1000 users can be imported in a single call. If at least one user specifies a password, a UserImportHash must be specified as an option.
func (TenantClient) OIDCProviderConfig ¶
func (c TenantClient) OIDCProviderConfig(ctx context.Context, id string) (*OIDCProviderConfig, error)
OIDCProviderConfig returns the OIDCProviderConfig with the given ID.
func (TenantClient) OIDCProviderConfigs ¶
func (c TenantClient) OIDCProviderConfigs(ctx context.Context, nextPageToken string) *OIDCProviderConfigIterator
OIDCProviderConfigs returns an iterator over OIDC provider configurations.
If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.
func (TenantClient) PasswordResetLink ¶
PasswordResetLink generates the out-of-band email action link for password reset flows for the specified email address.
func (TenantClient) PasswordResetLinkWithSettings ¶
func (c TenantClient) PasswordResetLinkWithSettings( ctx context.Context, email string, settings *ActionCodeSettings) (string, error)
PasswordResetLinkWithSettings generates the out-of-band email action link for password reset flows for the specified email address, using the action code settings provided.
func (TenantClient) RevokeRefreshTokens ¶
RevokeRefreshTokens revokes all refresh tokens issued to a user.
RevokeRefreshTokens updates the user's TokensValidAfterMillis to the current UTC second. It is important that the server on which this is called has its clock set correctly and synchronized.
While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use `verifyIdTokenAndCheckRevoked(ctx, idToken)`.
func (TenantClient) SAMLProviderConfig ¶
func (c TenantClient) SAMLProviderConfig(ctx context.Context, id string) (*SAMLProviderConfig, error)
SAMLProviderConfig returns the SAMLProviderConfig with the given ID.
func (TenantClient) SAMLProviderConfigs ¶
func (c TenantClient) SAMLProviderConfigs(ctx context.Context, nextPageToken string) *SAMLProviderConfigIterator
SAMLProviderConfigs returns an iterator over SAML provider configurations.
If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.
func (TenantClient) SetCustomUserClaims ¶
func (c TenantClient) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error
SetCustomUserClaims sets additional claims on an existing user account.
Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user's ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger then 1000 characters when serialized into a JSON string.
func (*TenantClient) TenantID ¶
func (tc *TenantClient) TenantID() string
TenantID returns the ID of the tenant to which this TenantClient instance belongs.
func (TenantClient) UpdateOIDCProviderConfig ¶
func (c TenantClient) UpdateOIDCProviderConfig(ctx context.Context, id string, config *OIDCProviderConfigToUpdate) (*OIDCProviderConfig, error)
UpdateOIDCProviderConfig updates an existing OIDC provider config with the given parameters.
func (TenantClient) UpdateSAMLProviderConfig ¶
func (c TenantClient) UpdateSAMLProviderConfig(ctx context.Context, id string, config *SAMLProviderConfigToUpdate) (*SAMLProviderConfig, error)
UpdateSAMLProviderConfig updates an existing SAML provider config with the given parameters.
func (TenantClient) UpdateUser ¶
func (c TenantClient) UpdateUser( ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)
UpdateUser updates an existing user account with the specified properties.
func (TenantClient) Users ¶
func (c TenantClient) Users(ctx context.Context, nextPageToken string) *UserIterator
Users returns an iterator over Users.
If nextPageToken is empty, the iterator will start at the beginning. If the nextPageToken is not empty, the iterator starts after the token.
func (TenantClient) VerifyIDToken ¶
VerifyIDToken verifies the signature and payload of the provided ID token.
VerifyIDToken accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients for more details on how to obtain an ID token in a client app.
In non-emulator mode, this function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.
This does not check whether or not the token has been revoked or disabled. Use `VerifyIDTokenAndCheckRevoked()` when a revocation check is needed.
func (TenantClient) VerifyIDTokenAndCheckRevoked ¶
func (c TenantClient) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error)
VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the token has not been revoked or disabled.
Unlike `VerifyIDToken()`, this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.
type TenantIterator ¶
type TenantIterator struct {
// contains filtered or unexported fields
}
TenantIterator is an iterator over tenants.
func (*TenantIterator) Next ¶
func (it *TenantIterator) Next() (*Tenant, error)
Next returns the next Tenant. The error value of iterator.Done is returned if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.
func (*TenantIterator) PageInfo ¶
func (it *TenantIterator) PageInfo() *iterator.PageInfo
PageInfo supports pagination.
type TenantManager ¶
type TenantManager struct {
// contains filtered or unexported fields
}
TenantManager is the interface used to manage tenants in a multi-tenant application.
This supports creating, updating, listing, deleting the tenants of a Firebase project. It also supports creating new TenantClient instances scoped to specific tenant IDs.
func (*TenantManager) AuthForTenant ¶
func (tm *TenantManager) AuthForTenant(tenantID string) (*TenantClient, error)
AuthForTenant creates a new TenantClient scoped to a given tenantID.
func (*TenantManager) CreateTenant ¶
func (tm *TenantManager) CreateTenant(ctx context.Context, tenant *TenantToCreate) (*Tenant, error)
CreateTenant creates a new tenant with the given options.
func (*TenantManager) DeleteTenant ¶
func (tm *TenantManager) DeleteTenant(ctx context.Context, tenantID string) error
DeleteTenant deletes the tenant with the given ID.
func (*TenantManager) Tenants ¶
func (tm *TenantManager) Tenants(ctx context.Context, nextPageToken string) *TenantIterator
Tenants returns an iterator over tenants in the project.
If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.
func (*TenantManager) UpdateTenant ¶
func (tm *TenantManager) UpdateTenant(ctx context.Context, tenantID string, tenant *TenantToUpdate) (*Tenant, error)
UpdateTenant updates an existing tenant with the given options.
type TenantToCreate ¶
type TenantToCreate struct {
// contains filtered or unexported fields
}
TenantToCreate represents the options used to create a new tenant.
func (*TenantToCreate) AllowPasswordSignUp ¶
func (t *TenantToCreate) AllowPasswordSignUp(allow bool) *TenantToCreate
AllowPasswordSignUp enables or disables email sign-in provider.
func (*TenantToCreate) DisplayName ¶
func (t *TenantToCreate) DisplayName(name string) *TenantToCreate
DisplayName sets the display name of the new tenant.
func (*TenantToCreate) EnableAnonymousUsers ¶
func (t *TenantToCreate) EnableAnonymousUsers(enable bool) *TenantToCreate
EnableAnonymousUsers enables or disables anonymous authentication.
func (*TenantToCreate) EnableEmailLinkSignIn ¶
func (t *TenantToCreate) EnableEmailLinkSignIn(enable bool) *TenantToCreate
EnableEmailLinkSignIn enables or disables email link sign-in.
Disabling this makes the password required for email sign-in.
type TenantToUpdate ¶
type TenantToUpdate struct {
// contains filtered or unexported fields
}
TenantToUpdate represents the options used to update an existing tenant.
func (*TenantToUpdate) AllowPasswordSignUp ¶
func (t *TenantToUpdate) AllowPasswordSignUp(allow bool) *TenantToUpdate
AllowPasswordSignUp enables or disables email sign-in provider.
func (*TenantToUpdate) DisplayName ¶
func (t *TenantToUpdate) DisplayName(name string) *TenantToUpdate
DisplayName sets the display name of the new tenant.
func (*TenantToUpdate) EnableAnonymousUsers ¶
func (t *TenantToUpdate) EnableAnonymousUsers(enable bool) *TenantToUpdate
EnableAnonymousUsers enables or disables anonymous authentication.
func (*TenantToUpdate) EnableEmailLinkSignIn ¶
func (t *TenantToUpdate) EnableEmailLinkSignIn(enable bool) *TenantToUpdate
EnableEmailLinkSignIn enables or disables email link sign-in.
Disabling this makes the password required for email sign-in.
type Token ¶
type Token struct { AuthTime int64 `json:"auth_time"` Issuer string `json:"iss"` Audience string `json:"aud"` Expires int64 `json:"exp"` IssuedAt int64 `json:"iat"` Subject string `json:"sub,omitempty"` UID string `json:"uid,omitempty"` Firebase FirebaseInfo `json:"firebase"` Claims map[string]interface{} `json:"-"` }
Token represents a decoded Firebase ID token.
Token provides typed accessors to the common JWT fields such as Audience (aud) and Expiry (exp). Additionally it provides a UID field, which indicates the user ID of the account to which this token belongs. Any additional JWT claims can be accessed via the Claims map of Token.
type UIDIdentifier ¶
type UIDIdentifier struct {
UID string
}
A UIDIdentifier is used for looking up an account by uid.
See GetUsers function.
type UserIdentifier ¶
type UserIdentifier interface {
// contains filtered or unexported methods
}
A UserIdentifier identifies a user to be looked up.
type UserImportHash ¶
type UserImportHash interface {
Config() (internal.HashConfig, error)
}
UserImportHash represents a hash algorithm and the associated configuration that can be used to hash user passwords.
A UserImportHash must be specified in the form of a UserImportOption when importing users with passwords. See ImportUsers() and WithHash() functions.
type UserImportOption ¶
type UserImportOption interface {
// contains filtered or unexported methods
}
UserImportOption is an option for the ImportUsers() function.
func WithHash ¶
func WithHash(hash UserImportHash) UserImportOption
WithHash returns a UserImportOption that specifies a hash configuration.
type UserImportResult ¶
UserImportResult represents the result of an ImportUsers() call.
type UserInfo ¶
type UserInfo struct { DisplayName string `json:"displayName,omitempty"` Email string `json:"email,omitempty"` PhoneNumber string `json:"phoneNumber,omitempty"` PhotoURL string `json:"photoUrl,omitempty"` // In the ProviderUserInfo[] ProviderID can be a short domain name (e.g. google.com), // or the identity of an OpenID identity provider. // In UserRecord.UserInfo it will return the constant string "firebase". ProviderID string `json:"providerId,omitempty"` UID string `json:"rawId,omitempty"` }
UserInfo is a collection of standard profile information for a user.
type UserIterator ¶
type UserIterator struct {
// contains filtered or unexported fields
}
UserIterator is an iterator over Users.
Also see: https://github.com/GoogleCloudPlatform/google-cloud-go/wiki/Iterator-Guidelines
func (*UserIterator) Next ¶
func (it *UserIterator) Next() (*ExportedUserRecord, error)
Next returns the next result. Its second return value is iterator.Done if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.
func (*UserIterator) PageInfo ¶
func (it *UserIterator) PageInfo() *iterator.PageInfo
PageInfo supports pagination. See the google.golang.org/api/iterator package for details. Page size can be determined by the NewPager(...) function described there.
type UserMetadata ¶
type UserMetadata struct { CreationTimestamp int64 LastLogInTimestamp int64 // The time at which the user was last active (ID token refreshed), or 0 if // the user was never active. LastRefreshTimestamp int64 }
UserMetadata contains additional metadata associated with a user account. Timestamps are in milliseconds since epoch.
type UserProvider ¶
type UserProvider struct { UID string `json:"rawId"` ProviderID string `json:"providerId"` Email string `json:"email,omitempty"` DisplayName string `json:"displayName,omitempty"` PhotoURL string `json:"photoUrl,omitempty"` }
UserProvider represents a user identity provider.
One or more user providers can be specified for each user when importing in bulk. See UserToImport type.
type UserRecord ¶
type UserRecord struct { *UserInfo CustomClaims map[string]interface{} Disabled bool EmailVerified bool ProviderUserInfo []*UserInfo TokensValidAfterMillis int64 // milliseconds since epoch. UserMetadata *UserMetadata TenantID string MultiFactor *MultiFactorSettings }
UserRecord contains metadata associated with a Firebase user account.
type UserToCreate ¶
type UserToCreate struct {
// contains filtered or unexported fields
}
UserToCreate is the parameter struct for the CreateUser function.
func (*UserToCreate) Disabled ¶
func (u *UserToCreate) Disabled(disabled bool) *UserToCreate
Disabled setter.
func (*UserToCreate) DisplayName ¶
func (u *UserToCreate) DisplayName(name string) *UserToCreate
DisplayName setter.
func (*UserToCreate) EmailVerified ¶
func (u *UserToCreate) EmailVerified(verified bool) *UserToCreate
EmailVerified setter.
func (*UserToCreate) Password ¶
func (u *UserToCreate) Password(pw string) *UserToCreate
Password setter.
func (*UserToCreate) PhoneNumber ¶
func (u *UserToCreate) PhoneNumber(phone string) *UserToCreate
PhoneNumber setter.
func (*UserToCreate) PhotoURL ¶
func (u *UserToCreate) PhotoURL(url string) *UserToCreate
PhotoURL setter.
type UserToImport ¶
type UserToImport struct {
// contains filtered or unexported fields
}
UserToImport represents a user account that can be bulk imported into Firebase Auth.
func (*UserToImport) CustomClaims ¶
func (u *UserToImport) CustomClaims(claims map[string]interface{}) *UserToImport
CustomClaims setter.
func (*UserToImport) Disabled ¶
func (u *UserToImport) Disabled(disabled bool) *UserToImport
Disabled setter.
func (*UserToImport) DisplayName ¶
func (u *UserToImport) DisplayName(displayName string) *UserToImport
DisplayName setter.
func (*UserToImport) EmailVerified ¶
func (u *UserToImport) EmailVerified(emailVerified bool) *UserToImport
EmailVerified setter.
func (*UserToImport) Metadata ¶
func (u *UserToImport) Metadata(metadata *UserMetadata) *UserToImport
Metadata setter.
func (*UserToImport) PasswordHash ¶
func (u *UserToImport) PasswordHash(password []byte) *UserToImport
PasswordHash setter. When set, a UserImportHash must be specified as an option to call ImportUsers().
func (*UserToImport) PasswordSalt ¶
func (u *UserToImport) PasswordSalt(salt []byte) *UserToImport
PasswordSalt setter.
func (*UserToImport) PhoneNumber ¶
func (u *UserToImport) PhoneNumber(phoneNumber string) *UserToImport
PhoneNumber setter.
func (*UserToImport) PhotoURL ¶
func (u *UserToImport) PhotoURL(url string) *UserToImport
PhotoURL setter.
func (*UserToImport) ProviderData ¶
func (u *UserToImport) ProviderData(providers []*UserProvider) *UserToImport
ProviderData setter.
func (*UserToImport) UID ¶
func (u *UserToImport) UID(uid string) *UserToImport
UID setter. This field is required.
type UserToUpdate ¶
type UserToUpdate struct {
// contains filtered or unexported fields
}
UserToUpdate is the parameter struct for the UpdateUser function.
func (*UserToUpdate) CustomClaims ¶
func (u *UserToUpdate) CustomClaims(claims map[string]interface{}) *UserToUpdate
CustomClaims setter.
func (*UserToUpdate) Disabled ¶
func (u *UserToUpdate) Disabled(disabled bool) *UserToUpdate
Disabled setter.
func (*UserToUpdate) DisplayName ¶
func (u *UserToUpdate) DisplayName(name string) *UserToUpdate
DisplayName setter. Set to empty string to remove the display name from the user account.
func (*UserToUpdate) EmailVerified ¶
func (u *UserToUpdate) EmailVerified(verified bool) *UserToUpdate
EmailVerified setter.
func (*UserToUpdate) Password ¶
func (u *UserToUpdate) Password(pw string) *UserToUpdate
Password setter.
func (*UserToUpdate) PhoneNumber ¶
func (u *UserToUpdate) PhoneNumber(phone string) *UserToUpdate
PhoneNumber setter. Set to empty string to remove the phone number and the corresponding auth provider from the user account.
func (*UserToUpdate) PhotoURL ¶
func (u *UserToUpdate) PhotoURL(url string) *UserToUpdate
PhotoURL setter. Set to empty string to remove the photo URL from the user account.
func (*UserToUpdate) ProviderToLink ¶
func (u *UserToUpdate) ProviderToLink(userProvider *UserProvider) *UserToUpdate
ProviderToLink links this user to the specified provider.
Linking a provider to an existing user account does not invalidate the refresh token of that account. In other words, the existing account would continue to be able to access resources, despite not having used the newly linked provider to log in. If you wish to force the user to authenticate with this new provider, you need to (a) revoke their refresh token (see https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens), and (b) ensure no other authentication methods are present on this account.
func (*UserToUpdate) ProvidersToDelete ¶
func (u *UserToUpdate) ProvidersToDelete(providerIds []string) *UserToUpdate
ProvidersToDelete unlinks this user from the specified providers.