auth

package
v3.12.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 19, 2020 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package auth contains functions for minting custom authentication tokens, verifying Firebase ID tokens, and managing users in a Firebase project.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsConfigurationNotFound

func IsConfigurationNotFound(err error) bool

IsConfigurationNotFound checks if the given error was due to a non-existing IdP configuration.

func IsEmailAlreadyExists

func IsEmailAlreadyExists(err error) bool

IsEmailAlreadyExists checks if the given error was due to a duplicate email.

func IsIDTokenRevoked

func IsIDTokenRevoked(err error) bool

IsIDTokenRevoked checks if the given error was due to a revoked ID token.

func IsInsufficientPermission

func IsInsufficientPermission(err error) bool

IsInsufficientPermission checks if the given error was due to insufficient permissions.

func IsInvalidDynamicLinkDomain

func IsInvalidDynamicLinkDomain(err error) bool

IsInvalidDynamicLinkDomain checks if the given error was due to an invalid dynamic link domain.

func IsInvalidEmail

func IsInvalidEmail(err error) bool

IsInvalidEmail checks if the given error was due to an invalid email.

func IsPhoneNumberAlreadyExists

func IsPhoneNumberAlreadyExists(err error) bool

IsPhoneNumberAlreadyExists checks if the given error was due to a duplicate phone number.

func IsProjectNotFound

func IsProjectNotFound(err error) bool

IsProjectNotFound checks if the given error was due to a non-existing project.

func IsSessionCookieRevoked

func IsSessionCookieRevoked(err error) bool

IsSessionCookieRevoked checks if the given error was due to a revoked session cookie.

func IsTenantIDMismatch

func IsTenantIDMismatch(err error) bool

IsTenantIDMismatch checks if the given error was due to a mismatched tenant ID in a JWT.

func IsTenantNotFound

func IsTenantNotFound(err error) bool

IsTenantNotFound checks if the given error was due to a non-existing tenant ID.

func IsUIDAlreadyExists

func IsUIDAlreadyExists(err error) bool

IsUIDAlreadyExists checks if the given error was due to a duplicate uid.

func IsUnauthorizedContinueURI

func IsUnauthorizedContinueURI(err error) bool

IsUnauthorizedContinueURI checks if the given error was due to an unauthorized continue URI domain.

func IsUnknown

func IsUnknown(err error) bool

IsUnknown checks if the given error was due to a unknown server error.

func IsUserNotFound

func IsUserNotFound(err error) bool

IsUserNotFound checks if the given error was due to non-existing user.

Types

type ActionCodeSettings

type ActionCodeSettings struct {
	URL                   string `json:"continueUrl"`
	HandleCodeInApp       bool   `json:"canHandleCodeInApp"`
	IOSBundleID           string `json:"iOSBundleId,omitempty"`
	AndroidPackageName    string `json:"androidPackageName,omitempty"`
	AndroidMinimumVersion string `json:"androidMinimumVersion,omitempty"`
	AndroidInstallApp     bool   `json:"androidInstallApp,omitempty"`
	DynamicLinkDomain     string `json:"dynamicLinkDomain,omitempty"`
}

ActionCodeSettings specifies the required continue/state URL with optional Android and iOS settings. Used when invoking the email action link generation APIs.

type Client

type Client struct {
	TenantManager *TenantManager
	// contains filtered or unexported fields
}

Client is the interface for the Firebase auth service.

Client facilitates generating custom JWT tokens for Firebase clients, and verifying ID tokens issued by Firebase backend services.

func NewClient

func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)

NewClient creates a new instance of the Firebase Auth Client.

This function can only be invoked from within the SDK. Client applications should access the Auth service through firebase.App.

func (Client) CreateOIDCProviderConfig

func (c Client) CreateOIDCProviderConfig(ctx context.Context, config *OIDCProviderConfigToCreate) (*OIDCProviderConfig, error)

CreateOIDCProviderConfig creates a new OIDC provider config from the given parameters.

func (Client) CreateSAMLProviderConfig

func (c Client) CreateSAMLProviderConfig(ctx context.Context, config *SAMLProviderConfigToCreate) (*SAMLProviderConfig, error)

CreateSAMLProviderConfig creates a new SAML provider config from the given parameters.

func (Client) CreateUser

func (c Client) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)

CreateUser creates a new user with the specified properties.

func (*Client) CustomToken

func (c *Client) CustomToken(ctx context.Context, uid string) (string, error)

CustomToken creates a signed custom authentication token with the specified user ID.

The resulting JWT can be used in a Firebase client SDK to trigger an authentication flow. See https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients for more details on how to use custom tokens for client authentication.

CustomToken follows the protocol outlined below to sign the generated tokens:

  • If the SDK was initialized with service account credentials, uses the private key present in the credentials to sign tokens locally.
  • If a service account email was specified during initialization (via firebase.Config struct), calls the IAM service with that email to sign tokens remotely. See https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob.
  • If the code is deployed in the Google App Engine standard environment, uses the App Identity service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
  • If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine), uses the local Metadata server to auto discover a service account email. This is used in conjunction with the IAM service to sign tokens remotely.

CustomToken returns an error the SDK fails to discover a viable mechanism for signing tokens.

func (*Client) CustomTokenWithClaims

func (c *Client) CustomTokenWithClaims(ctx context.Context, uid string, devClaims map[string]interface{}) (string, error)

CustomTokenWithClaims is similar to CustomToken, but in addition to the user ID, it also encodes all the key-value pairs in the provided map as claims in the resulting JWT.

func (Client) DeleteOIDCProviderConfig

func (c Client) DeleteOIDCProviderConfig(ctx context.Context, id string) error

DeleteOIDCProviderConfig deletes the OIDCProviderConfig with the given ID.

func (Client) DeleteSAMLProviderConfig

func (c Client) DeleteSAMLProviderConfig(ctx context.Context, id string) error

DeleteSAMLProviderConfig deletes the SAMLProviderConfig with the given ID.

func (Client) DeleteUser

func (c Client) DeleteUser(ctx context.Context, uid string) error

DeleteUser deletes the user by the given UID.

func (c Client) EmailSignInLink(
	ctx context.Context, email string, settings *ActionCodeSettings) (string, error)

EmailSignInLink generates the out-of-band email action link for email link sign-in flows, using the action code settings provided.

func (c Client) EmailVerificationLink(ctx context.Context, email string) (string, error)

EmailVerificationLink generates the out-of-band email action link for email verification flows for the specified email address.

func (Client) EmailVerificationLinkWithSettings

func (c Client) EmailVerificationLinkWithSettings(
	ctx context.Context, email string, settings *ActionCodeSettings) (string, error)

EmailVerificationLinkWithSettings generates the out-of-band email action link for email verification flows for the specified email address, using the action code settings provided.

func (Client) GetUser

func (c Client) GetUser(ctx context.Context, uid string) (*UserRecord, error)

GetUser gets the user data corresponding to the specified user ID.

func (Client) GetUserByEmail

func (c Client) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)

GetUserByEmail gets the user data corresponding to the specified email.

func (Client) GetUserByPhoneNumber

func (c Client) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)

GetUserByPhoneNumber gets the user data corresponding to the specified user phone number.

func (Client) ImportUsers

func (c Client) ImportUsers(
	ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)

ImportUsers imports an array of users to Firebase Auth.

No more than 1000 users can be imported in a single call. If at least one user specifies a password, a UserImportHash must be specified as an option.

func (Client) OIDCProviderConfig

func (c Client) OIDCProviderConfig(ctx context.Context, id string) (*OIDCProviderConfig, error)

OIDCProviderConfig returns the OIDCProviderConfig with the given ID.

func (Client) OIDCProviderConfigs

func (c Client) OIDCProviderConfigs(ctx context.Context, nextPageToken string) *OIDCProviderConfigIterator

OIDCProviderConfigs returns an iterator over OIDC provider configurations.

If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.

func (c Client) PasswordResetLink(ctx context.Context, email string) (string, error)

PasswordResetLink generates the out-of-band email action link for password reset flows for the specified email address.

func (Client) PasswordResetLinkWithSettings

func (c Client) PasswordResetLinkWithSettings(
	ctx context.Context, email string, settings *ActionCodeSettings) (string, error)

PasswordResetLinkWithSettings generates the out-of-band email action link for password reset flows for the specified email address, using the action code settings provided.

func (Client) RevokeRefreshTokens

func (c Client) RevokeRefreshTokens(ctx context.Context, uid string) error

RevokeRefreshTokens revokes all refresh tokens issued to a user.

RevokeRefreshTokens updates the user's TokensValidAfterMillis to the current UTC second. It is important that the server on which this is called has its clock set correctly and synchronized.

While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use `verifyIdTokenAndCheckRevoked(ctx, idToken)`.

func (Client) SAMLProviderConfig

func (c Client) SAMLProviderConfig(ctx context.Context, id string) (*SAMLProviderConfig, error)

SAMLProviderConfig returns the SAMLProviderConfig with the given ID.

func (Client) SAMLProviderConfigs

func (c Client) SAMLProviderConfigs(ctx context.Context, nextPageToken string) *SAMLProviderConfigIterator

SAMLProviderConfigs returns an iterator over SAML provider configurations.

If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.

func (*Client) SessionCookie

func (c *Client) SessionCookie(
	ctx context.Context,
	idToken string,
	expiresIn time.Duration,
) (string, error)

SessionCookie creates a new Firebase session cookie from the given ID token and expiry duration. The returned JWT can be set as a server-side session cookie with a custom cookie policy. Expiry duration must be at least 5 minutes but may not exceed 14 days.

func (Client) SetCustomUserClaims

func (c Client) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error

SetCustomUserClaims sets additional claims on an existing user account.

Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user's ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger then 1000 characters when serialized into a JSON string.

func (Client) UpdateOIDCProviderConfig

func (c Client) UpdateOIDCProviderConfig(ctx context.Context, id string, config *OIDCProviderConfigToUpdate) (*OIDCProviderConfig, error)

UpdateOIDCProviderConfig updates an existing OIDC provider config with the given parameters.

func (Client) UpdateSAMLProviderConfig

func (c Client) UpdateSAMLProviderConfig(ctx context.Context, id string, config *SAMLProviderConfigToUpdate) (*SAMLProviderConfig, error)

UpdateSAMLProviderConfig updates an existing SAML provider config with the given parameters.

func (Client) UpdateUser

func (c Client) UpdateUser(
	ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)

UpdateUser updates an existing user account with the specified properties.

func (Client) Users

func (c Client) Users(ctx context.Context, nextPageToken string) *UserIterator

Users returns an iterator over Users.

If nextPageToken is empty, the iterator will start at the beginning. If the nextPageToken is not empty, the iterator starts after the token.

func (Client) VerifyIDToken

func (c Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, error)

VerifyIDToken verifies the signature and payload of the provided ID token.

VerifyIDToken accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients for more details on how to obtain an ID token in a client app.

This function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.

This does not check whether or not the token has been revoked. Use `VerifyIDTokenAndCheckRevoked()` when a revocation check is needed.

func (Client) VerifyIDTokenAndCheckRevoked

func (c Client) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error)

VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the token has not been revoked.

This function uses `VerifyIDToken()` internally to verify the ID token JWT. However, unlike `VerifyIDToken()` this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.

func (*Client) VerifySessionCookie

func (c *Client) VerifySessionCookie(ctx context.Context, sessionCookie string) (*Token, error)

VerifySessionCookie verifies the signature and payload of the provided Firebase session cookie.

VerifySessionCookie accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/manage-cookies for more details on how to obtain a session cookie.

This function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.

This does not check whether or not the cookie has been revoked. Use `VerifySessionCookieAndCheckRevoked()` when a revocation check is needed.

func (*Client) VerifySessionCookieAndCheckRevoked

func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, sessionCookie string) (*Token, error)

VerifySessionCookieAndCheckRevoked verifies the provided session cookie, and additionally checks that the cookie has not been revoked.

This function uses `VerifySessionCookie()` internally to verify the cookie JWT. However, unlike `VerifySessionCookie()` this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.

type ErrorInfo

type ErrorInfo struct {
	Index  int
	Reason string
}

ErrorInfo represents an error encountered while importing a single user account.

The Index field corresponds to the index of the failed user in the users array that was passed to ImportUsers().

type ExportedUserRecord

type ExportedUserRecord struct {
	*UserRecord
	PasswordHash string
	PasswordSalt string
}

ExportedUserRecord is the returned user value used when listing all the users.

type FirebaseInfo

type FirebaseInfo struct {
	SignInProvider string                 `json:"sign_in_provider"`
	Tenant         string                 `json:"tenant"`
	Identities     map[string]interface{} `json:"identities"`
}

FirebaseInfo represents the information about the sign-in event, including which auth provider was used and provider-specific identity details.

This data is provided by the Firebase Auth service and is a reserved claim in the ID token.

type OIDCProviderConfig

type OIDCProviderConfig struct {
	ID          string
	DisplayName string
	Enabled     bool
	ClientID    string
	Issuer      string
}

OIDCProviderConfig is the OIDC auth provider configuration. See https://openid.net/specs/openid-connect-core-1_0-final.html.

type OIDCProviderConfigIterator

type OIDCProviderConfigIterator struct {
	// contains filtered or unexported fields
}

OIDCProviderConfigIterator is an iterator over OIDC provider configurations.

func (*OIDCProviderConfigIterator) Next

Next returns the next OIDCProviderConfig. The error value of iterator.Done is returned if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.

func (*OIDCProviderConfigIterator) PageInfo

PageInfo supports pagination.

type OIDCProviderConfigToCreate

type OIDCProviderConfigToCreate struct {
	// contains filtered or unexported fields
}

OIDCProviderConfigToCreate represents the options used to create a new OIDCProviderConfig.

func (*OIDCProviderConfigToCreate) ClientID

func (config *OIDCProviderConfigToCreate) ClientID(clientID string) *OIDCProviderConfigToCreate

ClientID sets the client ID of the new config.

func (*OIDCProviderConfigToCreate) DisplayName

DisplayName sets the DisplayName field of the new config.

func (*OIDCProviderConfigToCreate) Enabled

Enabled enables or disables the new config.

func (*OIDCProviderConfigToCreate) ID

ID sets the provider ID of the new config.

func (*OIDCProviderConfigToCreate) Issuer

Issuer sets the issuer of the new config.

type OIDCProviderConfigToUpdate

type OIDCProviderConfigToUpdate struct {
	// contains filtered or unexported fields
}

OIDCProviderConfigToUpdate represents the options used to update an existing OIDCProviderConfig.

func (*OIDCProviderConfigToUpdate) ClientID

func (config *OIDCProviderConfigToUpdate) ClientID(clientID string) *OIDCProviderConfigToUpdate

ClientID updates the client ID of the config.

func (*OIDCProviderConfigToUpdate) DisplayName

DisplayName updates the DisplayName field of the config.

func (*OIDCProviderConfigToUpdate) Enabled

Enabled enables or disables the config.

func (*OIDCProviderConfigToUpdate) Issuer

Issuer updates the issuer of the config.

type SAMLProviderConfig

type SAMLProviderConfig struct {
	ID                    string
	DisplayName           string
	Enabled               bool
	IDPEntityID           string
	SSOURL                string
	RequestSigningEnabled bool
	X509Certificates      []string
	RPEntityID            string
	CallbackURL           string
}

SAMLProviderConfig is the SAML auth provider configuration. See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.

type SAMLProviderConfigIterator

type SAMLProviderConfigIterator struct {
	// contains filtered or unexported fields
}

SAMLProviderConfigIterator is an iterator over SAML provider configurations.

func (*SAMLProviderConfigIterator) Next

Next returns the next SAMLProviderConfig. The error value of iterator.Done is returned if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.

func (*SAMLProviderConfigIterator) PageInfo

PageInfo supports pagination.

type SAMLProviderConfigToCreate

type SAMLProviderConfigToCreate struct {
	// contains filtered or unexported fields
}

SAMLProviderConfigToCreate represents the options used to create a new SAMLProviderConfig.

func (*SAMLProviderConfigToCreate) CallbackURL

CallbackURL sets the CallbackURL field of the new config.

func (*SAMLProviderConfigToCreate) DisplayName

DisplayName sets the DisplayName field of the new config.

func (*SAMLProviderConfigToCreate) Enabled

Enabled enables or disables the new config.

func (*SAMLProviderConfigToCreate) ID

ID sets the provider ID of the new config.

func (*SAMLProviderConfigToCreate) IDPEntityID

func (config *SAMLProviderConfigToCreate) IDPEntityID(entityID string) *SAMLProviderConfigToCreate

IDPEntityID sets the IDPEntityID field of the new config.

func (*SAMLProviderConfigToCreate) RPEntityID

func (config *SAMLProviderConfigToCreate) RPEntityID(entityID string) *SAMLProviderConfigToCreate

RPEntityID sets the RPEntityID field of the new config.

func (*SAMLProviderConfigToCreate) RequestSigningEnabled

func (config *SAMLProviderConfigToCreate) RequestSigningEnabled(enabled bool) *SAMLProviderConfigToCreate

RequestSigningEnabled enables or disables the request signing support.

func (*SAMLProviderConfigToCreate) SSOURL

SSOURL sets the SSOURL field of the new config.

func (*SAMLProviderConfigToCreate) X509Certificates

func (config *SAMLProviderConfigToCreate) X509Certificates(certs []string) *SAMLProviderConfigToCreate

X509Certificates sets the certificates for the new config.

type SAMLProviderConfigToUpdate

type SAMLProviderConfigToUpdate struct {
	// contains filtered or unexported fields
}

SAMLProviderConfigToUpdate represents the options used to update an existing SAMLProviderConfig.

func (*SAMLProviderConfigToUpdate) CallbackURL

CallbackURL updates the CallbackURL field of the config.

func (*SAMLProviderConfigToUpdate) DisplayName

DisplayName updates the DisplayName field of the config.

func (*SAMLProviderConfigToUpdate) Enabled

Enabled enables or disables the config.

func (*SAMLProviderConfigToUpdate) IDPEntityID

func (config *SAMLProviderConfigToUpdate) IDPEntityID(entityID string) *SAMLProviderConfigToUpdate

IDPEntityID the IDPEntityID field of the config.

func (*SAMLProviderConfigToUpdate) RPEntityID

func (config *SAMLProviderConfigToUpdate) RPEntityID(entityID string) *SAMLProviderConfigToUpdate

RPEntityID updates the RPEntityID field of the config.

func (*SAMLProviderConfigToUpdate) RequestSigningEnabled

func (config *SAMLProviderConfigToUpdate) RequestSigningEnabled(enabled bool) *SAMLProviderConfigToUpdate

RequestSigningEnabled enables or disables the request signing support.

func (*SAMLProviderConfigToUpdate) SSOURL

SSOURL updates the SSOURL field of the config.

func (*SAMLProviderConfigToUpdate) X509Certificates

func (config *SAMLProviderConfigToUpdate) X509Certificates(certs []string) *SAMLProviderConfigToUpdate

X509Certificates updates the certificates of the config.

type Tenant

type Tenant struct {
	ID                    string `json:"name"`
	DisplayName           string `json:"displayName"`
	AllowPasswordSignUp   bool   `json:"allowPasswordSignup"`
	EnableEmailLinkSignIn bool   `json:"enableEmailLinkSignin"`
}

Tenant represents a tenant in a multi-tenant application.

Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see https://cloud.google.com/identity-platform.

Before multi-tenancy can be used in a Google Cloud Identity Platform project, tenants must be enabled in that project via the Cloud Console UI.

A tenant configuration provides information such as the display name, tenant identifier and email authentication configuration. For OIDC/SAML provider configuration management, TenantClient instances should be used instead of a Tenant to retrieve the list of configured IdPs on a tenant. When configuring these providers, note that tenants will inherit whitelisted domains and authenticated redirect URIs of their parent project.

All other settings of a tenant will also be inherited. These will need to be managed from the Cloud Console UI.

type TenantClient

type TenantClient struct {
	// contains filtered or unexported fields
}

TenantClient is used for managing users, configuring SAML/OIDC providers, and generating email links for specific tenants.

Before multi-tenancy can be used in a Google Cloud Identity Platform project, tenants must be enabled in that project via the Cloud Console UI.

Each tenant contains its own identity providers, settings and users. TenantClient enables managing users and SAML/OIDC configurations of specific tenants. It also supports verifying ID tokens issued to users who are signed into specific tenants.

TenantClient instances for a specific tenantID can be instantiated by calling [TenantManager.AuthForTenant(tenantID)].

func (TenantClient) CreateOIDCProviderConfig

func (c TenantClient) CreateOIDCProviderConfig(ctx context.Context, config *OIDCProviderConfigToCreate) (*OIDCProviderConfig, error)

CreateOIDCProviderConfig creates a new OIDC provider config from the given parameters.

func (TenantClient) CreateSAMLProviderConfig

func (c TenantClient) CreateSAMLProviderConfig(ctx context.Context, config *SAMLProviderConfigToCreate) (*SAMLProviderConfig, error)

CreateSAMLProviderConfig creates a new SAML provider config from the given parameters.

func (TenantClient) CreateUser

func (c TenantClient) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)

CreateUser creates a new user with the specified properties.

func (TenantClient) DeleteOIDCProviderConfig

func (c TenantClient) DeleteOIDCProviderConfig(ctx context.Context, id string) error

DeleteOIDCProviderConfig deletes the OIDCProviderConfig with the given ID.

func (TenantClient) DeleteSAMLProviderConfig

func (c TenantClient) DeleteSAMLProviderConfig(ctx context.Context, id string) error

DeleteSAMLProviderConfig deletes the SAMLProviderConfig with the given ID.

func (TenantClient) DeleteUser

func (c TenantClient) DeleteUser(ctx context.Context, uid string) error

DeleteUser deletes the user by the given UID.

func (c TenantClient) EmailSignInLink(
	ctx context.Context, email string, settings *ActionCodeSettings) (string, error)

EmailSignInLink generates the out-of-band email action link for email link sign-in flows, using the action code settings provided.

func (c TenantClient) EmailVerificationLink(ctx context.Context, email string) (string, error)

EmailVerificationLink generates the out-of-band email action link for email verification flows for the specified email address.

func (TenantClient) EmailVerificationLinkWithSettings

func (c TenantClient) EmailVerificationLinkWithSettings(
	ctx context.Context, email string, settings *ActionCodeSettings) (string, error)

EmailVerificationLinkWithSettings generates the out-of-band email action link for email verification flows for the specified email address, using the action code settings provided.

func (TenantClient) GetUser

func (c TenantClient) GetUser(ctx context.Context, uid string) (*UserRecord, error)

GetUser gets the user data corresponding to the specified user ID.

func (TenantClient) GetUserByEmail

func (c TenantClient) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)

GetUserByEmail gets the user data corresponding to the specified email.

func (TenantClient) GetUserByPhoneNumber

func (c TenantClient) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)

GetUserByPhoneNumber gets the user data corresponding to the specified user phone number.

func (TenantClient) ImportUsers

func (c TenantClient) ImportUsers(
	ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)

ImportUsers imports an array of users to Firebase Auth.

No more than 1000 users can be imported in a single call. If at least one user specifies a password, a UserImportHash must be specified as an option.

func (TenantClient) OIDCProviderConfig

func (c TenantClient) OIDCProviderConfig(ctx context.Context, id string) (*OIDCProviderConfig, error)

OIDCProviderConfig returns the OIDCProviderConfig with the given ID.

func (TenantClient) OIDCProviderConfigs

func (c TenantClient) OIDCProviderConfigs(ctx context.Context, nextPageToken string) *OIDCProviderConfigIterator

OIDCProviderConfigs returns an iterator over OIDC provider configurations.

If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.

func (c TenantClient) PasswordResetLink(ctx context.Context, email string) (string, error)

PasswordResetLink generates the out-of-band email action link for password reset flows for the specified email address.

func (TenantClient) PasswordResetLinkWithSettings

func (c TenantClient) PasswordResetLinkWithSettings(
	ctx context.Context, email string, settings *ActionCodeSettings) (string, error)

PasswordResetLinkWithSettings generates the out-of-band email action link for password reset flows for the specified email address, using the action code settings provided.

func (TenantClient) RevokeRefreshTokens

func (c TenantClient) RevokeRefreshTokens(ctx context.Context, uid string) error

RevokeRefreshTokens revokes all refresh tokens issued to a user.

RevokeRefreshTokens updates the user's TokensValidAfterMillis to the current UTC second. It is important that the server on which this is called has its clock set correctly and synchronized.

While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use `verifyIdTokenAndCheckRevoked(ctx, idToken)`.

func (TenantClient) SAMLProviderConfig

func (c TenantClient) SAMLProviderConfig(ctx context.Context, id string) (*SAMLProviderConfig, error)

SAMLProviderConfig returns the SAMLProviderConfig with the given ID.

func (TenantClient) SAMLProviderConfigs

func (c TenantClient) SAMLProviderConfigs(ctx context.Context, nextPageToken string) *SAMLProviderConfigIterator

SAMLProviderConfigs returns an iterator over SAML provider configurations.

If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.

func (TenantClient) SetCustomUserClaims

func (c TenantClient) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error

SetCustomUserClaims sets additional claims on an existing user account.

Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user's ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger then 1000 characters when serialized into a JSON string.

func (*TenantClient) TenantID

func (tc *TenantClient) TenantID() string

TenantID returns the ID of the tenant to which this TenantClient instance belongs.

func (TenantClient) UpdateOIDCProviderConfig

func (c TenantClient) UpdateOIDCProviderConfig(ctx context.Context, id string, config *OIDCProviderConfigToUpdate) (*OIDCProviderConfig, error)

UpdateOIDCProviderConfig updates an existing OIDC provider config with the given parameters.

func (TenantClient) UpdateSAMLProviderConfig

func (c TenantClient) UpdateSAMLProviderConfig(ctx context.Context, id string, config *SAMLProviderConfigToUpdate) (*SAMLProviderConfig, error)

UpdateSAMLProviderConfig updates an existing SAML provider config with the given parameters.

func (TenantClient) UpdateUser

func (c TenantClient) UpdateUser(
	ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)

UpdateUser updates an existing user account with the specified properties.

func (TenantClient) Users

func (c TenantClient) Users(ctx context.Context, nextPageToken string) *UserIterator

Users returns an iterator over Users.

If nextPageToken is empty, the iterator will start at the beginning. If the nextPageToken is not empty, the iterator starts after the token.

func (TenantClient) VerifyIDToken

func (c TenantClient) VerifyIDToken(ctx context.Context, idToken string) (*Token, error)

VerifyIDToken verifies the signature and payload of the provided ID token.

VerifyIDToken accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients for more details on how to obtain an ID token in a client app.

This function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.

This does not check whether or not the token has been revoked. Use `VerifyIDTokenAndCheckRevoked()` when a revocation check is needed.

func (TenantClient) VerifyIDTokenAndCheckRevoked

func (c TenantClient) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error)

VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the token has not been revoked.

This function uses `VerifyIDToken()` internally to verify the ID token JWT. However, unlike `VerifyIDToken()` this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.

type TenantIterator

type TenantIterator struct {
	// contains filtered or unexported fields
}

TenantIterator is an iterator over tenants.

func (*TenantIterator) Next

func (it *TenantIterator) Next() (*Tenant, error)

Next returns the next Tenant. The error value of iterator.Done is returned if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.

func (*TenantIterator) PageInfo

func (it *TenantIterator) PageInfo() *iterator.PageInfo

PageInfo supports pagination.

type TenantManager

type TenantManager struct {
	// contains filtered or unexported fields
}

TenantManager is the interface used to manage tenants in a multi-tenant application.

This supports creating, updating, listing, deleting the tenants of a Firebase project. It also supports creating new TenantClient instances scoped to specific tenant IDs.

func (*TenantManager) AuthForTenant

func (tm *TenantManager) AuthForTenant(tenantID string) (*TenantClient, error)

AuthForTenant creates a new TenantClient scoped to a given tenantID.

func (*TenantManager) CreateTenant

func (tm *TenantManager) CreateTenant(ctx context.Context, tenant *TenantToCreate) (*Tenant, error)

CreateTenant creates a new tenant with the given options.

func (*TenantManager) DeleteTenant

func (tm *TenantManager) DeleteTenant(ctx context.Context, tenantID string) error

DeleteTenant deletes the tenant with the given ID.

func (*TenantManager) Tenant

func (tm *TenantManager) Tenant(ctx context.Context, tenantID string) (*Tenant, error)

Tenant returns the tenant with the given ID.

func (*TenantManager) Tenants

func (tm *TenantManager) Tenants(ctx context.Context, nextPageToken string) *TenantIterator

Tenants returns an iterator over tenants in the project.

If nextPageToken is empty, the iterator will start at the beginning. Otherwise, iterator starts after the token.

func (*TenantManager) UpdateTenant

func (tm *TenantManager) UpdateTenant(ctx context.Context, tenantID string, tenant *TenantToUpdate) (*Tenant, error)

UpdateTenant updates an existing tenant with the given options.

type TenantToCreate

type TenantToCreate struct {
	// contains filtered or unexported fields
}

TenantToCreate represents the options used to create a new tenant.

func (*TenantToCreate) AllowPasswordSignUp

func (t *TenantToCreate) AllowPasswordSignUp(allow bool) *TenantToCreate

AllowPasswordSignUp enables or disables email sign-in provider.

func (*TenantToCreate) DisplayName

func (t *TenantToCreate) DisplayName(name string) *TenantToCreate

DisplayName sets the display name of the new tenant.

func (*TenantToCreate) EnableEmailLinkSignIn

func (t *TenantToCreate) EnableEmailLinkSignIn(enable bool) *TenantToCreate

EnableEmailLinkSignIn enables or disables email link sign-in.

Disabling this makes the password required for email sign-in.

type TenantToUpdate

type TenantToUpdate struct {
	// contains filtered or unexported fields
}

TenantToUpdate represents the options used to update an existing tenant.

func (*TenantToUpdate) AllowPasswordSignUp

func (t *TenantToUpdate) AllowPasswordSignUp(allow bool) *TenantToUpdate

AllowPasswordSignUp enables or disables email sign-in provider.

func (*TenantToUpdate) DisplayName

func (t *TenantToUpdate) DisplayName(name string) *TenantToUpdate

DisplayName sets the display name of the new tenant.

func (*TenantToUpdate) EnableEmailLinkSignIn

func (t *TenantToUpdate) EnableEmailLinkSignIn(enable bool) *TenantToUpdate

EnableEmailLinkSignIn enables or disables email link sign-in.

Disabling this makes the password required for email sign-in.

type Token

type Token struct {
	AuthTime int64                  `json:"auth_time"`
	Issuer   string                 `json:"iss"`
	Audience string                 `json:"aud"`
	Expires  int64                  `json:"exp"`
	IssuedAt int64                  `json:"iat"`
	Subject  string                 `json:"sub,omitempty"`
	UID      string                 `json:"uid,omitempty"`
	Firebase FirebaseInfo           `json:"firebase"`
	Claims   map[string]interface{} `json:"-"`
}

Token represents a decoded Firebase ID token.

Token provides typed accessors to the common JWT fields such as Audience (aud) and Expiry (exp). Additionally it provides a UID field, which indicates the user ID of the account to which this token belongs. Any additional JWT claims can be accessed via the Claims map of Token.

type UserImportHash

type UserImportHash interface {
	Config() (internal.HashConfig, error)
}

UserImportHash represents a hash algorithm and the associated configuration that can be used to hash user passwords.

A UserImportHash must be specified in the form of a UserImportOption when importing users with passwords. See ImportUsers() and WithHash() functions.

type UserImportOption

type UserImportOption interface {
	// contains filtered or unexported methods
}

UserImportOption is an option for the ImportUsers() function.

func WithHash

func WithHash(hash UserImportHash) UserImportOption

WithHash returns a UserImportOption that specifies a hash configuration.

type UserImportResult

type UserImportResult struct {
	SuccessCount int
	FailureCount int
	Errors       []*ErrorInfo
}

UserImportResult represents the result of an ImportUsers() call.

type UserInfo

type UserInfo struct {
	DisplayName string `json:"displayName,omitempty"`
	Email       string `json:"email,omitempty"`
	PhoneNumber string `json:"phoneNumber,omitempty"`
	PhotoURL    string `json:"photoUrl,omitempty"`
	// In the ProviderUserInfo[] ProviderID can be a short domain name (e.g. google.com),
	// or the identity of an OpenID identity provider.
	// In UserRecord.UserInfo it will return the constant string "firebase".
	ProviderID string `json:"providerId,omitempty"`
	UID        string `json:"rawId,omitempty"`
}

UserInfo is a collection of standard profile information for a user.

type UserIterator

type UserIterator struct {
	// contains filtered or unexported fields
}

UserIterator is an iterator over Users.

Also see: https://github.com/GoogleCloudPlatform/google-cloud-go/wiki/Iterator-Guidelines

func (*UserIterator) Next

func (it *UserIterator) Next() (*ExportedUserRecord, error)

Next returns the next result. Its second return value is iterator.Done if there are no more results. Once Next returns iterator.Done, all subsequent calls will return iterator.Done.

func (*UserIterator) PageInfo

func (it *UserIterator) PageInfo() *iterator.PageInfo

PageInfo supports pagination. See the google.golang.org/api/iterator package for details. Page size can be determined by the NewPager(...) function described there.

type UserMetadata

type UserMetadata struct {
	CreationTimestamp  int64
	LastLogInTimestamp int64
}

UserMetadata contains additional metadata associated with a user account. Timestamps are in milliseconds since epoch.

type UserProvider

type UserProvider struct {
	UID         string `json:"rawId"`
	ProviderID  string `json:"providerId"`
	Email       string `json:"email"`
	DisplayName string `json:"displayName"`
	PhotoURL    string `json:"photoUrl"`
}

UserProvider represents a user identity provider.

One or more user providers can be specified for each user when importing in bulk. See UserToImport type.

type UserRecord

type UserRecord struct {
	*UserInfo
	CustomClaims           map[string]interface{}
	Disabled               bool
	EmailVerified          bool
	ProviderUserInfo       []*UserInfo
	TokensValidAfterMillis int64 // milliseconds since epoch.
	UserMetadata           *UserMetadata
	TenantID               string
}

UserRecord contains metadata associated with a Firebase user account.

type UserToCreate

type UserToCreate struct {
	// contains filtered or unexported fields
}

UserToCreate is the parameter struct for the CreateUser function.

func (*UserToCreate) Disabled

func (u *UserToCreate) Disabled(disabled bool) *UserToCreate

Disabled setter.

func (*UserToCreate) DisplayName

func (u *UserToCreate) DisplayName(name string) *UserToCreate

DisplayName setter.

func (*UserToCreate) Email

func (u *UserToCreate) Email(email string) *UserToCreate

Email setter.

func (*UserToCreate) EmailVerified

func (u *UserToCreate) EmailVerified(verified bool) *UserToCreate

EmailVerified setter.

func (*UserToCreate) Password

func (u *UserToCreate) Password(pw string) *UserToCreate

Password setter.

func (*UserToCreate) PhoneNumber

func (u *UserToCreate) PhoneNumber(phone string) *UserToCreate

PhoneNumber setter.

func (*UserToCreate) PhotoURL

func (u *UserToCreate) PhotoURL(url string) *UserToCreate

PhotoURL setter.

func (*UserToCreate) UID

func (u *UserToCreate) UID(uid string) *UserToCreate

UID setter.

type UserToImport

type UserToImport struct {
	// contains filtered or unexported fields
}

UserToImport represents a user account that can be bulk imported into Firebase Auth.

func (*UserToImport) CustomClaims

func (u *UserToImport) CustomClaims(claims map[string]interface{}) *UserToImport

CustomClaims setter.

func (*UserToImport) Disabled

func (u *UserToImport) Disabled(disabled bool) *UserToImport

Disabled setter.

func (*UserToImport) DisplayName

func (u *UserToImport) DisplayName(displayName string) *UserToImport

DisplayName setter.

func (*UserToImport) Email

func (u *UserToImport) Email(email string) *UserToImport

Email setter.

func (*UserToImport) EmailVerified

func (u *UserToImport) EmailVerified(emailVerified bool) *UserToImport

EmailVerified setter.

func (*UserToImport) Metadata

func (u *UserToImport) Metadata(metadata *UserMetadata) *UserToImport

Metadata setter.

func (*UserToImport) PasswordHash

func (u *UserToImport) PasswordHash(password []byte) *UserToImport

PasswordHash setter. When set, a UserImportHash must be specified as an option to call ImportUsers().

func (*UserToImport) PasswordSalt

func (u *UserToImport) PasswordSalt(salt []byte) *UserToImport

PasswordSalt setter.

func (*UserToImport) PhoneNumber

func (u *UserToImport) PhoneNumber(phoneNumber string) *UserToImport

PhoneNumber setter.

func (*UserToImport) PhotoURL

func (u *UserToImport) PhotoURL(url string) *UserToImport

PhotoURL setter.

func (*UserToImport) ProviderData

func (u *UserToImport) ProviderData(providers []*UserProvider) *UserToImport

ProviderData setter.

func (*UserToImport) UID

func (u *UserToImport) UID(uid string) *UserToImport

UID setter. This field is required.

type UserToUpdate

type UserToUpdate struct {
	// contains filtered or unexported fields
}

UserToUpdate is the parameter struct for the UpdateUser function.

func (*UserToUpdate) CustomClaims

func (u *UserToUpdate) CustomClaims(claims map[string]interface{}) *UserToUpdate

CustomClaims setter.

func (*UserToUpdate) Disabled

func (u *UserToUpdate) Disabled(disabled bool) *UserToUpdate

Disabled setter.

func (*UserToUpdate) DisplayName

func (u *UserToUpdate) DisplayName(name string) *UserToUpdate

DisplayName setter. Set to empty string to remove the display name from the user account.

func (*UserToUpdate) Email

func (u *UserToUpdate) Email(email string) *UserToUpdate

Email setter.

func (*UserToUpdate) EmailVerified

func (u *UserToUpdate) EmailVerified(verified bool) *UserToUpdate

EmailVerified setter.

func (*UserToUpdate) Password

func (u *UserToUpdate) Password(pw string) *UserToUpdate

Password setter.

func (*UserToUpdate) PhoneNumber

func (u *UserToUpdate) PhoneNumber(phone string) *UserToUpdate

PhoneNumber setter. Set to empty string to remove the phone number and the corresponding auth provider from the user account.

func (*UserToUpdate) PhotoURL

func (u *UserToUpdate) PhotoURL(url string) *UserToUpdate

PhotoURL setter. Set to empty string to remove the photo URL from the user account.

Directories

Path Synopsis
Package hash contains a collection of password hash algorithms that can be used with the auth.ImportUsers() API.
Package hash contains a collection of password hash algorithms that can be used with the auth.ImportUsers() API.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL