Options
All
  • Public
  • Public/Protected
  • All
Menu

Interface TenantAwareAuth

Tenant-aware Auth interface used for managing users, configuring SAML/OIDC providers, generating email links for password reset, email verification, etc for specific tenants.

Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation

Each tenant contains its own identity providers, settings and sets of users. Using TenantAwareAuth, users for a specific tenant and corresponding OIDC/SAML configurations can also be managed, ID tokens for users signed in to a specific tenant can be verified, and email action links can also be generated for users belonging to the tenant.

TenantAwareAuth instances for a specific tenantId can be instantiated by calling auth.tenantManager().authForTenant(tenantId).

Hierarchy

Index

Properties

Methods

Properties

tenantId

tenantId: string

The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc will only be applied within the scope of this tenant.

Methods

createCustomToken

  • createCustomToken(uid: string, developerClaims?: Object): Promise<string>

  • Creates a new Firebase custom token (JWT) that can be sent back to a client device to use to sign in with the client SDKs' signInWithCustomToken() methods.

    See Create Custom Tokens for code samples and detailed documentation.

    Parameters

    • uid: string

      The uid to use as the custom token's subject.

    • Optional developerClaims: Object

      Optional additional claims to include in the custom token's payload.

    Returns Promise<string>

    A promise fulfilled with a custom token for the provided uid and payload.

createProviderConfig

  • Returns a promise that resolves with the newly created AuthProviderConfig when the new provider configuration is created.

    SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

    Parameters

    Returns Promise<AuthProviderConfig>

    A promise that resolves with the created provider configuration.

createSessionCookie

  • Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token.

    See Manage Session Cookies for code samples and detailed documentation.

    Parameters

    • idToken: string

      The Firebase ID token to exchange for a session cookie.

    • sessionCookieOptions: SessionCookieOptions

      The session cookie options which includes custom session duration.

    Returns Promise<string>

    A promise that resolves on success with the created session cookie.

createUser

  • Creates a new user.

    See Create a user for code samples and detailed documentation.

    Parameters

    • properties: CreateRequest

      The properties to set on the new user record to be created.

    Returns Promise<UserRecord>

    A promise fulfilled with the user data corresponding to the newly created user.

deleteProviderConfig

  • deleteProviderConfig(providerId: string): Promise<void>

  • Deletes the provider configuration corresponding to the provider ID passed. If the specified ID does not exist, an auth/configuration-not-found error is thrown.

    SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

    Parameters

    • providerId: string

      The provider ID corresponding to the provider config to delete.

    Returns Promise<void>

    A promise that resolves on completion.

deleteUser

  • deleteUser(uid: string): Promise<void>

  • Deletes an existing user.

    See Delete a user for code samples and detailed documentation.

    Parameters

    • uid: string

      The uid corresponding to the user to delete.

    Returns Promise<void>

    An empty promise fulfilled once the user has been deleted.

generateEmailVerificationLink

  • generateEmailVerificationLink(email: string, actionCodeSettings?: ActionCodeSettings): Promise<string>

  • Generates the out of band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.

    example
    var actionCodeSettings = {
  url: 'https://www.example.com/cart?email=user@example.com&cartId=123',
  iOS: {
    bundleId: 'com.example.ios'
  },
  android: {
    packageName: 'com.example.android',
    installApp: true,
    minimumVersion: '12'
  },
  handleCodeInApp: true,
  dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
    .generateEmailVerificationLink('user@example.com', actionCodeSettings)
    .then(function(link) {
      // The link was successfully generated.
    })
    .catch(function(error) {
      // Some error occurred, you can inspect the code: error.code
    });

    Parameters

    • email: string

      The email account to verify.

    • Optional actionCodeSettings: ActionCodeSettings

      The action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the email verification link. The default email verification landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.

    Returns Promise<string>

    A promise that resolves with the generated link.

generatePasswordResetLink

  • generatePasswordResetLink(email: string, actionCodeSettings?: ActionCodeSettings): Promise<string>

  • Generates the out of band email action link to reset a user's password. The link is generated for the user with the specified email address. The optional ActionCodeSettings object defines whether the link is to be handled by a mobile app or browser and the additional state information to be passed in the deep link, etc.

    example
    var actionCodeSettings = {
  url: 'https://www.example.com/?email=user@example.com',
  iOS: {
    bundleId: 'com.example.ios'
  },
  android: {
    packageName: 'com.example.android',
    installApp: true,
    minimumVersion: '12'
  },
  handleCodeInApp: true,
  dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
    .generatePasswordResetLink('user@example.com', actionCodeSettings)
    .then(function(link) {
      // The link was successfully generated.
    })
    .catch(function(error) {
      // Some error occurred, you can inspect the code: error.code
    });

    Parameters

    • email: string

      The email address of the user whose password is to be reset.

    • Optional actionCodeSettings: ActionCodeSettings

      The action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the password reset link. The default password reset landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.

    Returns Promise<string>

    A promise that resolves with the generated link.

generateSignInWithEmailLink

  • generateSignInWithEmailLink(email: string, actionCodeSettings: ActionCodeSettings): Promise<string>

  • Generates the out of band email action link to sign in or sign up the owner of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.

    example
    var actionCodeSettings = {
  // The URL to redirect to for sign-in completion. This is also the deep
  // link for mobile redirects. The domain (www.example.com) for this URL
  // must be whitelisted in the Firebase Console.
  url: 'https://www.example.com/finishSignUp?cartId=1234',
  iOS: {
    bundleId: 'com.example.ios'
  },
  android: {
    packageName: 'com.example.android',
    installApp: true,
    minimumVersion: '12'
  },
  // This must be true.
  handleCodeInApp: true,
  dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
    .generateSignInWithEmailLink('user@example.com', actionCodeSettings)
    .then(function(link) {
      // The link was successfully generated.
    })
    .catch(function(error) {
      // Some error occurred, you can inspect the code: error.code
    });

    Parameters

    • email: string

      The email account to sign in with.

    • actionCodeSettings: ActionCodeSettings

      The action code settings. These settings provide Firebase with instructions on how to construct the email link. This includes the sign in completion URL or the deep link for redirects and the mobile apps to use when the sign-in link is opened on an Android or iOS device. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.

    Returns Promise<string>

    A promise that resolves with the generated link.

getProviderConfig

  • Looks up an Auth provider configuration by the provided ID. Returns a promise that resolves with the provider configuration corresponding to the provider ID specified. If the specified ID does not exist, an auth/configuration-not-found error is thrown.

    SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

    Parameters

    • providerId: string

      The provider ID corresponding to the provider config to return.

    Returns Promise<AuthProviderConfig>

    A promise that resolves with the configuration corresponding to the provided ID.

getUser

  • Gets the user data for the user corresponding to a given uid.

    See Retrieve user data for code samples and detailed documentation.

    Parameters

    • uid: string

      The uid corresponding to the user whose data to fetch.

    Returns Promise<UserRecord>

    A promise fulfilled with the user data corresponding to the provided uid.

getUserByEmail

  • getUserByEmail(email: string): Promise<UserRecord>

  • Gets the user data for the user corresponding to a given email.

    See Retrieve user data for code samples and detailed documentation.

    Parameters

    • email: string

      The email corresponding to the user whose data to fetch.

    Returns Promise<UserRecord>

    A promise fulfilled with the user data corresponding to the provided email.

getUserByPhoneNumber

  • getUserByPhoneNumber(phoneNumber: string): Promise<UserRecord>

  • Gets the user data for the user corresponding to a given phone number. The phone number has to conform to the E.164 specification.

    See Retrieve user data for code samples and detailed documentation.

    Parameters

    • phoneNumber: string

      The phone number corresponding to the user whose data to fetch.

    Returns Promise<UserRecord>

    A promise fulfilled with the user data corresponding to the provided phone number.

importUsers

  • Imports the provided list of users into Firebase Auth. A maximum of 1000 users are allowed to be imported one at a time. When importing users with passwords, UserImportOptions are required to be specified. This operation is optimized for bulk imports and will ignore checks on uid, email and other identifier uniqueness which could result in duplications.

    Parameters

    • users: UserImportRecord[]

      The list of user records to import to Firebase Auth.

    • Optional options: UserImportOptions

      The user import options, required when the users provided include password credentials.

    Returns Promise<UserImportResult>

    A promise that resolves when the operation completes with the result of the import. This includes the number of successful imports, the number of failed imports and their corresponding errors.

listProviderConfigs

  • Returns the list of existing provider configurations matching the filter provided. At most, 100 provider configs can be listed at a time.

    SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

    Parameters

    Returns Promise<ListProviderConfigResults>

    A promise that resolves with the list of provider configs meeting the filter requirements.

listUsers

  • listUsers(maxResults?: number, pageToken?: string): Promise<ListUsersResult>

  • Retrieves a list of users (single batch only) with a size of maxResults starting from the offset as specified by pageToken. This is used to retrieve all the users of a specified project in batches.

    See List all users for code samples and detailed documentation.

    Parameters

    • Optional maxResults: number

      The page size, 1000 if undefined. This is also the maximum allowed limit.

    • Optional pageToken: string

      The next page token. If not specified, returns users starting without any offset.

    Returns Promise<ListUsersResult>

    A promise that resolves with the current batch of downloaded users and the next page token.

revokeRefreshTokens

  • revokeRefreshTokens(uid: string): Promise<void>

  • Revokes all refresh tokens for an existing user.

    This API will update the user's {@link admin.auth.UserRecord#tokensValidAfterTime tokensValidAfterTime} to the current UTC. It is important that the server on which this is called has its clock set correctly and synchronized.

    While this will revoke all sessions for a specified user and disable any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use {@link admin.auth.Auth#verifyIdToken verifyIdToken(idToken, true)} where checkRevoked is set to true.

    Parameters

    • uid: string

      The uid corresponding to the user whose refresh tokens are to be revoked.

    Returns Promise<void>

    An empty promise fulfilled once the user's refresh tokens have been revoked.

setCustomUserClaims

  • setCustomUserClaims(uid: string, customUserClaims: Object | null): Promise<void>

  • Sets additional developer claims on an existing user identified by the provided uid, typically used to define user roles and levels of access. These claims should propagate to all devices where the user is already signed in (after token expiration or when token refresh is forced) and the next time the user signs in. If a reserved OIDC claim name is used (sub, iat, iss, etc), an error is thrown. They are set on the authenticated user's ID token JWT.

    See Defining user roles and access levels for code samples and detailed documentation.

    Parameters

    • uid: string

      The uid of the user to edit.

    • customUserClaims: Object | null

      The developer claims to set. If null is passed, existing custom claims are deleted. Passing a custom claims payload larger than 1000 bytes will throw an error. Custom claims are added to the user's ID token which is transmitted on every authenticated request. For profile non-access related user attributes, use database or other separate storage systems.

    Returns Promise<void>

    A promise that resolves when the operation completes successfully.

updateProviderConfig

  • Returns a promise that resolves with the updated AuthProviderConfig corresponding to the provider ID specified. If the specified ID does not exist, an auth/configuration-not-found error is thrown.

    SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

    Parameters

    • providerId: string

      The provider ID corresponding to the provider config to update.

    • updatedConfig: UpdateAuthProviderRequest

      The updated configuration.

    Returns Promise<AuthProviderConfig>

    A promise that resolves with the updated provider configuration.

updateUser

  • Updates an existing user.

    See Update a user for code samples and detailed documentation.

    Parameters

    • uid: string

      The uid corresponding to the user to delete.

    • properties: UpdateRequest

      The properties to update on the provided user.

    Returns Promise<UserRecord>

    A promise fulfilled with the updated user data.

verifyIdToken

  • verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdToken>

  • Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected. An optional flag can be passed to additionally check whether the ID token was revoked.

    See Verify ID Tokens for code samples and detailed documentation.

    Parameters

    • idToken: string

      The ID token to verify.

    • Optional checkRevoked: boolean

      Whether to check if the ID token was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not applied.

    Returns Promise<DecodedIdToken>

    A promise fulfilled with the token's decoded claims if the ID token is valid; otherwise, a rejected promise.

verifySessionCookie

  • verifySessionCookie(sessionCookie: string, checkForRevocation?: boolean): Promise<DecodedIdToken>

  • Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified. If checkRevoked is set to true, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was revoked, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed.

    See Verify Session Cookies for code samples and detailed documentation

    Parameters

    • sessionCookie: string

      The session cookie to verify.

    • Optional checkForRevocation: boolean

      Whether to check if the session cookie was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not performed.

    Returns Promise<DecodedIdToken>

    A promise fulfilled with the session cookie's decoded claims if the session cookie is valid; otherwise, a rejected promise.

Generated using TypeDoc