TenantAwareAuth class
Tenant-aware Auth interface used for managing users, configuring SAML/OIDC providers, generating email links for password reset, email verification, etc. for specific tenants.
Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
Each tenant contains its own identity providers, settings and sets of users. Using TenantAwareAuth, users for a specific tenant and corresponding OIDC/SAML configurations can also be managed, ID tokens for users signed in to a specific tenant can be verified, and email action links can also be generated for users belonging to the tenant.
TenantAwareAuth instances for a specific tenantId can be instantiated by calling TenantManager.authForTenant().
Signature:
```typescript
export declare class TenantAwareAuth extends BaseAuth
```
Extends: BaseAuth
Properties
| Property | Modifiers | Type | Description |
|---|---|---|---|
| tenantId | | string | The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc. will only be applied within the scope of this tenant. |
Methods
| Method | Modifiers | Description |
|---|---|---|
| createSessionCookie(idToken, sessionCookieOptions) | | Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token. See Manage Session Cookies for code samples and detailed documentation. |
| verifyIdToken(idToken, checkRevoked) | | Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected. If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied. See Verify ID Tokens for code samples and detailed documentation. |
| verifySessionCookie(sessionCookie, checkRevoked) | | Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified. If checkRevoked is set to true, first verifies whether the corresponding user is disabled: If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed. See Verify Session Cookies for code samples and detailed documentation. |
TenantAwareAuth.tenantId
The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc. will only be applied within the scope of this tenant.
Signature:
```typescript
readonly tenantId: string;
```
TenantAwareAuth.createSessionCookie()
Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token.
See Manage Session Cookies for code samples and detailed documentation.
Signature:
```typescript
createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string>;
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| idToken | string | The Firebase ID token to exchange for a session cookie. |
| sessionCookieOptions | SessionCookieOptions | The session cookie options, which include custom session duration. |
Returns:
Promise<string>
A promise that resolves on success with the created session cookie.
TenantAwareAuth.verifyIdToken()
Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected.
If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied.
See Verify ID Tokens for code samples and detailed documentation.
Signature:
```typescript
verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdToken>;
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| idToken | string | The ID token to verify. |
| checkRevoked | boolean | Whether to check if the ID token was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not applied. |
Returns:
Promise<DecodedIdToken>
A promise fulfilled with the token's decoded claims if the ID token is valid; otherwise, a rejected promise.
TenantAwareAuth.verifySessionCookie()
Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified.
If checkRevoked is set to true, first verifies whether the corresponding user is disabled: If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed.
See Verify Session Cookies for code samples and detailed documentation.
Signature:
```typescript
verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken>;
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| sessionCookie | string | The session cookie to verify. |
| checkRevoked | boolean |
Returns:
Promise<DecodedIdToken>
A promise fulfilled with the session cookie's decoded claims if the session cookie is valid; otherwise, a rejected promise.
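The revocation checks described for verifyIdToken() and verifySessionCookie() above, wired into a fail-closed request check. This is an added example, not code from the Firebase documentation: `authenticate`, `classifyAuthError` and `makeStubAuth` are hypothetical names, and the stub is a constructed stand-in for a TenantAwareAuth instance so the logic runs offline.

```javascript
// Added example. `tenantAuth` is assumed to be a TenantAwareAuth instance
// (e.g. from TenantManager.authForTenant(tenantId)); it is injected so the
// decision logic can be exercised offline against a stub.

// Error codes documented on this page, mapped to a response decision.
const REJECTIONS = {
  'auth/user-disabled': { status: 403, action: 'deny' },
  'auth/id-token-revoked': { status: 401, action: 'reauthenticate' },
  'auth/session-cookie-revoked': { status: 401, action: 'reauthenticate' },
};

function classifyAuthError(err) {
  // Anything unrecognised (bad signature, expiry, backend failure) is denied.
  return (err && REJECTIONS[err.code]) || { status: 401, action: 'deny' };
}

async function authenticate(tenantAuth, { idToken, sessionCookie }) {
  try {
    // checkRevoked = true costs one backend request but catches disabled
    // users and revoked sessions; when omitted, the check is not applied.
    const claims = sessionCookie
      ? await tenantAuth.verifySessionCookie(sessionCookie, true)
      : await tenantAuth.verifyIdToken(idToken, true);
    return { ok: true, uid: claims.uid, tenantId: tenantAuth.tenantId };
  } catch (err) {
    return { ok: false, code: err && err.code, ...classifyAuthError(err) };
  }
}

// Constructed stub, not the SDK: models the documented checkRevoked behaviour.
function makeStubAuth(tenantId, users) {
  const fail = (code) => { throw Object.assign(new Error(code), { code }); };
  const verifier = (revokedCode) => async (token, checkRevoked) => {
    const user = users[token];
    if (!user) fail('auth/argument-error');
    if (checkRevoked && user.disabled) fail('auth/user-disabled');
    if (checkRevoked && user.revoked) fail(revokedCode);
    return { uid: user.uid };
  };
  return {
    tenantId,
    verifyIdToken: verifier('auth/id-token-revoked'),
    verifySessionCookie: verifier('auth/session-cookie-revoked'),
  };
}
```

Calling the stub's verifyIdToken() without checkRevoked accepts the revoked token, which is the gap the flag closes.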
Last updated 2022-07-29 UTC.