firebase_admin.auth module

Firebase Authentication module.

This module contains functions for minting and verifying JWTs used for authenticating against Firebase services. It also provides functions for creating and managing user accounts in Firebase projects.

Exceptions

CertificateFetchError

exception firebase_admin.auth.CertificateFetchError(message, cause)

Bases: UnknownError

Failed to fetch some public key certificates required to verify a token.

ConfigurationNotFoundError

exception firebase_admin.auth.ConfigurationNotFoundError(message, cause=None, http_response=None)

Bases: NotFoundError

No auth provider found for the specified identifier.

default_message = 'No auth provider found for the given identifier'

EmailAlreadyExistsError

exception firebase_admin.auth.EmailAlreadyExistsError(message, cause, http_response)

Bases: AlreadyExistsError

The user with the provided email already exists.

default_message = 'The user with the provided email already exists'

EmailNotFoundError

exception firebase_admin.auth.EmailNotFoundError(message, cause=None, http_response=None)

Bases: NotFoundError

No user record found for the specified email.

default_message = 'No user record found for the given email'

ExpiredIdTokenError

exception firebase_admin.auth.ExpiredIdTokenError(message, cause)

Bases: InvalidIdTokenError

The provided ID token is expired.

ExpiredSessionCookieError

exception firebase_admin.auth.ExpiredSessionCookieError(message, cause)

Bases: InvalidSessionCookieError

The provided session cookie is expired.

InsufficientPermissionError

exception firebase_admin.auth.InsufficientPermissionError(message, cause, http_response)

Bases: PermissionDeniedError

The credential used to initialize the SDK lacks required permissions.

default_message = 'The credential used to initialize the SDK has insufficient permissions to perform the requested operation. See https://firebase.google.com/docs/admin/setup for details on how to initialize the Admin SDK with appropriate permissions'

InvalidDynamicLinkDomainError

exception firebase_admin.auth.InvalidDynamicLinkDomainError(message, cause, http_response)

Bases: InvalidArgumentError

Dynamic link domain in ActionCodeSettings is not authorized.

default_message = 'Dynamic link domain specified in ActionCodeSettings is not authorized'

InvalidHostingLinkDomainError

exception firebase_admin.auth.InvalidHostingLinkDomainError(message, cause, http_response)

Bases: InvalidArgumentError

The provided hosting link domain is not configured in Firebase Hosting or is not owned by the current project.

default_message = 'The provided hosting link domain is not configured in Firebase Hosting or is not owned by the current project'

InvalidIdTokenError

exception firebase_admin.auth.InvalidIdTokenError(message, cause=None, http_response=None)

Bases: InvalidArgumentError

The provided ID token is not a valid Firebase ID token.

default_message = 'The provided ID token is invalid'

InvalidSessionCookieError

exception firebase_admin.auth.InvalidSessionCookieError(message, cause=None)

Bases: InvalidArgumentError

The provided string is not a valid Firebase session cookie.

PhoneNumberAlreadyExistsError

exception firebase_admin.auth.PhoneNumberAlreadyExistsError(message, cause, http_response)

Bases: AlreadyExistsError

The user with the provided phone number already exists.

default_message = 'The user with the provided phone number already exists'

ResetPasswordExceedLimitError

exception firebase_admin.auth.ResetPasswordExceedLimitError(message, cause=None, http_response=None)

Bases: ResourceExhaustedError

Reset password emails exceeded their limits.

RevokedIdTokenError

exception firebase_admin.auth.RevokedIdTokenError(message)

Bases: InvalidIdTokenError

The provided ID token has been revoked.

RevokedSessionCookieError

exception firebase_admin.auth.RevokedSessionCookieError(message)

Bases: InvalidSessionCookieError

The provided session cookie has been revoked.

TokenSignError

exception firebase_admin.auth.TokenSignError(message, cause)

Bases: UnknownError

Unexpected error while signing a Firebase custom token.

TooManyAttemptsTryLaterError

exception firebase_admin.auth.TooManyAttemptsTryLaterError(message, cause=None, http_response=None)

Bases: ResourceExhaustedError

Rate limited because of too many attempts.

UidAlreadyExistsError

exception firebase_admin.auth.UidAlreadyExistsError(message, cause, http_response)

Bases: AlreadyExistsError

The user with the provided uid already exists.

default_message = 'The user with the provided uid already exists'

UnexpectedResponseError

exception firebase_admin.auth.UnexpectedResponseError(message, cause=None, http_response=None)

Bases: UnknownError

Backend service responded with an unexpected or malformed response.

UserDisabledError

exception firebase_admin.auth.UserDisabledError(message, cause=None, http_response=None)

Bases: InvalidArgumentError

An operation failed due to a user record being disabled.

default_message = 'The user record is disabled'

UserNotFoundError

exception firebase_admin.auth.UserNotFoundError(message, cause=None, http_response=None)

Bases: NotFoundError

No user record found for the specified identifier.

default_message = 'No user record found for the given identifier'

Classes

ActionCodeSettings

class firebase_admin.auth.ActionCodeSettings(url: str, handle_code_in_app: bool | None = None, dynamic_link_domain: str | None = None, ios_bundle_id: str | None = None, android_package_name: str | None = None, android_install_app: str | None = None, android_minimum_version: str | None = None, link_domain: str | None = None)

Bases: object

Contains required continue/state URL with optional Android and iOS settings. Used when invoking the email action link generation APIs.

Client

class firebase_admin.auth.Client(app, tenant_id=None)

Bases: object

Firebase Authentication client scoped to a specific tenant.

create_custom_token(uid, developer_claims=None)

Builds and signs a Firebase custom auth token.

Parameters:
  • uid – ID of the user for whom the token is created.

  • developer_claims – A dictionary of claims to be included in the token (optional).

Returns:

A token minted from the input parameters.

Return type:

bytes

Raises:
  • ValueError – If input parameters are invalid.

  • TokenSignError – If an error occurs while signing the token using the remote IAM service.

create_oidc_provider_config(provider_id, client_id, issuer, display_name=None, enabled=None, client_secret=None, id_token_response_type=None, code_response_type=None)

Creates a new OIDC provider config from the given parameters.

OIDC provider support requires Google Cloud’s Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see https://cloud.google.com/identity-platform.

Parameters:
  • provider_id – Provider ID string. Must have the prefix "oidc.".

  • client_id – Client ID of the new config.

  • issuer – Issuer of the new config. Must be a valid URL.

  • display_name – The user-friendly display name to the current configuration (optional). This name is also used as the provider label in the Cloud Console.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional). A user cannot sign in using a disabled provider.

  • client_secret – A string which sets the client secret for the new provider. This is required for the code flow.

  • code_response_type – A boolean which sets whether to enable the code response flow for the new provider. By default, this is not enabled if no response type is specified. A client secret must be set for this response type. Having both the code and ID token response flows is currently not supported.

  • id_token_response_type – A boolean which sets whether to enable the ID token response flow for the new provider. By default, this is enabled if no response type is specified. Having both the code and ID token response flows is currently not supported.

Returns:

The newly created OIDC provider config instance.

Return type:

OIDCProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while creating the new OIDC provider config.

create_saml_provider_config(provider_id, idp_entity_id, sso_url, x509_certificates, rp_entity_id, callback_url, display_name=None, enabled=None)

Creates a new SAML provider config from the given parameters.

SAML provider support requires Google Cloud’s Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see https://cloud.google.com/identity-platform.

Parameters:
  • provider_id – Provider ID string. Must have the prefix "saml.".

  • idp_entity_id – The SAML IdP entity identifier.

  • sso_url – The SAML IdP SSO URL. Must be a valid URL.

  • x509_certificates – The list of SAML IdP X.509 certificates issued by CA for this provider. Multiple certificates are accepted to prevent outages during IdP key rotation (for example ADFS rotates every 10 days). When the Auth server receives a SAML response, it will match the SAML response with the certificate on record. Otherwise the response is rejected. Developers are expected to manage the certificate updates as keys are rotated.

  • rp_entity_id – The SAML relying party (service provider) entity ID. This is defined by the developer but needs to be provided to the SAML IdP.

  • callback_url – Callback URL string. This is fixed and must always be the same as the OAuth redirect URL provisioned by Firebase Auth, unless a custom authDomain is used.

  • display_name – The user-friendly display name to the current configuration (optional). This name is also used as the provider label in the Cloud Console.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional). A user cannot sign in using a disabled provider.

Returns:

The newly created SAML provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while creating the new SAML provider config.

create_user(**kwargs)

Creates a new user account with the specified properties.

Parameters:

**kwargs – A series of keyword arguments (optional).

Keyword Arguments:
  • uid – User ID to assign to the newly created user (optional).

  • display_name – The user’s display name (optional).

  • email – The user’s primary email (optional).

  • email_verified – A boolean indicating whether or not the user’s primary email is verified (optional).

  • phone_number – The user’s primary phone number (optional).

  • photo_url – The user’s photo URL (optional).

  • password – The user’s raw, unhashed password. (optional).

  • disabled – A boolean indicating whether or not the user account is disabled (optional).

Returns:

A UserRecord instance for the newly created user.

Return type:

UserRecord

Raises:
  • ValueError – If the specified user properties are invalid.

  • FirebaseError – If an error occurs while creating the user account.

delete_oidc_provider_config(provider_id)

Deletes the OIDCProviderConfig with the given ID.

Parameters:

provider_id – Provider ID string.

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the "oidc." prefix.

  • ConfigurationNotFoundError – If no OIDC provider is available with the given identifier.

  • FirebaseError – If an error occurs while deleting the OIDC provider.

delete_saml_provider_config(provider_id)

Deletes the SAMLProviderConfig with the given ID.

Parameters:

provider_id – Provider ID string.

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the "saml." prefix.

  • ConfigurationNotFoundError – If no SAML provider is available with the given identifier.

  • FirebaseError – If an error occurs while deleting the SAML provider.

delete_user(uid)

Deletes the user identified by the specified user ID.

Parameters:

uid – A user ID string.

Raises:
  • ValueError – If the user ID is None, empty or malformed.

  • FirebaseError – If an error occurs while deleting the user account.

delete_users(uids)

Deletes the users specified by the given identifiers.

Deleting a non-existing user does not generate an error (the method is idempotent.) Non-existing users are considered to be successfully deleted and are therefore included in the DeleteUserResult.success_count value.

A maximum of 1000 identifiers may be supplied. If more than 1000 identifiers are supplied, this method raises a ValueError.

Parameters:

uids – A list of strings indicating the uids of the users to be deleted. Must have <= 1000 entries.

Returns:

The total number of successful/failed deletions, as well as the array of errors that correspond to the failed deletions.

Return type:

DeleteUsersResult

Raises:

ValueError – If any of the identifiers are invalid or if more than 1000 identifiers are specified.
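Added example (not part of the SDK or its documentation): one way to delete more than 1000 accounts without tripping the ValueError, while mapping each ErrorInfo back to the uid it refers to. The helper name, the stub client and the assumption that ErrorInfo.index is relative to the batch that was sent are this example's own.

```python
from types import SimpleNamespace

MAX_DELETE_BATCH = 1000  # per-call limit stated for delete_users()


def delete_users_in_batches(client, uids, batch_size=MAX_DELETE_BATCH):
    """Delete any number of uids; return (success_count, failures).

    failures is a list of (uid, reason) tuples. ErrorInfo.index is treated
    as an offset into the batch that was sent (assumption), so it is mapped
    back to the uid before the batch is forgotten.
    """
    if not 0 < batch_size <= MAX_DELETE_BATCH:
        raise ValueError("batch_size must be between 1 and 1000")
    # De-duplicate while keeping order so a repeated uid is not counted twice.
    uids = list(dict.fromkeys(uids))
    success, failures = 0, []
    for start in range(0, len(uids), batch_size):
        batch = uids[start:start + batch_size]
        result = client.delete_users(batch)
        # success_count also counts uids that never existed, so it confirms
        # "no longer present", not "was present and removed".
        success += result.success_count
        for err in result.errors:
            failures.append((batch[err.index], err.reason))
    return success, failures


class StubClient:
    """Constructed stand-in for auth.Client so the example runs offline.

    It refuses to delete any uid that starts with 'locked-'.
    """

    def __init__(self):
        self.batch_sizes = []

    def delete_users(self, uids):
        if len(uids) > MAX_DELETE_BATCH:
            raise ValueError("more than 1000 identifiers")
        self.batch_sizes.append(len(uids))
        errors = [
            SimpleNamespace(index=i, reason="constructed failure")
            for i, uid in enumerate(uids)
            if uid.startswith("locked-")
        ]
        return SimpleNamespace(
            success_count=len(uids) - len(errors),
            failure_count=len(errors),
            errors=errors,
        )


def demo():
    """Run the helper over 2500 constructed uids, one of which fails."""
    uids = ["u%d" % i for i in range(2500)]
    uids[1500] = "locked-a"
    client = StubClient()
    success, failures = delete_users_in_batches(client, uids)
    return client.batch_sizes, success, failures
```

Log the returned failures with their uids: an account that was meant to be removed but still exists is the case an offboarding or incident-response job has to surface.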

generate_email_verification_link(email, action_code_settings=None)

Generates the out-of-band email action link for email verification flows for the specified email address.

Parameters:
  • email – The email of the user to be verified.

  • action_code_settings – ActionCodeSettings instance (optional). Defines whether the link is to be handled by a mobile app and the additional state information to be passed in the deep link.

Returns:

The email verification link created by the API

Return type:

link

Raises:
  • ValueError – If the provided arguments are invalid

  • UserNotFoundError – If no user exists for the specified email address.

  • FirebaseError – If an error occurs while generating the link

generate_password_reset_link(email, action_code_settings=None)

Generates the out-of-band email action link for password reset flows for the specified email address.

Parameters:
  • email – The email of the user whose password is to be reset.

  • action_code_settings – ActionCodeSettings instance (optional). Defines whether the link is to be handled by a mobile app and the additional state information to be passed in the deep link.

Returns:

The password reset link created by the API

Return type:

link

Raises:
  • ValueError – If the provided arguments are invalid

  • EmailNotFoundError – If no user exists for the specified email address.

  • FirebaseError – If an error occurs while generating the link

generate_sign_in_with_email_link(email, action_code_settings)

Generates the out-of-band email action link for email link sign-in flows, using the action code settings provided.

Parameters:
  • email – The email of the user signing in.

  • action_code_settings – ActionCodeSettings instance. Defines whether the link is to be handled by a mobile app and the additional state information to be passed in the deep link.

Returns:

The email sign-in link created by the API

Return type:

link

Raises:
  • ValueError – If the provided arguments are invalid

  • FirebaseError – If an error occurs while generating the link

get_oidc_provider_config(provider_id)

Returns the OIDCProviderConfig with the given ID.

Parameters:

provider_id – Provider ID string.

Returns:

An OIDC provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the "oidc." prefix.

  • ConfigurationNotFoundError – If no OIDC provider is available with the given identifier.

  • FirebaseError – If an error occurs while retrieving the OIDC provider.

get_saml_provider_config(provider_id)

Returns the SAMLProviderConfig with the given ID.

Parameters:

provider_id – Provider ID string.

Returns:

A SAML provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the "saml." prefix.

  • ConfigurationNotFoundError – If no SAML provider is available with the given identifier.

  • FirebaseError – If an error occurs while retrieving the SAML provider.

get_user(uid)

Gets the user data corresponding to the specified user ID.

Parameters:

uid – A user ID string.

Returns:

A user record instance.

Return type:

UserRecord

Raises:
  • ValueError – If the user ID is None, empty or malformed.

  • UserNotFoundError – If the specified user ID does not exist.

  • FirebaseError – If an error occurs while retrieving the user.

get_user_by_email(email)

Gets the user data corresponding to the specified user email.

Parameters:

email – A user email address string.

Returns:

A user record instance.

Return type:

UserRecord

Raises:
  • ValueError – If the email is None, empty or malformed.

  • UserNotFoundError – If no user exists for the specified email address.

  • FirebaseError – If an error occurs while retrieving the user.

get_user_by_phone_number(phone_number)

Gets the user data corresponding to the specified phone number.

Parameters:

phone_number – A phone number string.

Returns:

A user record instance.

Return type:

UserRecord

Raises:
  • ValueError – If the phone number is None, empty or malformed.

  • UserNotFoundError – If no user exists for the specified phone number.

  • FirebaseError – If an error occurs while retrieving the user.

get_users(identifiers)

Gets the user data corresponding to the specified identifiers.

There are no ordering guarantees; in particular, the nth entry in the result list is not guaranteed to correspond to the nth entry in the input parameters list.

A maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied, this method raises a ValueError.

Parameters:

identifiers (list[Identifier]) – A list of Identifier instances used to indicate which user records should be returned. Must have <= 100 entries.

Returns:

A GetUsersResult instance corresponding to the specified identifiers.

Return type:

GetUsersResult

Raises:

ValueError – If any of the identifiers are invalid or if more than 100 identifiers are specified.

import_users(users, hash_alg=None)

Imports the specified list of users into Firebase Auth.

At most 1000 users can be imported at a time. This operation is optimized for bulk imports and ignores checks on identifier uniqueness, which could result in duplications. The hash_alg parameter must be specified when importing users with passwords. Refer to the UserImportHash class for supported hash algorithms.

Parameters:
  • users – A list of ImportUserRecord instances to import. Length of the list must not exceed 1000.

  • hash_alg – A UserImportHash object (optional). Required when importing users with passwords.

Returns:

An object summarizing the result of the import operation.

Return type:

UserImportResult

Raises:
  • ValueError – If the provided arguments are invalid.

  • FirebaseError – If an error occurs while importing users.

list_oidc_provider_configs(page_token=None, max_results=100)

Retrieves a page of OIDC provider configs from a Firebase project.

The page_token argument governs the starting point of the page. The max_results argument governs the maximum number of configs that may be included in the returned page. This function never returns None. If there are no OIDC configs in the Firebase project, this returns an empty page.

Parameters:
  • page_token – A non-empty page token string, which indicates the starting point of the page (optional). Defaults to None, which will retrieve the first page of users.

  • max_results – A positive integer indicating the maximum number of users to include in the returned page (optional). Defaults to 100, which is also the maximum number allowed.

Returns:

A page of OIDC provider config instances.

Return type:

ListProviderConfigsPage

Raises:
  • ValueError – If max_results or page_token are invalid.

  • FirebaseError – If an error occurs while retrieving the OIDC provider configs.

list_saml_provider_configs(page_token=None, max_results=100)

Retrieves a page of SAML provider configs from a Firebase project.

The page_token argument governs the starting point of the page. The max_results argument governs the maximum number of configs that may be included in the returned page. This function never returns None. If there are no SAML configs in the Firebase project, this returns an empty page.

Parameters:
  • page_token – A non-empty page token string, which indicates the starting point of the page (optional). Defaults to None, which will retrieve the first page of users.

  • max_results – A positive integer indicating the maximum number of users to include in the returned page (optional). Defaults to 100, which is also the maximum number allowed.

Returns:

A page of SAML provider config instances.

Return type:

ListProviderConfigsPage

Raises:
  • ValueError – If max_results or page_token are invalid.

  • FirebaseError – If an error occurs while retrieving the SAML provider configs.

list_users(page_token=None, max_results=1000)

Retrieves a page of user accounts from a Firebase project.

The page_token argument governs the starting point of the page. The max_results argument governs the maximum number of user accounts that may be included in the returned page. This function never returns None. If there are no user accounts in the Firebase project, this returns an empty page.

Parameters:
  • page_token – A non-empty page token string, which indicates the starting point of the page (optional). Defaults to None, which will retrieve the first page of users.

  • max_results – A positive integer indicating the maximum number of users to include in the returned page (optional). Defaults to 1000, which is also the maximum number allowed.

Returns:

A page of user accounts.

Return type:

ListUsersPage

Raises:
  • ValueError – If max_results or page_token are invalid.

  • FirebaseError – If an error occurs while retrieving the user accounts.

revoke_refresh_tokens(uid)

Revokes all refresh tokens for an existing user.

This method updates the user’s tokens_valid_after_timestamp to the current UTC in seconds since the epoch. It is important that the server on which this is called has its clock set correctly and synchronized.

While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use verify_id_token(idToken, check_revoked=True).

Parameters:

uid – A user ID string.

Raises:
  • ValueError – If the user ID is None, empty or malformed.

  • FirebaseError – If an error occurs while revoking the refresh token.
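Added example (not from the SDK documentation): a request-authentication helper that always passes check_revoked=True and maps the exception classes listed on this page to distinct outcomes. The function name, status codes and reason strings are this example's choices; make_stub() builds constructed stand-ins for an auth.Client and for the firebase_admin.auth exception classes so the code runs offline.

```python
from types import SimpleNamespace


def authenticate(client, errors, id_token):
    """Map verify_id_token() outcomes to (http_status, claims, reason).

    client: object exposing verify_id_token(), e.g. an auth.Client.
    errors: namespace holding the exception classes, e.g. firebase_admin.auth.
    """
    try:
        # check_revoked=True makes the verifier consult the user record, so a
        # token minted before revoke_refresh_tokens() is rejected instead of
        # staying usable until its natural expiration.
        claims = client.verify_id_token(id_token, check_revoked=True)
    # Subclasses first: Revoked and Expired both derive from InvalidIdTokenError.
    except errors.RevokedIdTokenError:
        return 401, None, "revoked"
    except errors.ExpiredIdTokenError:
        return 401, None, "expired"
    except errors.InvalidIdTokenError:
        return 401, None, "invalid"
    except errors.UserDisabledError:
        return 403, None, "user_disabled"
    except errors.CertificateFetchError:
        # Verification could not run at all: fail closed, never allow.
        return 503, None, "verification_unavailable"
    except ValueError:
        return 401, None, "malformed"  # empty or non-string token
    return 200, claims, "ok"


def make_stub():
    """Constructed offline stand-ins mirroring the hierarchy on this page."""
    class InvalidIdTokenError(Exception):
        pass

    class ExpiredIdTokenError(InvalidIdTokenError):
        pass

    class RevokedIdTokenError(InvalidIdTokenError):
        pass

    class UserDisabledError(Exception):
        pass

    class CertificateFetchError(Exception):
        pass

    errors = SimpleNamespace(
        InvalidIdTokenError=InvalidIdTokenError,
        ExpiredIdTokenError=ExpiredIdTokenError,
        RevokedIdTokenError=RevokedIdTokenError,
        UserDisabledError=UserDisabledError,
        CertificateFetchError=CertificateFetchError,
    )
    always = {
        "tok-expired": ExpiredIdTokenError,
        "tok-garbage": InvalidIdTokenError,
        "tok-nocerts": CertificateFetchError,
    }
    # These two are only detected when the user record is consulted.
    on_lookup = {
        "tok-revoked": RevokedIdTokenError,
        "tok-disabled": UserDisabledError,
    }

    def verify_id_token(id_token, check_revoked=False, clock_skew_seconds=0):
        if not isinstance(id_token, str) or not id_token:
            raise ValueError("illegal ID token")
        exc = always.get(id_token)
        if exc is None and check_revoked:
            exc = on_lookup.get(id_token)
        if exc is not None:
            raise exc(id_token)
        return {"uid": "constructed-uid"}

    return SimpleNamespace(verify_id_token=verify_id_token), errors
```

With the default check_revoked=False the stub, like the real verifier, accepts the revoked token; the difference only shows when the flag is set.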

set_custom_user_claims(uid, custom_claims)

Sets additional claims on an existing user account.

Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user’s ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger than 1000 characters when serialized into a JSON string.

Parameters:
  • uid – A user ID string.

  • custom_claims – A dictionary or a JSON string of custom claims. Pass None to unset any claims set previously.

Raises:
  • ValueError – If the specified user ID or the custom claims are invalid.

  • FirebaseError – If an error occurs while updating the user account.
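Added example (not the SDK's own validation code): a pre-flight check that a service can run before calling set_custom_user_claims(), so that claims which grant privileges are restricted to an allow-list and the reserved-name and 1000-character rules are reported together. The page names only sub, iat and iss as reserved; the rest of RESERVED_CLAIMS, the allow-list policy, the helper names and measuring the size with json.dumps defaults are assumptions of this example.

```python
import json

MAX_CLAIMS_CHARS = 1000  # limit stated for set_custom_user_claims()

# The page names sub, iat and iss; the remaining entries are an assumption
# (registered OIDC/JWT claim names plus "firebase").
RESERVED_CLAIMS = frozenset({
    "acr", "amr", "at_hash", "aud", "auth_time", "azp", "c_hash", "cnf",
    "exp", "firebase", "iat", "iss", "jti", "nbf", "nonce", "sub",
})


def check_custom_claims(claims, allowed_keys):
    """Return a list of problems; an empty list means the payload is acceptable.

    allowed_keys is the application's own allow-list of claim names
    (hypothetical policy, not something the SDK enforces).
    """
    if claims is None:
        return []  # None unsets previously stored claims
    if not isinstance(claims, dict):
        return ["claims must be a dict or None"]
    if any(not isinstance(key, str) for key in claims):
        return ["claim names must be strings"]

    problems = []
    keys = set(claims)
    reserved = sorted(keys & RESERVED_CLAIMS)
    if reserved:
        problems.append("reserved claim(s): " + ", ".join(reserved))
    unknown = sorted(keys - RESERVED_CLAIMS - set(allowed_keys))
    if unknown:
        problems.append("claim(s) outside allow-list: " + ", ".join(unknown))
    try:
        size = len(json.dumps(claims))
    except (TypeError, ValueError):
        problems.append("claims are not JSON-serializable")
    else:
        if size > MAX_CLAIMS_CHARS:
            problems.append(
                "serialized payload is %d characters (limit %d)"
                % (size, MAX_CLAIMS_CHARS)
            )
    return problems


def set_checked_claims(client, uid, claims, allowed_keys):
    """Call client.set_custom_user_claims() only for an acceptable payload."""
    problems = check_custom_claims(claims, allowed_keys)
    if problems:
        raise ValueError("; ".join(problems))
    client.set_custom_user_claims(uid, claims)


class RecordingClient:
    """Constructed stand-in for auth.Client that records accepted calls."""

    def __init__(self):
        self.calls = []

    def set_custom_user_claims(self, uid, custom_claims):
        self.calls.append((uid, custom_claims))
```

Because claims surface in the user's ID token and are typically read by authorization rules, build the dict server-side from a vetted role rather than forwarding request fields into it.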

update_oidc_provider_config(provider_id, client_id=None, issuer=None, display_name=None, enabled=None, client_secret=None, id_token_response_type=None, code_response_type=None)

Updates an existing OIDC provider config with the given parameters.

Parameters:
  • provider_id – Provider ID string. Must have the prefix "oidc.".

  • client_id – Client ID of the new config (optional).

  • issuer – Issuer of the new config (optional). Must be a valid URL.

  • display_name – The user-friendly display name to the current configuration (optional). Pass auth.DELETE_ATTRIBUTE to delete the current display name.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional).

  • client_secret – A string which sets the client secret for the new provider. This is required for the code flow.

  • code_response_type – A boolean which sets whether to enable the code response flow for the new provider. By default, this is not enabled if no response type is specified. A client secret must be set for this response type. Having both the code and ID token response flows is currently not supported.

  • id_token_response_type – A boolean which sets whether to enable the ID token response flow for the new provider. By default, this is enabled if no response type is specified. Having both the code and ID token response flows is currently not supported.

Returns:

The updated OIDC provider config instance.

Return type:

OIDCProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while updating the OIDC provider config.

update_saml_provider_config(provider_id, idp_entity_id=None, sso_url=None, x509_certificates=None, rp_entity_id=None, callback_url=None, display_name=None, enabled=None)

Updates an existing SAML provider config with the given parameters.

Parameters:
  • provider_id – Provider ID string. Must have the prefix "saml.".

  • idp_entity_id – The SAML IdP entity identifier (optional).

  • sso_url – The SAML IdP SSO URL. Must be a valid URL (optional).

  • x509_certificates – The list of SAML IdP X.509 certificates issued by CA for this provider (optional).

  • rp_entity_id – The SAML relying party entity ID (optional).

  • callback_url – Callback URL string (optional).

  • display_name – The user-friendly display name of the current configuration (optional). Pass auth.DELETE_ATTRIBUTE to delete the current display name.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional).

Returns:

The updated SAML provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while updating the SAML provider config.

update_user(uid, **kwargs)

Updates an existing user account with the specified properties.

Parameters:
  • uid – A user ID string.

  • **kwargs – A series of keyword arguments (optional).

Keyword Arguments:
  • display_name – The user’s display name (optional). Can be removed by explicitly passing auth.DELETE_ATTRIBUTE.

  • email – The user’s primary email (optional).

  • email_verified – A boolean indicating whether or not the user’s primary email is verified (optional).

  • phone_number – The user’s primary phone number (optional). Can be removed by explicitly passing auth.DELETE_ATTRIBUTE.

  • photo_url – The user’s photo URL (optional). Can be removed by explicitly passing auth.DELETE_ATTRIBUTE.

  • password – The user’s raw, unhashed password (optional).

  • disabled – A boolean indicating whether or not the user account is disabled (optional).

  • custom_claims – A dictionary or a JSON string containing the custom claims to be set on the user account (optional). To remove all custom claims, pass auth.DELETE_ATTRIBUTE.

  • valid_since – An integer signifying the seconds since the epoch (optional). This field is set by revoke_refresh_tokens and it is discouraged to set this field directly.

  • providers_to_delete – The list of provider IDs to unlink, e.g. ‘google.com’, ‘password’, etc.

Returns:

An updated UserRecord instance for the user.

Return type:

UserRecord

Raises:
  • ValueError – If the specified user ID or properties are invalid.

  • FirebaseError – If an error occurs while updating the user account.

verify_id_token(id_token, check_revoked=False, clock_skew_seconds=0)

Verifies the signature and data for the provided JWT.

Accepts a signed token string, verifies that it is current, was issued to this project, and that it was correctly signed by Google.

Parameters:
  • id_token – A string of the encoded JWT.

  • check_revoked – Boolean. If true, checks whether the token has been revoked or the user disabled (optional).

  • clock_skew_seconds – The number of seconds to tolerate when checking the token. Must be between 0-60. Defaults to 0.

Returns:

A dictionary of key-value pairs parsed from the decoded JWT.

Return type:

dict

Raises:

property tenant_id

Tenant ID associated with this client.

DeleteUsersResult

class firebase_admin.auth.DeleteUsersResult(result, total)

Bases: object

Represents the result of the auth.delete_users() API.

property errors

A list of auth.ErrorInfo instances describing the errors that were encountered during the deletion. Length of this list is equal to failure_count.

property failure_count

Returns the number of users that failed to be deleted (possibly zero).

property success_count

Returns the number of users that were deleted successfully (possibly zero).

Users that did not exist prior to calling delete_users() are considered to be successfully deleted.

EmailIdentifier

class firebase_admin.auth.EmailIdentifier(email)

Bases: UserIdentifier

Used for looking up an account by email.

See auth.get_user().

property email

ErrorInfo

class firebase_admin.auth.ErrorInfo(error)

Bases: object

Represents an error encountered while performing a batch operation such as importing users or deleting multiple user accounts.

property index
property reason

ExportedUserRecord

class firebase_admin.auth.ExportedUserRecord(data)

Bases: UserRecord

Contains metadata associated with a user including password hash and salt.

property password_hash

The user’s password hash as a base64-encoded string.

If the Firebase Auth hashing algorithm (SCRYPT) was used to create the user account, this is the base64-encoded password hash of the user. If a different hashing algorithm was used to create this user, as is typical when migrating from another Auth system, this is an empty string. If no password is set, or if the service account doesn’t have permission to read the password, then this is None.

property password_salt

The user’s password salt as a base64-encoded string.

If the Firebase Auth hashing algorithm (SCRYPT) was used to create the user account, this is the base64-encoded password salt of the user. If a different hashing algorithm was used to create this user, as is typical when migrating from another Auth system, this is an empty string. If no password is set, or if the service account doesn’t have permission to read the password, then this is None.

GetUsersResult

class firebase_admin.auth.GetUsersResult(users, not_found)

Bases: object

Represents the result of the auth.get_users() API.

property not_found

Set of UserIdentifier instances that were requested, but not found.

property users

Set of UserRecord instances, corresponding to the set of users that were requested. Only users that were found are listed here. The result set is unordered.

ImportUserRecord

class firebase_admin.auth.ImportUserRecord(uid, email=None, email_verified=None, display_name=None, phone_number=None, photo_url=None, disabled=None, user_metadata=None, provider_data=None, custom_claims=None, password_hash=None, password_salt=None)

Bases: object

Represents a user account to be imported to Firebase Auth.

Must specify the uid field at a minimum. A sequence of ImportUserRecord objects can be passed to the auth.import_users() function, in order to import those users into Firebase Auth in bulk. If the password_hash is set on a user, a hash configuration must be specified when calling import_users().

Parameters:
  • uid – User’s unique ID. Must be a non-empty string not longer than 128 characters.

  • email – User’s email address (optional).

  • email_verified – A boolean indicating whether the user’s email has been verified (optional).

  • display_name – User’s display name (optional).

  • phone_number – User’s phone number (optional).

  • photo_url – User’s photo URL (optional).

  • disabled – A boolean indicating whether this user account has been disabled (optional).

  • user_metadata – An auth.UserMetadata instance with additional user metadata (optional).

  • provider_data – A list of auth.UserProvider instances (optional).

  • custom_claims – A dict of custom claims to be set on the user account (optional).

  • password_hash – User’s password hash as a bytes sequence (optional).

  • password_salt – User’s password salt as a bytes sequence (optional).

Raises:

ValueError – If provided arguments are invalid.

to_dict()

Returns a dict representation of the user. For internal use only.

property custom_claims
property display_name
property email
property password_hash
property password_salt
property phone_number
property photo_url
property provider_data
property uid
property user_metadata

ListProviderConfigsPage

class firebase_admin.auth.ListProviderConfigsPage(download, page_token, max_results)

Bases: object

Represents a page of AuthProviderConfig instances retrieved from a Firebase project.

Provides methods for traversing the provider configs included in this page, as well as retrieving subsequent pages. The iterator returned by iterate_all() can be used to iterate through all provider configs in the Firebase project starting from this page.

get_next_page()

Retrieves the next page of provider configs, if available.

Returns:

Next page of provider configs, or None if this is the last page.

Return type:

ListProviderConfigsPage

iterate_all()

Retrieves an iterator for provider configs.

Returned iterator will iterate through all the provider configs in the Firebase project starting from this page. The iterator will never buffer more than one page of configs in memory at a time.

Returns:

An iterator of AuthProviderConfig instances.

Return type:

iterator

property has_next_page

A boolean indicating whether more pages are available.

property next_page_token

Page token string for the next page (empty string indicates no more pages).

property provider_configs

A list of AuthProviderConfig instances available in this page.

ListUsersPage

class firebase_admin.auth.ListUsersPage(download, page_token, max_results)

Bases: object

Represents a page of user records exported from a Firebase project.

Provides methods for traversing the user accounts included in this page, as well as retrieving subsequent pages of users. The iterator returned by iterate_all() can be used to iterate through all users in the Firebase project starting from this page.

get_next_page()

Retrieves the next page of user accounts, if available.

Returns:

Next page of users, or None if this is the last page.

Return type:

ListUsersPage

iterate_all()

Retrieves an iterator for user accounts.

Returned iterator will iterate through all the user accounts in the Firebase project starting from this page. The iterator will never buffer more than one page of users in memory at a time.

Returns:

An iterator of ExportedUserRecord instances.

Return type:

iterator

property has_next_page

A boolean indicating whether more pages are available.

property next_page_token

Page token string for the next page (empty string indicates no more pages).

property users

A list of ExportedUserRecord instances available in this page.

OIDCProviderConfig

class firebase_admin.auth.OIDCProviderConfig(data)

Bases: ProviderConfig

Represents the OIDC auth provider configuration.

See https://openid.net/specs/openid-connect-core-1_0-final.html.

property client_id
property client_secret
property code_response_type
property id_token_response_type
property issuer

PhoneIdentifier

class firebase_admin.auth.PhoneIdentifier(phone_number)

Bases: UserIdentifier

Used for looking up an account by phone number.

See auth.get_user().

property phone_number

ProviderConfig

class firebase_admin.auth.ProviderConfig(data)

Bases: object

Parent type for all authentication provider config types.

property display_name
property enabled
property provider_id

ProviderIdentifier

class firebase_admin.auth.ProviderIdentifier(provider_id, provider_uid)

Bases: UserIdentifier

Used for looking up an account by provider.

See auth.get_user().

property provider_id
property provider_uid

SAMLProviderConfig

class firebase_admin.auth.SAMLProviderConfig(data)

Bases: ProviderConfig

Represents the SAML auth provider configuration.

See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.

property callback_url
property idp_entity_id
property rp_entity_id
property sso_url
property x509_certificates

UidIdentifier

class firebase_admin.auth.UidIdentifier(uid)

Bases: UserIdentifier

Used for looking up an account by uid.

See auth.get_user().

property uid

UserIdentifier

class firebase_admin.auth.UserIdentifier

Bases: object

Identifies a user to be looked up.

UserImportHash

class firebase_admin.auth.UserImportHash(name, data=None)

Bases: object

Represents a hash algorithm used to hash user passwords.

An instance of this class must be specified when importing users with passwords via the auth.import_users() API. Use one of the provided class methods to obtain new instances when required. Refer to documentation for more details.

classmethod bcrypt()

Creates a new Bcrypt algorithm instance.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod hmac_md5(key)

Creates a new HMAC MD5 algorithm instance.

Parameters:

key – Signer key as a byte sequence.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod hmac_sha1(key)

Creates a new HMAC SHA1 algorithm instance.

Parameters:

key – Signer key as a byte sequence.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod hmac_sha256(key)

Creates a new HMAC SHA256 algorithm instance.

Parameters:

key – Signer key as a byte sequence.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod hmac_sha512(key)

Creates a new HMAC SHA512 algorithm instance.

Parameters:

key – Signer key as a byte sequence.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod md5(rounds)

Creates a new MD5 algorithm instance.

Parameters:

rounds – Number of rounds. Must be an integer between 0 and 8192.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod pbkdf2_sha256(rounds)

Creates a new PBKDF2 SHA256 algorithm instance.

Parameters:

rounds – Number of rounds. Must be an integer between 0 and 120000.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod pbkdf_sha1(rounds)

Creates a new PBKDF SHA1 algorithm instance.

Parameters:

rounds – Number of rounds. Must be an integer between 0 and 120000.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod scrypt(key, rounds, memory_cost, salt_separator=None)

Creates a new Scrypt algorithm instance.

This is the modified Scrypt algorithm used by Firebase Auth. See the standard_scrypt() function for the standard Scrypt algorithm.

Parameters:
  • key – Signer key as a byte sequence.

  • rounds – Number of rounds. Must be an integer between 1 and 8.

  • memory_cost – Memory cost as an integer between 1 and 14.

  • salt_separator – Salt separator as a byte sequence (optional).

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod sha1(rounds)

Creates a new SHA1 algorithm instance.

Parameters:

rounds – Number of rounds. Must be an integer between 1 and 8192.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod sha256(rounds)

Creates a new SHA256 algorithm instance.

Parameters:

rounds – Number of rounds. Must be an integer between 1 and 8192.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod sha512(rounds)

Creates a new SHA512 algorithm instance.

Parameters:

rounds – Number of rounds. Must be an integer between 1 and 8192.

Returns:

A new UserImportHash.

Return type:

UserImportHash

classmethod standard_scrypt(memory_cost, parallelization, block_size, derived_key_length)

Creates a new standard Scrypt algorithm instance.

Parameters:
  • memory_cost – CPU Memory cost as a non-negative integer.

  • parallelization – Parallelization as a non-negative integer.

  • block_size – Block size as a non-negative integer.

  • derived_key_length – Derived key length as a non-negative integer.

Returns:

A new UserImportHash.

Return type:

UserImportHash

to_dict()

UserImportResult

class firebase_admin.auth.UserImportResult(result, total)

Bases: object

Represents the result of a bulk user import operation.

See auth.import_users() API for more details.

property errors

Returns a list of auth.ErrorInfo instances describing the errors encountered.

property failure_count

Returns the number of users that failed to be imported.

property success_count

Returns the number of users successfully imported.

UserInfo

class firebase_admin.auth.UserInfo

Bases: object

A collection of standard profile information for a user.

Used to expose profile information returned by an identity provider.

property display_name

Returns the display name of this user.

property email

Returns the email address associated with this user.

property phone_number

Returns the phone number associated with this user.

property photo_url

Returns the photo URL of this user.

property provider_id

Returns the ID of the identity provider.

This can be a short domain name (e.g. google.com), or the identity of an OpenID identity provider.

property uid

Returns the user ID of this user.

UserMetadata

class firebase_admin.auth.UserMetadata(creation_timestamp=None, last_sign_in_timestamp=None, last_refresh_timestamp=None)

Bases: object

Contains additional metadata associated with a user account.

property creation_timestamp

Creation timestamp in milliseconds since the epoch.

Returns:

The user creation timestamp in milliseconds since the epoch.

Return type:

integer

property last_refresh_timestamp

The time at which the user was last active (ID token refreshed).

Returns:

Milliseconds since epoch timestamp, or None if the user was never active.

Return type:

integer

property last_sign_in_timestamp

Last sign in timestamp in milliseconds since the epoch.

Returns:

The last sign in timestamp in milliseconds since the epoch.

Return type:

integer

UserProvider

class firebase_admin.auth.UserProvider(uid, provider_id, email=None, display_name=None, photo_url=None)

Bases: object

Represents a user identity provider that can be associated with a Firebase user.

One or more providers can be specified in an ImportUserRecord when importing users via auth.import_users().

Parameters:
  • uid – User’s unique ID assigned by the identity provider.

  • provider_id – ID of the identity provider. This can be a short domain name or the identifier of an OpenID identity provider.

  • email – User’s email address (optional).

  • display_name – User’s display name (optional).

  • photo_url – User’s photo URL (optional).

to_dict()
property display_name
property email
property photo_url
property provider_id
property uid

UserRecord

class firebase_admin.auth.UserRecord(data)

Bases: UserInfo

Contains metadata associated with a Firebase user account.

property custom_claims

Returns any custom claims set on this user account.

Returns:

A dictionary of claims or None.

Return type:

dict

property disabled

Returns whether this user account is disabled.

Returns:

True if the user account is disabled, and False otherwise.

Return type:

bool

property display_name

Returns the display name of this user.

Returns:

A display name string or None.

Return type:

string

property email

Returns the email address associated with this user.

Returns:

An email address string or None.

Return type:

string

property email_verified

Returns whether the email address of this user has been verified.

Returns:

True if the email has been verified, and False otherwise.

Return type:

bool

property phone_number

Returns the phone number associated with this user.

Returns:

A phone number string or None.

Return type:

string

property photo_url

Returns the photo URL of this user.

Returns:

A URL string or None.

Return type:

string

property provider_data

Returns a list of UserInfo instances.

Each object represents an identity from an identity provider that is linked to this user.

Returns:

A list of UserInfo objects, which may be empty.

Return type:

list

property provider_id

Returns the provider ID of this user.

Returns:

A constant provider ID value.

Return type:

string

property tenant_id

Returns the tenant ID of this user.

Returns:

A tenant ID string or None.

Return type:

string

property tokens_valid_after_timestamp

Returns the time, in milliseconds since the epoch, before which tokens are invalid.

Note: this is truncated to 1 second accuracy.

Returns:

Timestamp in milliseconds since the epoch, truncated to the second. All tokens issued before that time are considered revoked.

Return type:

int

property uid

Returns the user ID of this user.

Returns:

A user ID string. This value is never None or empty.

Return type:

string

property user_metadata

Returns additional metadata associated with this user.

Returns:

A UserMetadata instance. Does not return None.

Return type:

UserMetadata

Functions

create_custom_token

firebase_admin.auth.create_custom_token(uid, developer_claims=None, app=None)

Builds and signs a Firebase custom auth token.

Parameters:
  • uid – ID of the user for whom the token is created.

  • developer_claims – A dictionary of claims to be included in the token (optional).

  • app – An App instance (optional).

Returns:

A token minted from the input parameters.

Return type:

bytes

Raises:
  • ValueError – If input parameters are invalid.

  • TokenSignError – If an error occurs while signing the token using the remote IAM service.

create_oidc_provider_config

firebase_admin.auth.create_oidc_provider_config(provider_id, client_id, issuer, display_name=None, enabled=None, client_secret=None, id_token_response_type=None, code_response_type=None, app=None)

Creates a new OIDC provider config from the given parameters.

OIDC provider support requires Google Cloud’s Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see https://cloud.google.com/identity-platform.

Parameters:
  • provider_id – Provider ID string. Must have the oidc. prefix.

  • client_id – Client ID of the new config.

  • issuer – Issuer of the new config. Must be a valid URL.

  • display_name – The user-friendly display name to the current configuration (optional). This name is also used as the provider label in the Cloud Console.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional). A user cannot sign in using a disabled provider.

  • app – An App instance (optional).

  • client_secret – A string which sets the client secret for the new provider. This is required for the code flow.

  • code_response_type – A boolean which sets whether to enable the code response flow for the new provider. By default, this is not enabled if no response type is specified. A client secret must be set for this response type. Having both the code and ID token response flows is currently not supported.

  • id_token_response_type – A boolean which sets whether to enable the ID token response flow for the new provider. By default, this is enabled if no response type is specified. Having both the code and ID token response flows is currently not supported.

Returns:

The newly created OIDC provider config instance.

Return type:

OIDCProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while creating the new OIDC provider config.

create_saml_provider_config

firebase_admin.auth.create_saml_provider_config(provider_id, idp_entity_id, sso_url, x509_certificates, rp_entity_id, callback_url, display_name=None, enabled=None, app=None)

Creates a new SAML provider config from the given parameters.

SAML provider support requires Google Cloud’s Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see https://cloud.google.com/identity-platform.

Parameters:
  • provider_id – Provider ID string. Must have the saml. prefix.

  • idp_entity_id – The SAML IdP entity identifier.

  • sso_url – The SAML IdP SSO URL. Must be a valid URL.

  • x509_certificates – The list of SAML IdP X.509 certificates issued by CA for this provider. Multiple certificates are accepted to prevent outages during IdP key rotation (for example ADFS rotates every 10 days). When the Auth server receives a SAML response, it will match the SAML response with the certificate on record. Otherwise the response is rejected. Developers are expected to manage the certificate updates as keys are rotated.

  • rp_entity_id – The SAML relying party (service provider) entity ID. This is defined by the developer but needs to be provided to the SAML IdP.

  • callback_url – Callback URL string. This is fixed and must always be the same as the OAuth redirect URL provisioned by Firebase Auth, unless a custom authDomain is used.

  • display_name – The user-friendly display name to the current configuration (optional). This name is also used as the provider label in the Cloud Console.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional). A user cannot sign in using a disabled provider.

  • app – An App instance (optional).

Returns:

The newly created SAML provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while creating the new SAML provider config.

create_session_cookie

firebase_admin.auth.create_session_cookie(id_token, expires_in, app=None)

Creates a new Firebase session cookie from the given ID token and options.

The returned JWT can be set as a server-side session cookie with a custom cookie policy.

Parameters:
  • id_token – The Firebase ID token to exchange for a session cookie.

  • expires_in – Duration until the cookie is expired. This can be specified as a numeric seconds value or a datetime.timedelta instance.

  • app – An App instance (optional).

Returns:

A session cookie generated from the input parameters.

Return type:

bytes

Raises:
  • ValueError – If input parameters are invalid.

  • FirebaseError – If an error occurs while creating the cookie.

create_user

firebase_admin.auth.create_user(**kwargs)

Creates a new user account with the specified properties.

Parameters:

**kwargs – A series of keyword arguments (optional).

Keyword Arguments:
  • uid – User ID to assign to the newly created user (optional).

  • display_name – The user’s display name (optional).

  • email – The user’s primary email (optional).

  • email_verified – A boolean indicating whether or not the user’s primary email is verified (optional).

  • phone_number – The user’s primary phone number (optional).

  • photo_url – The user’s photo URL (optional).

  • password – The user’s raw, unhashed password (optional).

  • disabled – A boolean indicating whether or not the user account is disabled (optional).

  • app – An App instance (optional).

Returns:

A user record instance for the newly created user.

Return type:

UserRecord

Raises:
  • ValueError – If the specified user properties are invalid.

  • FirebaseError – If an error occurs while creating the user account.

delete_oidc_provider_config

firebase_admin.auth.delete_oidc_provider_config(provider_id, app=None)

Deletes the OIDCProviderConfig with the given ID.

Parameters:
  • provider_id – Provider ID string.

  • app – An App instance (optional).

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the oidc. prefix.

  • ConfigurationNotFoundError – If no OIDC provider is available with the given identifier.

  • FirebaseError – If an error occurs while deleting the OIDC provider.

delete_saml_provider_config

firebase_admin.auth.delete_saml_provider_config(provider_id, app=None)

Deletes the SAMLProviderConfig with the given ID.

Parameters:
  • provider_id – Provider ID string.

  • app – An App instance (optional).

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the saml. prefix.

  • ConfigurationNotFoundError – If no SAML provider is available with the given identifier.

  • FirebaseError – If an error occurs while deleting the SAML provider.

delete_user

firebase_admin.auth.delete_user(uid, app=None)

Deletes the user identified by the specified user ID.

Parameters:
  • uid – A user ID string.

  • app – An App instance (optional).

Raises:
  • ValueError – If the user ID is None, empty or malformed.

  • FirebaseError – If an error occurs while deleting the user account.

delete_users

firebase_admin.auth.delete_users(uids, app=None)

Deletes the users specified by the given identifiers.

Deleting a non-existing user does not generate an error (the method is idempotent). Non-existing users are considered to be successfully deleted and are therefore included in the DeleteUsersResult.success_count value.

A maximum of 1000 identifiers may be supplied. If more than 1000 identifiers are supplied, this method raises a ValueError.

Parameters:
  • uids – A list of strings indicating the uids of the users to be deleted. Must have <= 1000 entries.

  • app – An App instance (optional).

Returns:

The total number of successful/failed deletions, as well as the array of errors that correspond to the failed deletions.

Return type:

DeleteUsersResult

Raises:

ValueError – If any of the identifiers are invalid or if more than 1000 identifiers are specified.

generate_email_verification_link

firebase_admin.auth.generate_email_verification_link(email, action_code_settings=None, app=None)

Generates the out-of-band email action link for email verification flows for the specified email address.

Parameters:
  • email – The email of the user to be verified.

  • action_code_settings – ActionCodeSettings instance (optional). Defines whether the link is to be handled by a mobile app and the additional state information to be passed in the deep link.

  • app – An App instance (optional).

Returns:

The email verification link created by the API

Return type:

link

Raises:
  • ValueError – If the provided arguments are invalid

  • FirebaseError – If an error occurs while generating the link

generate_password_reset_link

firebase_admin.auth.generate_password_reset_link(email, action_code_settings=None, app=None)

Generates the out-of-band email action link for password reset flows for the specified email address.

Parameters:
  • email – The email of the user whose password is to be reset.

  • action_code_settings – ActionCodeSettings instance (optional). Defines whether the link is to be handled by a mobile app and the additional state information to be passed in the deep link.

  • app – An App instance (optional).

Returns:

The password reset link created by the API

Return type:

link

Raises:
  • ValueError – If the provided arguments are invalid

  • FirebaseError – If an error occurs while generating the link

generate_sign_in_with_email_link

firebase_admin.auth.generate_sign_in_with_email_link(email, action_code_settings, app=None)

Generates the out-of-band email action link for email link sign-in flows, using the action code settings provided.

Parameters:
  • email – The email of the user signing in.

  • action_code_settings – ActionCodeSettings instance. Defines whether the link is to be handled by a mobile app and the additional state information to be passed in the deep link.

  • app – An App instance (optional).

Returns:

The email sign-in link created by the API

Return type:

link

Raises:
  • ValueError – If the provided arguments are invalid

  • FirebaseError – If an error occurs while generating the link

get_oidc_provider_config

firebase_admin.auth.get_oidc_provider_config(provider_id, app=None)

Returns the OIDCProviderConfig with the given ID.

Parameters:
  • provider_id – Provider ID string.

  • app – An App instance (optional).

Returns:

An OIDC provider config instance.

Return type:

OIDCProviderConfig

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the oidc. prefix.

  • ConfigurationNotFoundError – If no OIDC provider is available with the given identifier.

  • FirebaseError – If an error occurs while retrieving the OIDC provider.

get_saml_provider_config

firebase_admin.auth.get_saml_provider_config(provider_id, app=None)

Returns the SAMLProviderConfig with the given ID.

Parameters:
  • provider_id – Provider ID string.

  • app – An App instance (optional).

Returns:

A SAML provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If the provider ID is invalid, empty or does not have the saml. prefix.

  • ConfigurationNotFoundError – If no SAML provider is available with the given identifier.

  • FirebaseError – If an error occurs while retrieving the SAML provider.

get_user

firebase_admin.auth.get_user(uid, app=None)

Gets the user data corresponding to the specified user ID.

Parameters:
  • uid – A user ID string.

  • app – An App instance (optional).

Returns:

A user record instance.

Return type:

UserRecord

Raises:
  • ValueError – If the user ID is None, empty or malformed.

  • UserNotFoundError – If the specified user ID does not exist.

  • FirebaseError – If an error occurs while retrieving the user.

get_user_by_email

firebase_admin.auth.get_user_by_email(email, app=None)

Gets the user data corresponding to the specified user email.

Parameters:
  • email – A user email address string.

  • app – An App instance (optional).

Returns:

A user record instance.

Return type:

UserRecord

Raises:
  • ValueError – If the email is None, empty or malformed.

  • UserNotFoundError – If no user exists by the specified email address.

  • FirebaseError – If an error occurs while retrieving the user.

get_user_by_phone_number

firebase_admin.auth.get_user_by_phone_number(phone_number, app=None)

Gets the user data corresponding to the specified phone number.

Parameters:
  • phone_number – A phone number string.

  • app – An App instance (optional).

Returns:

A user record instance.

Return type:

UserRecord

Raises:
  • ValueError – If the phone number is None, empty or malformed.

  • UserNotFoundError – If no user exists by the specified phone number.

  • FirebaseError – If an error occurs while retrieving the user.

get_users

firebase_admin.auth.get_users(identifiers, app=None)

Gets the user data corresponding to the specified identifiers.

There are no ordering guarantees; in particular, the nth entry in the result list is not guaranteed to correspond to the nth entry in the input parameters list.

A maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied, this method raises a ValueError.

Parameters:
  • identifiers (list[UserIdentifier]) – A list of UserIdentifier instances used to indicate which user records should be returned. Must have <= 100 entries.

  • app – An App instance (optional).

Returns:

A GetUsersResult instance corresponding to the specified identifiers.

Return type:

GetUsersResult

Raises:

ValueError – If any of the identifiers are invalid or if more than 100 identifiers are specified.

import_users

firebase_admin.auth.import_users(users, hash_alg=None, app=None)

Imports the specified list of users into Firebase Auth.

At most 1000 users can be imported at a time. This operation is optimized for bulk imports and will ignore checks on identifier uniqueness which could result in duplications. The hash_alg parameter must be specified when importing users with passwords. Refer to the UserImportHash class for supported hash algorithms.

Parameters:
  • users – A list of ImportUserRecord instances to import. Length of the list must not exceed 1000.

  • hash_alg – A UserImportHash object (optional). Required when importing users with passwords.

  • app – An App instance (optional).

Returns:

An object summarizing the result of the import operation.

Return type:

UserImportResult

Raises:
  • ValueError – If the provided arguments are invalid.

  • FirebaseError – If an error occurs while importing users.
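
A pre-flight pass for the bulk import described above, as an added example that is not part of the SDK or of this reference. It enforces the 128-character uid limit and the 1000-user batch limit stated here, and rejects duplicate uids and emails because import_users() skips uniqueness checks. The row layout, the helper names and the choice of HMAC SHA256 are assumptions; `run_import` needs firebase_admin and an initialized app.

```python
from collections import Counter

MAX_BATCH = 1000    # import_users(): at most 1000 users per call
MAX_UID_LEN = 128   # ImportUserRecord: uid is non-empty, at most 128 characters


def preflight(rows):
    """Split legacy rows (dicts of ImportUserRecord keyword arguments) into
    (clean_rows, problems); problems holds (row_index, reason) tuples."""
    uid_counts = Counter(r.get("uid") for r in rows if isinstance(r.get("uid"), str))
    # Assumption: emails are compared case-insensitively, to be conservative.
    email_counts = Counter(r["email"].lower() for r in rows if r.get("email"))
    clean, problems = [], []
    for index, row in enumerate(rows):
        reason = _first_problem(row, uid_counts, email_counts)
        if reason:
            problems.append((index, reason))
        else:
            clean.append(row)
    return clean, problems


def _first_problem(row, uid_counts, email_counts):
    uid = row.get("uid")
    if not isinstance(uid, str) or not uid or len(uid) > MAX_UID_LEN:
        return "uid must be a non-empty string of at most 128 characters"
    if uid_counts[uid] > 1:
        return "duplicate uid in import set"
    email = row.get("email")
    if email and email_counts[email.lower()] > 1:
        return "duplicate email in import set"
    for field in ("password_hash", "password_salt"):
        if row.get(field) is not None and not isinstance(row[field], bytes):
            return field + " must be a bytes sequence"
    return None


def batches(rows, size=MAX_BATCH):
    """Yield (offset, chunk) pairs with at most `size` rows per chunk."""
    for offset in range(0, len(rows), size):
        yield offset, rows[offset:offset + size]


def needs_hash_config(rows):
    """True when any row carries a password hash, so hash_alg is mandatory."""
    return any(r.get("password_hash") is not None for r in rows)


def run_import(rows, hmac_key=None):
    """Import clean rows; returns (absolute_row_index, reason) per failure."""
    from firebase_admin import auth  # lazy import: requires an initialized app

    hash_alg = None
    if needs_hash_config(rows):
        if not hmac_key:
            raise ValueError("rows carry password hashes but no signer key was given")
        hash_alg = auth.UserImportHash.hmac_sha256(key=hmac_key)
    failures = []
    for offset, chunk in batches(rows):
        records = [auth.ImportUserRecord(**row) for row in chunk]
        result = auth.import_users(records, hash_alg=hash_alg)
        # ErrorInfo.index is relative to the batch, so add the batch offset.
        failures += [(offset + err.index, err.reason) for err in result.errors]
    return failures


# Constructed sample rows (not real accounts).
SAMPLE_ROWS = [
    {"uid": "u-1001", "email": "ana@example.com", "password_hash": b"\x01" * 32},
    {"uid": "u-1002", "email": "Ana@example.com"},   # same email as row 0
    {"uid": "u-1003", "email": "li@example.com", "password_hash": "not-bytes"},
    {"uid": "x" * 129},                              # uid too long
    {"uid": "u-1005", "email": "sam@example.com"},
]

if __name__ == "__main__":
    clean_rows, found = preflight(SAMPLE_ROWS)
    print(len(clean_rows), "rows ready;", found)
```

Both rows of a duplicate pair are held back so that an operator decides which record survives, rather than the import creating two accounts.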

list_saml_provider_configs

firebase_admin.auth.list_saml_provider_configs(page_token=None, max_results=100, app=None)

Retrieves a page of SAML provider configs from a Firebase project.

The page_token argument governs the starting point of the page. The max_results argument governs the maximum number of configs that may be included in the returned page. This function never returns None. If there are no SAML configs in the Firebase project, this returns an empty page.

Parameters:
  • page_token – A non-empty page token string, which indicates the starting point of the page (optional). Defaults to None, which will retrieve the first page of users.

  • max_results – A positive integer indicating the maximum number of users to include in the returned page (optional). Defaults to 100, which is also the maximum number allowed.

  • app – An App instance (optional).

Returns:

A page of SAML provider config instances.

Return type:

ListProviderConfigsPage

Raises:
  • ValueError – If max_results or page_token are invalid.

  • FirebaseError – If an error occurs while retrieving the SAML provider configs.

list_users

firebase_admin.auth.list_users(page_token=None, max_results=1000, app=None)

Retrieves a page of user accounts from a Firebase project.

The page_token argument governs the starting point of the page. The max_results argument governs the maximum number of user accounts that may be included in the returned page. This function never returns None. If there are no user accounts in the Firebase project, this returns an empty page.

Parameters:
  • page_token – A non-empty page token string, which indicates the starting point of the page (optional). Defaults to None, which will retrieve the first page of users.

  • max_results – A positive integer indicating the maximum number of users to include in the returned page (optional). Defaults to 1000, which is also the maximum number allowed.

  • app – An App instance (optional).

Returns:

A page of user accounts.

Return type:

ListUsersPage

Raises:
  • ValueError – If max_results or page_token are invalid.

  • FirebaseError – If an error occurs while retrieving the user accounts.

revoke_refresh_tokens

firebase_admin.auth.revoke_refresh_tokens(uid, app=None)

Revokes all refresh tokens for an existing user.

This function updates the user’s tokens_valid_after_timestamp to the current UTC in seconds since the epoch. It is important that the server on which this is called has its clock set correctly and synchronized.

While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use verify_id_token(idToken, check_revoked=True).

Parameters:
  • uid – A user ID string.

  • app – An App instance (optional).

Raises:
  • ValueError – If the user ID is None, empty or malformed.

  • FirebaseError – If an error occurs while revoking the refresh token.
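
The revocation behaviour described above, modelled offline as an added example that is not the SDK's own code. It assumes the token's issue time is its `iat` claim in seconds and that "issued before" is a strict comparison; the function names and the timeline values are constructed. `verify_for_sensitive_action` shows the real call and needs firebase_admin with an initialized app.

```python
ID_TOKEN_LIFETIME_S = 3600  # "natural expiration (one hour)"


def revocation_mark_ms(now_s):
    """tokens_valid_after_timestamp as documented: the current UTC time in
    whole seconds, reported in milliseconds (truncated to 1 s accuracy)."""
    return int(now_s) * 1000


def check_token(claims, now_s, tokens_valid_after_ms, check_revoked):
    """Outcome for claims whose signature was already verified.

    Returns "expired", "revoked" or "accepted".
    """
    if now_s >= claims["exp"]:
        return "expired"
    # Assumption: revoked means issued strictly before the revocation mark.
    if check_revoked and claims["iat"] * 1000 < tokens_valid_after_ms:
        return "revoked"
    return "accepted"


def exposure_window_s(claims, revoked_at_s):
    """Seconds a pre-revocation ID token stays usable on endpoints that
    verify it without check_revoked=True."""
    if claims["iat"] >= int(revoked_at_s):
        return 0
    return max(0, claims["exp"] - int(revoked_at_s))


def verify_for_sensitive_action(id_token):
    """Real check with the SDK: returns decoded claims, or None when the
    caller must sign in again."""
    from firebase_admin import auth  # lazy import: requires an initialized app

    try:
        return auth.verify_id_token(id_token, check_revoked=True)
    except auth.RevokedIdTokenError:
        return None
    except auth.InvalidIdTokenError:  # also covers ExpiredIdTokenError
        return None


# Constructed timeline (seconds since the epoch).
T0 = 1_700_000_000
REVOKED_AT = T0 + 600.4  # revoke_refresh_tokens() called mid-second
MARK = revocation_mark_ms(REVOKED_AT)

TOKEN_A = {"iat": T0, "exp": T0 + ID_TOKEN_LIFETIME_S}              # before revocation
TOKEN_B = {"iat": T0 + 600, "exp": T0 + 600 + ID_TOKEN_LIFETIME_S}  # same second
TOKEN_C = {"iat": T0 + 601, "exp": T0 + 601 + ID_TOKEN_LIFETIME_S}  # after

if __name__ == "__main__":
    now = T0 + 900
    for name, tok in (("A", TOKEN_A), ("B", TOKEN_B), ("C", TOKEN_C)):
        print(name,
              check_token(tok, now, MARK, check_revoked=False),
              check_token(tok, now, MARK, check_revoked=True),
              exposure_window_s(tok, REVOKED_AT))
```

In this model token A is still accepted without `check_revoked` for the 3000 seconds left on it, and token B, issued in the same second as the revocation, is not treated as revoked because the mark is truncated to the second.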

set_custom_user_claims

firebase_admin.auth.set_custom_user_claims(uid, custom_claims, app=None)

Sets additional claims on an existing user account.

Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user’s ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger than 1000 characters when serialized into a JSON string.

Parameters:
  • uid – A user ID string.

  • custom_claims – A dictionary or a JSON string of custom claims. Pass None to unset anyclaims set previously.

  • app – An App instance (optional).

Raises:
  • ValueError – If the specified user ID or the custom claims are invalid.

  • FirebaseError – If an error occurs while updating the user account.
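
A local check of a claims payload against the two constraints stated above (no reserved OIDC claims, at most 1000 characters when serialized), as an added example that is not the SDK's own validation. The page names only sub, iat and iss as reserved; the rest of the `RESERVED` set, the helper names and measuring size with `json.dumps` defaults are assumptions.

```python
import json

MAX_CLAIMS_CHARS = 1000  # limit stated above for the serialized payload

# The page names sub, iat and iss; the other entries are standard JWT/OIDC
# claim names included as an assumption about what "etc" covers.
RESERVED = frozenset({
    "sub", "iat", "iss", "aud", "exp", "nbf", "jti",
    "auth_time", "nonce", "acr", "amr", "azp", "at_hash", "c_hash",
})


def validate_claims(claims):
    """Return (serialized, errors) for a dict, a JSON string, or None.

    None is valid input: it unsets any claims set previously.
    """
    if claims is None:
        return None, []
    if isinstance(claims, str):
        try:
            parsed = json.loads(claims)
        except ValueError:
            return None, ["claims string is not valid JSON"]
    else:
        parsed = claims
    if not isinstance(parsed, dict):
        return None, ["claims must be a JSON object"]

    errors = []
    reserved = sorted(RESERVED.intersection(parsed))
    if reserved:
        errors.append("reserved claim(s): " + ", ".join(reserved))
    try:
        serialized = json.dumps(parsed, sort_keys=True)
    except TypeError as exc:
        return None, errors + ["not JSON-serializable: " + str(exc)]
    if len(serialized) > MAX_CLAIMS_CHARS:
        errors.append("serialized claims are %d characters (limit %d)"
                      % (len(serialized), MAX_CLAIMS_CHARS))
    return serialized, errors


def apply_claims(uid, claims):
    """Validate locally, then call the SDK (lazy import; needs an initialized app)."""
    from firebase_admin import auth

    _, errors = validate_claims(claims)
    if errors:
        raise ValueError("; ".join(errors))
    auth.set_custom_user_claims(uid, claims)


# Constructed sample payloads.
GOOD = {"role": "admin", "tenant": "t1"}
RESERVED_CLASH = {"sub": "someone-else", "role": "admin"}
TOO_LARGE = {"notes": "a" * 1000}

if __name__ == "__main__":
    for sample in (GOOD, RESERVED_CLASH, TOO_LARGE, "[1, 2]", None):
        print(validate_claims(sample)[1])
```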

update_oidc_provider_config

firebase_admin.auth.update_oidc_provider_config(provider_id,client_id=None,issuer=None,display_name=None,enabled=None,client_secret=None,id_token_response_type=None,code_response_type=None,app=None)

Updates an existing OIDC provider config with the given parameters.

Parameters:
  • provider_id – Provider ID string. Must have the prefix "oidc.".

  • client_id – Client ID of the new config (optional).

  • issuer – Issuer of the new config (optional). Must be a valid URL.

  • display_name – The user-friendly display name of the current configuration (optional). Pass auth.DELETE_ATTRIBUTE to delete the current display name.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional).

  • app – An App instance (optional).

  • client_secret – A string which sets the client secret for the new provider. This is required for the code flow.

  • code_response_type – A boolean which sets whether to enable the code response flow for the new provider. By default, this is not enabled if no response type is specified. A client secret must be set for this response type. Having both the code and ID token response flows is currently not supported.

  • id_token_response_type – A boolean which sets whether to enable the ID token response flow for the new provider. By default, this is enabled if no response type is specified. Having both the code and ID token response flows is currently not supported.

Returns:

The updated OIDC provider config instance.

Return type:

OIDCProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while updating the OIDC provider config.

update_saml_provider_config

firebase_admin.auth.update_saml_provider_config(provider_id, idp_entity_id=None, sso_url=None, x509_certificates=None, rp_entity_id=None, callback_url=None, display_name=None, enabled=None, app=None)

Updates an existing SAML provider config with the given parameters.

Parameters:
  • provider_id – Provider ID string. Must have the prefix "saml.".

  • idp_entity_id – The SAML IdP entity identifier (optional).

  • sso_url – The SAML IdP SSO URL. Must be a valid URL (optional).

  • x509_certificates – The list of SAML IdP X.509 certificates issued by a CA for this provider (optional).

  • rp_entity_id – The SAML relying party entity ID (optional).

  • callback_url – Callback URL string (optional).

  • display_name – The user-friendly display name of the current configuration (optional). Pass auth.DELETE_ATTRIBUTE to delete the current display name.

  • enabled – A boolean indicating whether the provider configuration is enabled or disabled (optional).

  • app – An App instance (optional).

Returns:

The updated SAML provider config instance.

Return type:

SAMLProviderConfig

Raises:
  • ValueError – If any of the specified input parameters are invalid.

  • FirebaseError – If an error occurs while updating the SAML provider config.

update_user

firebase_admin.auth.update_user(uid, **kwargs)

Updates an existing user account with the specified properties.

Parameters:
  • uid – A user ID string.

  • **kwargs – A series of keyword arguments (optional).

Keyword Arguments:
  • display_name – The user’s display name (optional). Can be removed by explicitly passing auth.DELETE_ATTRIBUTE.

  • email – The user’s primary email (optional).

  • email_verified – A boolean indicating whether or not the user’s primary email is verified (optional).

  • phone_number – The user’s primary phone number (optional). Can be removed by explicitly passing auth.DELETE_ATTRIBUTE.

  • photo_url – The user’s photo URL (optional). Can be removed by explicitly passing auth.DELETE_ATTRIBUTE.

  • password – The user’s raw, unhashed password (optional).

  • disabled – A boolean indicating whether or not the user account is disabled (optional).

  • custom_claims – A dictionary or a JSON string containing the custom claims to be set on the user account (optional). To remove all custom claims, pass auth.DELETE_ATTRIBUTE.

  • valid_since – An integer signifying the seconds since the epoch (optional). This field is set by revoke_refresh_tokens, and setting it directly is discouraged.

  • app – An App instance (optional).

Returns:

An updated user record instance for the user.

Return type:

UserRecord

Raises:
  • ValueError – If the specified user ID or properties are invalid.

  • FirebaseError – If an error occurs while updating the user account.

verify_id_token

firebase_admin.auth.verify_id_token(id_token, app=None, check_revoked=False, clock_skew_seconds=0)

Verifies the signature and data for the provided JWT.

Accepts a signed token string, verifies that it is current and issued to this project, and that it was correctly signed by Google.

Parameters:
  • id_token – A string of the encoded JWT.

  • app – An App instance (optional).

  • check_revoked – Boolean. If true, checks whether the token has been revoked or the user disabled (optional).

  • clock_skew_seconds – The number of seconds to tolerate when checking the token. Must be between 0 and 60. Defaults to 0.

Returns:

A dictionary of key-value pairs parsed from the decoded JWT.

Return type:

dict

Raises:
  • ValueError – If id_token is not a string or is empty.

  • InvalidIdTokenError – If id_token is not a valid Firebase ID token.

  • ExpiredIdTokenError – If the specified ID token has expired.

  • RevokedIdTokenError – If check_revoked is True and the ID token has been revoked.

  • CertificateFetchError – If an error occurs while fetching the public key certificates required to verify the ID token.

  • UserDisabledError – If check_revoked is True and the corresponding user record is disabled.
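
How a request handler might call verify_id_token with check_revoked=True, so that tokens invalidated by revoke_refresh_tokens are rejected before their one-hour expiry, and how to order the except clauses for the exceptions listed above. This is an added example, not part of the SDK reference; the authenticate helper, its HTTP status mapping and the STUB_AUTH stand-in (constructed so the code runs offline) are assumptions.

```python
from types import SimpleNamespace

def authenticate(id_token, auth, check_revoked=True):
    """Map verify_id_token() outcomes to (http_status, reason, claims).

    `auth` is firebase_admin.auth in production; the offline stand-in below
    exposes the same names. The status codes are this example's choice.
    """
    try:
        claims = auth.verify_id_token(id_token, check_revoked=check_revoked)
    # Expired/Revoked derive from InvalidIdTokenError: catch them first.
    except auth.ExpiredIdTokenError:
        return 401, "expired", None       # client refreshes and retries
    except auth.RevokedIdTokenError:
        return 401, "revoked", None       # client must sign in again
    except auth.UserDisabledError:
        return 403, "disabled", None
    except auth.InvalidIdTokenError:
        return 401, "invalid", None
    except auth.CertificateFetchError:
        return 503, "unverifiable", None  # fail closed: keys unavailable
    except ValueError:
        return 400, "malformed", None     # not a string, or empty
    return 200, "ok", claims

# Constructed stand-in for firebase_admin.auth (offline demo, not SDK code).
class _Invalid(Exception): pass
class _Expired(_Invalid): pass
class _Revoked(_Invalid): pass
class _Disabled(Exception): pass
class _CertFetch(Exception): pass

# Constructed token strings -> exception raised. Revoked and disabled states
# are only detected when check_revoked=True, as the reference describes.
_ALWAYS = {"tok-expired": _Expired, "tok-forged": _Invalid, "tok-nocerts": _CertFetch}
_IF_CHECKED = {"tok-revoked": _Revoked, "tok-disabled": _Disabled}

def _verify_id_token(id_token, app=None, check_revoked=False, clock_skew_seconds=0):
    if not isinstance(id_token, str) or not id_token:
        raise ValueError("id_token must be a non-empty string")
    exc = _ALWAYS.get(id_token) or (check_revoked and _IF_CHECKED.get(id_token))
    if exc:
        raise exc(id_token)
    return {"uid": "constructed-user"}

STUB_AUTH = SimpleNamespace(
    verify_id_token=_verify_id_token, InvalidIdTokenError=_Invalid,
    ExpiredIdTokenError=_Expired, RevokedIdTokenError=_Revoked,
    UserDisabledError=_Disabled, CertificateFetchError=_CertFetch)
```

With the Admin SDK installed and an app initialized, the same helper is called as authenticate(token, firebase_admin.auth).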

verify_session_cookie

firebase_admin.auth.verify_session_cookie(session_cookie, check_revoked=False, app=None, clock_skew_seconds=0)

Verifies a Firebase session cookie.

Accepts a session cookie string, verifies that it is current and issued to this project, and that it was correctly signed by Google.

Parameters:
  • session_cookie – A session cookie string to verify.

  • check_revoked – Boolean. If true, checks whether the cookie has been revoked or the user disabled (optional).

  • app – An App instance (optional).

  • clock_skew_seconds – The number of seconds to tolerate when checking the cookie.

Returns:

A dictionary of key-value pairs parsed from the decoded JWT.

Return type:

dict

Raises:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-31 UTC.