Index
- AccountManagementService (interface)
- AuthenticationService (interface)
- AutoRetrievalInfo (message)
- ClientType (enum)
- FinalizeMfaEnrollmentRequest (message)
- FinalizeMfaEnrollmentResponse (message)
- FinalizeMfaPhoneRequestInfo (message)
- FinalizeMfaPhoneResponseInfo (message)
- FinalizeMfaSignInRequest (message)
- FinalizeMfaSignInResponse (message)
- FinalizeMfaTotpEnrollmentRequestInfo (message)
- FinalizeMfaTotpEnrollmentResponseInfo (message)
- GetPasswordPolicyRequest (message)
- GetRecaptchaConfigRequest (message)
- MfaTotpSignInRequestInfo (message)
- PasswordPolicy (message)
- PasswordPolicy.CustomStrengthOptions (message)
- PasswordPolicy.EnforcementState (enum)
- RecaptchaConfig (message)
- RecaptchaEnforcementState (message)
- RecaptchaEnforcementState.EnforcementState (enum)
- RecaptchaEnforcementState.RecaptchaProvider (enum)
- RecaptchaVersion (enum)
- RevokeTokenRequest (message)
- RevokeTokenRequest.TokenType (enum)
- RevokeTokenResponse (message)
- StartMfaEnrollmentRequest (message)
- StartMfaEnrollmentResponse (message)
- StartMfaPhoneRequestInfo (message)
- StartMfaPhoneResponseInfo (message)
- StartMfaSignInRequest (message)
- StartMfaSignInResponse (message)
- StartMfaTotpEnrollmentRequestInfo (message)
- StartMfaTotpEnrollmentResponseInfo (message)
- WithdrawMfaRequest (message)
- WithdrawMfaResponse (message)

AccountManagementService
Account management for Identity Toolkit

rpc FinalizeMfaEnrollment(FinalizeMfaEnrollmentRequest) returns (FinalizeMfaEnrollmentResponse)
Finishes enrolling a second factor for the user.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

rpc StartMfaEnrollment(StartMfaEnrollmentRequest) returns (StartMfaEnrollmentResponse)
Step one of the MFA enrollment process. In SMS case, this sends an SMS verification code to the user.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

rpc WithdrawMfa(WithdrawMfaRequest) returns (WithdrawMfaResponse)
Revokes one second factor from the enrolled second factors for an account.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

AuthenticationService
Authentication for Identity Toolkit

rpc FinalizeMfaSignIn(FinalizeMfaSignInRequest) returns (FinalizeMfaSignInResponse)
Verifies the MFA challenge and performs sign-in.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

rpc GetPasswordPolicy(GetPasswordPolicyRequest) returns (PasswordPolicy)
Gets password policy config set on the project or tenant.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

rpc GetRecaptchaConfig(GetRecaptchaConfigRequest) returns (RecaptchaConfig)
Gets parameters needed for reCAPTCHA analysis.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

rpc RevokeToken(RevokeTokenRequest) returns (RevokeTokenResponse)
Revokes a user's token from an Identity Provider (IdP). This is done by manually providing an IdP credential, and the token types for revocation.
An API key is required in the request in order to identify the Google Cloud project.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

rpc StartMfaSignIn(StartMfaSignInRequest) returns (StartMfaSignInResponse)
Sends the MFA challenge.
Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/identitytoolkit
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.

AutoRetrievalInfo
The information required to auto-retrieve an SMS.
Fields | |
---|---|
app_signature_hash | The Android app's signature hash for Google Play Service's SMS Retriever API. |

ClientType
The client's platform type: web, android or ios.
Enums | |
---|---|
CLIENT_TYPE_UNSPECIFIED | Client type is not specified. |
CLIENT_TYPE_WEB | Client type is web. |
CLIENT_TYPE_ANDROID | Client type is android. |
CLIENT_TYPE_IOS | Client type is ios. |

FinalizeMfaEnrollmentRequest
Finishes enrolling a second factor for the user.
Fields | |
---|---|
id_token | (string) Required. ID token. |
display_name | (string) Display name entered by users to distinguish between second factors of the same or a different type. |
tenant_id | (string) The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project. |
verification_info | MFA enrollment information to be verified. verification_info can be only one of the following: |
phone_verification_info | Verification info to authorize sending an SMS for phone verification. |
totp_verification_info | (FinalizeMfaTotpEnrollmentRequestInfo) Verification information for TOTP. |

FinalizeMfaEnrollmentResponse
FinalizeMfaEnrollment response.
Fields | |
---|---|
id_token | (string) ID token updated to reflect MFA enrollment. |
refresh_token | (string) Refresh token updated to reflect MFA enrollment. |
auxiliary_auth_info | MFA verified enrollment information. auxiliary_auth_info can be only one of the following: |
phone_auth_info | Auxiliary auth info specific to phone auth. |
totp_auth_info | (FinalizeMfaTotpEnrollmentResponseInfo) Auxiliary auth info specific to TOTP auth. |

FinalizeMfaPhoneRequestInfo
Phone Verification info for a FinalizeMfa request.
Fields | |
---|---|
session_info | An opaque string that represents the enrollment session. |
code | User-entered verification code. |
android_verification_proof | Android only. Used for "instant" phone number verification through GmsCore. |
phone_number | Required if Android verification proof is presented. |

FinalizeMfaPhoneResponseInfo
Phone Verification info for a FinalizeMfa response.
Fields | |
---|---|
android_verification_proof | Android only. Long-lived replacement for a valid code, tied to the Android device. |
android_verification_proof_expire_time | Android only. Expiration time of verification proof in seconds. |
phone_number | For Android verification proof. |

FinalizeMfaSignInRequest
Finalizes sign-in by verifying MFA challenge.
Fields | |
---|---|
mfa_pending_credential | (string) Required. Pending credential from first factor sign-in. |
tenant_id | (string) The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project. |
mfa_enrollment_id | (string) The MFA enrollment ID from the user's list of current MFA enrollments. |
verification_info | Proof of completion of the MFA challenge. verification_info can be only one of the following: |
phone_verification_info | Proof of completion of the SMS based MFA challenge. |
totp_verification_info | Proof of completion of the TOTP based MFA challenge. |

FinalizeMfaSignInResponse
FinalizeMfaSignIn response.
Fields | |
---|---|
id_token | (string) ID token for the authenticated user. |
refresh_token | (string) Refresh token for the authenticated user. |
auxiliary_auth_info | MFA verified sign-in information. auxiliary_auth_info can be only one of the following: |
phone_auth_info | Extra phone auth info, including android verification proof. |

FinalizeMfaTotpEnrollmentRequestInfo
Mfa request info specific to TOTP auth for FinalizeMfa.
Fields | |
---|---|
session_info | An opaque string that represents the enrollment session. |
verification_code | User-entered verification code. |

FinalizeMfaTotpEnrollmentResponseInfo
Mfa response info specific to TOTP auth for FinalizeMfa.
This type has no fields.

GetPasswordPolicyRequest
The request for GetPasswordPolicy.
Fields | |
---|---|
tenant_id | The id of a tenant. |

GetRecaptchaConfigRequest
The request for GetRecaptchaConfig.
Fields | |
---|---|
tenant_id | The id of a tenant. |
client_type | reCAPTCHA Enterprise uses separate site keys for different client types. Specify the client type to get the corresponding key. |
version | The reCAPTCHA version. |

MfaTotpSignInRequestInfo
TOTP verification info for FinalizeMfaSignInRequest.
Fields | |
---|---|
verification_code | User-entered verification code. |

PasswordPolicy
Configuration for password policy.
Fields | |
---|---|
custom_strength_options | The custom strength options enforced by the password policy. |
schema_version | Output only. Schema version number for the password policy. |
allowed_non_alphanumeric_characters[] | Output only. Allowed characters which satisfy the non_alphanumeric requirement. |
enforcement_state | Output only. Which enforcement mode to use for the password policy. |
force_upgrade_on_signin | Users must have a password compliant with the password policy to sign in. |

CustomStrengthOptions
Custom strength options to enforce on user passwords.
Fields | |
---|---|
min_password_length | Minimum password length. Range from 6 to 30. |
max_password_length | Maximum password length. No default max length. |
contains_lowercase_character | The password must contain a lowercase character. |
contains_uppercase_character | The password must contain an uppercase character. |
contains_numeric_character | The password must contain a number. |
contains_non_alphanumeric_character | The password must contain a non-alphanumeric character. |

EnforcementState
Enforcement state for the password policy.
Enums | |
---|---|
ENFORCEMENT_STATE_UNSPECIFIED | Enforcement state has not been set. |
OFF | Password Policy will not be used on the project. |
ENFORCE | Passwords non-compliant with the password policy will be rejected with an error thrown. |
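
A client can pre-check a password against the PasswordPolicy fields above before submitting it. The following is an added example, not code from this reference or from the Identity Toolkit SDKs; it assumes the policy is available as a dict keyed by the field names above, that the boolean options are true/false values, and that character classes are ASCII.

```python
# Assumption: character classes are ASCII; the page does not define them.
_CLASS_CHECKS = {
    "contains_lowercase_character": lambda c, allowed: "a" <= c <= "z",
    "contains_uppercase_character": lambda c, allowed: "A" <= c <= "Z",
    "contains_numeric_character": lambda c, allowed: "0" <= c <= "9",
    # Only characters listed in allowed_non_alphanumeric_characters[] count.
    "contains_non_alphanumeric_character": lambda c, allowed: c in allowed,
}


def unmet_requirements(password, policy):
    """Return the policy field names the password fails; [] means compliant."""
    if policy.get("enforcement_state") != "ENFORCE":
        return []  # OFF or unspecified: the policy is not applied
    opts = policy.get("custom_strength_options", {})
    allowed = set(policy.get("allowed_non_alphanumeric_characters", []))
    unmet = []
    min_len = opts.get("min_password_length")
    max_len = opts.get("max_password_length")  # absent means no maximum
    if min_len and len(password) < min_len:
        unmet.append("min_password_length")
    if max_len and len(password) > max_len:
        unmet.append("max_password_length")
    for field, matches in _CLASS_CHECKS.items():
        if opts.get(field) and not any(matches(c, allowed) for c in password):
            unmet.append(field)
    return unmet


def must_upgrade_on_signin(password, policy):
    """True when force_upgrade_on_signin applies and the password is non-compliant."""
    return bool(policy.get("force_upgrade_on_signin")) and bool(
        unmet_requirements(password, policy))


# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = {
    "enforcement_state": "ENFORCE",
    "force_upgrade_on_signin": True,
    "allowed_non_alphanumeric_characters": ["!", "@", "#"],
    "custom_strength_options": {
        "min_password_length": 10,
        "max_password_length": 30,
        "contains_lowercase_character": True,
        "contains_uppercase_character": True,
        "contains_numeric_character": True,
        "contains_non_alphanumeric_character": True,
    },
}
```
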

RecaptchaConfig
Configuration for reCAPTCHA.
Fields | |
---|---|
recaptcha_enforcement_state[] | The reCAPTCHA enforcement state for the providers for which GCIP supports reCAPTCHA protection. |
recaptcha_key | The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}". This will only be returned when the reCAPTCHA enforcement state is AUDIT or ENFORCE on at least one of the reCAPTCHA providers. |
use_sms_bot_score | Whether to use the rCE bot score for reCAPTCHA phone provider. |
use_sms_toll_fraud_protection | Whether to use the rCE SMS toll fraud protection risk score for reCAPTCHA phone provider. |

RecaptchaEnforcementState
Enforcement states for reCAPTCHA protection.
Fields | |
---|---|
provider | The provider that has reCAPTCHA protection. |
enforcement_state | The reCAPTCHA enforcement state for the provider. |

EnforcementState
Enforcement states for reCAPTCHA protection per provider.
Enums | |
---|---|
ENFORCEMENT_STATE_UNSPECIFIED | Enforcement state has not been set. |
OFF | Unenforced. |
AUDIT | reCAPTCHA assessment is created, result is not used to enforce. |
ENFORCE | reCAPTCHA assessment is created, result is used to enforce. |

RecaptchaProvider
The GCIP providers that support reCAPTCHA protection.
Enums | |
---|---|
RECAPTCHA_PROVIDER_UNSPECIFIED | reCAPTCHA provider not specified. |
EMAIL_PASSWORD_PROVIDER | Email password provider. |
PHONE_PROVIDER | Phone auth provider. |

RecaptchaVersion
The reCAPTCHA version.
Enums | |
---|---|
RECAPTCHA_VERSION_UNSPECIFIED | The reCAPTCHA version is not specified. |
RECAPTCHA_ENTERPRISE | The reCAPTCHA enterprise. |

RevokeTokenRequest
Request message for RevokeToken.
Fields | |
---|---|
provider_id | Required. The IdP provider for the token. Currently only supports Apple IdP. The format should be "apple.com". |
token_type | Required. The type of the token to be revoked. |
token | Required. The token to be revoked. If an authorization_code is passed in, the API will first exchange the code for an access token and then revoke the token exchanged. |
id_token | Required. A valid Identity Platform ID token to link the account. If there was a successful token revocation request on the account and no tokens are generated after the revocation, the duplicate requests will be ignored and returned immediately. |
tenant_id | The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project. |
redirect_uri | The redirect URI provided in the initial authorization request made by the client to the IdP. The URI must use the HTTPS protocol, include a domain name, and can't contain an IP address or localhost. Required if token_type is CODE. |

TokenType
The type of the token to be revoked.
Enums | |
---|---|
TOKEN_TYPE_UNSPECIFIED | Default value, do not use. |
REFRESH_TOKEN | Token type is refresh_token. |
ACCESS_TOKEN | Token type is access_token. |
CODE | Token type is authorization_code. |

RevokeTokenResponse
Response message for RevokeToken. Empty for now.
This type has no fields.

StartMfaEnrollmentRequest
Sends MFA enrollment verification SMS for a user.
Fields | |
---|---|
id_token | (string) Required. User's ID token. |
tenant_id | (string) The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project. |
enrollment_info | MFA information by type of 2nd factor. enrollment_info can be only one of the following: |
phone_enrollment_info | Verification info to authorize sending an SMS for phone verification. |
totp_enrollment_info | (StartMfaTotpEnrollmentRequestInfo) Sign-in info specific to TOTP auth. |

StartMfaEnrollmentResponse
StartMfaEnrollment response.
Fields | |
---|---|
enrollment_response | MFA start enrollment response by 2nd factor type. enrollment_response can be only one of the following: |
phone_session_info | Verification info to authorize sending an SMS for phone verification. |
totp_session_info | (StartMfaTotpEnrollmentResponseInfo) Enrollment response info specific to TOTP auth. |

StartMfaPhoneRequestInfo
App Verification info for a StartMfa request.
Fields | |
---|---|
phone_number | Required for enrollment. Phone number to be enrolled as MFA. |
ios_receipt | iOS only. Receipt of successful app token validation with APNS. |
ios_secret | iOS only. Secret delivered to iOS app via APNS. |
recaptcha_token | Web only. Recaptcha solution. |
auto_retrieval_info | Android only. Used by Google Play Services to identify the app for auto-retrieval. |
safety_net_token | Android only. Used to assert application identity in place of a recaptcha token. A SafetyNet Token can be generated via the SafetyNet Android Attestation API, with the Base64 encoding of the |
play_integrity_token | Android only. Used to assert application identity in place of a recaptcha token (or safety net token). A Play Integrity Token can be generated via the PlayIntegrity API with applying SHA256 to the |
captcha_response | The reCAPTCHA Enterprise token provided by the reCAPTCHA client-side integration. Required when reCAPTCHA enterprise is enabled. |
client_type | The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled. |
recaptcha_version | The reCAPTCHA version of the reCAPTCHA token in the captcha_response. Required when reCAPTCHA Enterprise is enabled. |

StartMfaPhoneResponseInfo
Phone Verification info for a StartMfa response.
Fields | |
---|---|
session_info | An opaque string that represents the enrollment session. |

StartMfaSignInRequest
Starts multi-factor sign-in by sending the multi-factor auth challenge.
Fields | |
---|---|
mfa_pending_credential | (string) Required. Pending credential from first factor sign-in. |
mfa_enrollment_id | (string) Required. MFA enrollment id from the user's list of current MFA enrollments. |
tenant_id | (string) The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project. |
sign_in_info | MFA information by type of 2nd factor. sign_in_info can be only one of the following: |
phone_sign_in_info | Verification info to authorize sending an SMS for phone verification. |

StartMfaSignInResponse
StartMfaSignIn response.
Fields | |
---|---|
response_info | MultiFactor start sign-in response by 2nd factor type. response_info can be only one of the following: |
phone_response_info | MultiFactor sign-in session information specific to SMS-type second factors. Along with the one-time code retrieved from the sent SMS, the contents of this session information should be passed to FinalizeMfaSignIn to complete the sign in. |

StartMfaTotpEnrollmentRequestInfo
Mfa request info specific to TOTP auth for StartMfa.
This type has no fields.

StartMfaTotpEnrollmentResponseInfo
Mfa response info specific to TOTP auth for StartMfa.
Fields | |
---|---|
shared_secret_key | A base 32 encoded string that represents the shared TOTP secret. The base 32 encoding is the one specified by RFC4648#section-6. (This is the same as the base 32 encoding from RFC3548#section-5.) |
verification_code_length | The length of the verification code that needs to be generated. |
hashing_algorithm | The hashing algorithm used to generate the verification code. |
period_sec | Duration in seconds at which the verification code will change. |
session_info | An encoded string that represents the enrollment session. |
finalize_enrollment_time | The time by which the enrollment must finish. |
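
The fields above are the parameters of an RFC 6238 TOTP computation, and the resulting code is what FinalizeMfaTotpEnrollmentRequestInfo carries as verification_code. The following is an added example, not code from this reference or from the Identity Toolkit SDKs; it assumes the response is available as a dict keyed by the field names above and that hashing_algorithm is a name such as "SHA1".

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumption: hashing_algorithm is a name such as "SHA1"; the page lists no values.
_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_shared_secret(shared_secret_key):
    """Decode the RFC 4648 section 6 base32 secret; tolerate spaces, case, no padding."""
    cleaned = shared_secret_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(info, at_time=None):
    """RFC 6238 code for the time step containing at_time (default: now)."""
    digits = int(info["verification_code_length"])
    period = int(info["period_sec"])
    algo = str(info["hashing_algorithm"]).upper().replace("-", "")
    if algo not in _DIGESTS:
        raise ValueError("unsupported hashing_algorithm: %r" % algo)
    # RFC 4226 needs at least 6 digits; the 31-bit value has at most 10.
    if period <= 0 or not 6 <= digits <= 10:
        raise ValueError("implausible period_sec or verification_code_length")
    now = time.time() if at_time is None else at_time
    counter = int(now) // period
    mac = hmac.new(decode_shared_secret(info["shared_secret_key"]),
                   struct.pack(">Q", counter), _DIGESTS[algo]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def finalize_totp_request_info(info, at_time=None):
    """Build the FinalizeMfaTotpEnrollmentRequestInfo fields from the Start response."""
    return {"session_info": info["session_info"],
            "verification_code": totp_code(info, at_time)}


# Constructed sample response; the secret is the RFC 6238 test key, not a real one.
SAMPLE_RESPONSE = {
    "shared_secret_key": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "verification_code_length": 8,
    "hashing_algorithm": "SHA1",
    "period_sec": 30,
    "session_info": "constructed-session-info",
}
```
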

WithdrawMfaRequest
Withdraws MFA.
Fields | |
---|---|
id_token | Required. User's ID token. |
mfa_enrollment_id | Required. MFA enrollment id from a current MFA enrollment. |
tenant_id | The ID of the Identity Platform tenant that the user unenrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project. |

WithdrawMfaResponse
Withdraws MultiFactorAuth response.
Fields | |
---|---|
id_token | ID token updated to reflect removal of the second factor. |
refresh_token | Refresh token updated to reflect removal of the second factor. |