TenantAwareAuth class

Tenant-aware Auth interface used for managing users, configuring SAML/OIDC providers, and generating email links (password reset, email verification, etc.) for specific tenants.

Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

Each tenant contains its own identity providers, settings and sets of users. With TenantAwareAuth, the users and OIDC/SAML configurations of a specific tenant can be managed, ID tokens for users signed in to that tenant can be verified, and email action links can be generated for users belonging to the tenant.

TenantAwareAuth instances for a specific tenantId can be instantiated by calling TenantManager.authForTenant().

Signature:

export declare class TenantAwareAuth extends BaseAuth 

Extends: BaseAuth

Properties

| Property | Modifiers | Type | Description |
| --- | --- | --- | --- |
| tenantId | | string | The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc. will only be applied within the scope of this tenant. |

Methods

| Method | Modifiers | Description |
| --- | --- | --- |
| createSessionCookie(idToken, sessionCookieOptions) | | Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token. See Manage Session Cookies for code samples and detailed documentation. |
| verifyIdToken(idToken, checkRevoked) | | Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected. If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied. See Verify ID Tokens for code samples and detailed documentation. |
| verifySessionCookie(sessionCookie, checkRevoked) | | Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified. If checkRevoked is set to true, first verifies whether the corresponding user is disabled: If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed. See Verify Session Cookies for code samples and detailed documentation. |

TenantAwareAuth.tenantId

The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc. will only be applied within the scope of this tenant.

Signature:

readonly tenantId: string;

TenantAwareAuth.createSessionCookie()

Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token.

See Manage Session Cookies for code samples and detailed documentation.

Signature:

createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string>;

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| idToken | string | The Firebase ID token to exchange for a session cookie. |
| sessionCookieOptions | SessionCookieOptions | The session cookie options which includes custom session duration. |

Returns:

Promise<string>

A promise that resolves on success with the created session cookie.

TenantAwareAuth.verifyIdToken()

Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected.

If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied.

See Verify ID Tokens for code samples and detailed documentation.

Signature:

verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdToken>;

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| idToken | string | The ID token to verify. |
| checkRevoked | boolean | Whether to check if the ID token was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not applied. |

Returns:

Promise<DecodedIdToken>

A promise fulfilled with the token's decoded claims if the ID token is valid; otherwise, a rejected promise.

TenantAwareAuth.verifySessionCookie()

Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified.

If checkRevoked is set to true, first verifies whether the corresponding user is disabled: If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed.

See Verify Session Cookies for code samples and detailed documentation.

Signature:

verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken>;

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| sessionCookie | string | The session cookie to verify. |
| checkRevoked | boolean | |

Returns:

Promise<DecodedIdToken>

A promise fulfilled with the session cookie's decoded claims if the session cookie is valid; otherwise, a rejected promise.
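
The three methods above combined into one request-authentication flow with checkRevoked enabled, as an added example that is not part of the Firebase documentation or SDK. The function names, result shape and the `fakeTenantAuth` stand-in are hypothetical; the tenant-claim comparison is an added defense-in-depth check and assumes the decoded claims carry `firebase.tenant`.

```javascript
// Added example, not Firebase's code. `tenantAuth` is assumed to be a TenantAwareAuth
// from getAuth().tenantManager().authForTenant(tenantId); function names are hypothetical.

// Error codes this page documents for checkRevoked = true.
const REJECT_REASONS = {
  'auth/user-disabled': 'user-disabled',
  'auth/id-token-revoked': 'token-revoked',
  'auth/session-cookie-revoked': 'session-revoked',
};

async function verifyCredential(tenantAuth, { idToken, sessionCookie }) {
  try {
    // checkRevoked = true: one extra backend request, but disabled users and
    // revoked sessions are rejected instead of being accepted until expiry.
    const claims = sessionCookie
      ? await tenantAuth.verifySessionCookie(sessionCookie, true)
      : await tenantAuth.verifyIdToken(idToken, true);
    // Added defense-in-depth check: tenant claim must match this instance's tenant.
    if (!claims.firebase || claims.firebase.tenant !== tenantAuth.tenantId) {
      return { ok: false, status: 403, reason: 'tenant-mismatch' };
    }
    return { ok: true, status: 200, uid: claims.uid };
  } catch (err) {
    // Anything else (bad signature, expired, malformed) is a generic rejection.
    return { ok: false, status: 401, reason: REJECT_REASONS[err && err.code] || 'invalid-credential' };
  }
}

// Exchange an ID token for a session cookie only after it passes the checks above.
async function startSession(tenantAuth, idToken, expiresInMs = 60 * 60 * 1000) {
  const check = await verifyCredential(tenantAuth, { idToken });
  if (!check.ok) return check;
  const cookie = await tenantAuth.createSessionCookie(idToken, { expiresIn: expiresInMs });
  return { ...check, cookie };
}

// Constructed stand-in for TenantAwareAuth so the flow runs offline: a "token" is a
// key into `tokens`, whose value is either decoded claims or an error code to reject with.
function fakeTenantAuth(tenantId, tokens) {
  const verify = async (t) => {
    const v = tokens[t];
    if (v && typeof v === 'object') return v;
    throw Object.assign(new Error('rejected'), { code: v || 'auth/argument-error' });
  };
  return { tenantId, verifyIdToken: verify, verifySessionCookie: verify,
           createSessionCookie: async (t) => `cookie-for-${t}` };
}
```

In a real service, pass the instance returned by TenantManager.authForTenant() instead of the stand-in, and set the returned cookie with the `HttpOnly` and `Secure` attributes.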