Tenant-aware Auth interface used for managing users, configuring SAML/OIDC providers, generating email links for password reset, email verification, etc. for specific tenants.
Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
Each tenant contains its own identity providers, settings and sets of users. Using TenantAwareAuth, users for a specific tenant and corresponding OIDC/SAML configurations can also be managed, ID tokens for users signed in to a specific tenant can be verified, and email action links can also be generated for users belonging to the tenant.
TenantAwareAuth instances for a specific tenantId can be instantiated by calling TenantManager.authForTenant().
Signature:
export declare class TenantAwareAuth extends BaseAuth
Extends: BaseAuth
Properties
Property | Modifiers | Type | Description |
---|---|---|---|
tenantId | | string | The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc. will only be applied within the scope of this tenant. |
Methods
Method | Modifiers | Description |
---|---|---|
createSessionCookie(idToken, sessionCookieOptions) | | Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token. See Manage Session Cookies for code samples and detailed documentation. |
verifyIdToken(idToken, checkRevoked) | | Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected. If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied. See Verify ID Tokens for code samples and detailed documentation. |
verifySessionCookie(sessionCookie, checkRevoked) | | Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified. If checkRevoked is set to true, first verifies whether the corresponding user is disabled: If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed. See Verify Session Cookies for code samples and detailed documentation. |
TenantAwareAuth.tenantId
The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc. will only be applied within the scope of this tenant.
Signature:
readonly tenantId: string;
TenantAwareAuth.createSessionCookie()
Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token.
See Manage Session Cookies for code samples and detailed documentation.
Signature:
createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string>;
Parameters
Parameter | Type | Description |
---|---|---|
idToken | string | The Firebase ID token to exchange for a session cookie. |
sessionCookieOptions | SessionCookieOptions | The session cookie options which includes custom session duration. |
Returns:
Promise<string>
A promise that resolves on success with the created session cookie.
TenantAwareAuth.verifyIdToken()
Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected.
If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied.
See Verify ID Tokens for code samples and detailed documentation.
Signature:
verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdToken>;
Parameters
Parameter | Type | Description |
---|---|---|
idToken | string | The ID token to verify. |
checkRevoked | boolean | Whether to check if the ID token was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not applied. |
Returns:
Promise<DecodedIdToken>
A promise fulfilled with the token's decoded claims if the ID token is valid; otherwise, a rejected promise.
TenantAwareAuth.verifySessionCookie()
Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified.
If checkRevoked is set to true, first verifies whether the corresponding user is disabled: If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed.
See Verify Session Cookies for code samples and detailed documentation.
Signature:
verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken>;
Parameters
Parameter | Type | Description |
---|---|---|
sessionCookie | string | The session cookie to verify. |
checkRevoked | boolean |
Returns:
Promise<DecodedIdToken>
A promise fulfilled with the session cookie's decoded claims if the session cookie is valid; otherwise, a rejected promise.
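The checkRevoked behaviour of verifyIdToken() and verifySessionCookie() described above, as an added example that is not part of the Firebase reference: a request gate that always checks revocation, maps the documented error codes to a re-authentication decision, and confirms the tenant on the decoded claims. The names authorizeForTenant, tenantAuthFor and makeStubTenantAuth, the HTTP status mapping, and the stub itself are assumptions made for illustration; tenantAuthFor assumes firebase-admin is installed and initializeApp() has been called.

```javascript
// Added example, not Firebase sample code. Helper names are hypothetical.
const REAUTH_CODES = new Set([
  'auth/user-disabled',
  'auth/id-token-revoked',
  'auth/session-cookie-revoked',
]);

// Real wiring; assumes firebase-admin is installed and initializeApp() has run.
function tenantAuthFor(tenantId) {
  const { getAuth } = require('firebase-admin/auth');
  return getAuth().tenantManager().authForTenant(tenantId);
}

// kind is 'idToken' or 'sessionCookie'. checkRevoked is always true, so disabled
// users and revoked sessions are rejected at the cost of one backend request.
async function authorizeForTenant(tenantAuth, kind, credential) {
  let claims;
  try {
    claims = kind === 'sessionCookie'
      ? await tenantAuth.verifySessionCookie(credential, true)
      : await tenantAuth.verifyIdToken(credential, true);
  } catch (err) {
    // Disabled or revoked: force a fresh sign-in. Anything else: plain reject.
    const reauthenticate = REAUTH_CODES.has(err.code);
    const reason = reauthenticate ? err.code : 'invalid-credential';
    return { ok: false, status: 401, reason, reauthenticate };
  }
  // Explicit tenant check on the decoded claims (defence in depth; assumption
  // of this example, independent of what the SDK enforces internally).
  const tenant = claims.firebase && claims.firebase.tenant;
  if (tenant !== tenantAuth.tenantId) {
    return { ok: false, status: 403, reason: 'tenant-mismatch', reauthenticate: false };
  }
  return { ok: true, status: 200, uid: claims.uid, tenant };
}

// Constructed stand-in for a TenantAwareAuth instance so the example runs offline.
// outcomes maps a credential string to decoded claims or to { code } to throw.
function makeStubTenantAuth(tenantId, outcomes) {
  const verify = async (credential) => {
    const o = outcomes[credential] || { code: 'auth/argument-error' };
    if (o.code) throw Object.assign(new Error(o.code), { code: o.code });
    return o;
  };
  return { tenantId, verifyIdToken: verify, verifySessionCookie: verify };
}
```

In a real service, pass the result of tenantAuthFor(tenantId) as the first argument instead of the stub.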