Package google.cloud.identitytoolkit.v2

AccountManagementService

Account management for Identity Toolkit

FinalizeMfaEnrollment

rpc FinalizeMfaEnrollment(FinalizeMfaEnrollmentRequest) returns (FinalizeMfaEnrollmentResponse)

Finishes enrolling a second factor for the user.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

StartMfaEnrollment

rpc StartMfaEnrollment(StartMfaEnrollmentRequest) returns (StartMfaEnrollmentResponse)

Step one of the MFA enrollment process. In the SMS case, this sends an SMS verification code to the user.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

WithdrawMfa

rpc WithdrawMfa(WithdrawMfaRequest) returns (WithdrawMfaResponse)

Revokes one second factor from the enrolled second factors for an account.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AuthenticationService

Authentication for Identity Toolkit

FinalizeMfaSignIn

rpc FinalizeMfaSignIn(FinalizeMfaSignInRequest) returns (FinalizeMfaSignInResponse)

Verifies the MFA challenge and performs sign-in.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetPasswordPolicy

rpc GetPasswordPolicy(GetPasswordPolicyRequest) returns (PasswordPolicy)

Gets password policy config set on the project or tenant.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetRecaptchaConfig

rpc GetRecaptchaConfig(GetRecaptchaConfigRequest) returns (RecaptchaConfig)

Gets parameters needed for reCAPTCHA analysis.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

RevokeToken

rpc RevokeToken(RevokeTokenRequest) returns (RevokeTokenResponse)

Revokes a user's token from an Identity Provider (IdP). This is done by manually providing an IdP credential, and the token types for revocation.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

StartMfaSignIn

rpc StartMfaSignIn(StartMfaSignInRequest) returns (StartMfaSignInResponse)

Sends the MFA challenge.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AutoRetrievalInfo

The information required to auto-retrieve an SMS.

Fields
app_signature_hash

string

The Android app's signature hash for the Google Play services SMS Retriever API.

ClientType

The client's platform type: web, android or ios.

Enums
CLIENT_TYPE_UNSPECIFIED Client type is not specified.
CLIENT_TYPE_WEB Client type is web.
CLIENT_TYPE_ANDROID Client type is android.
CLIENT_TYPE_IOS Client type is ios.

FinalizeMfaEnrollmentRequest

Finishes enrolling a second factor for the user.

Fields
id_token

string

Required. ID token.

display_name

string

Display name entered by the user to distinguish between second factors of the same or different types.

tenant_id

string

The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project.

Union field verification_info. MFA enrollment information to be verified. verification_info can be only one of the following:
phone_verification_info

FinalizeMfaPhoneRequestInfo

Verification info to authorize sending an SMS for phone verification.

totp_verification_info

FinalizeMfaTotpEnrollmentRequestInfo

Verification information for TOTP.

FinalizeMfaEnrollmentResponse

FinalizeMfaEnrollment response.

Fields
id_token

string

ID token updated to reflect MFA enrollment.

refresh_token

string

Refresh token updated to reflect MFA enrollment.

Union field auxiliary_auth_info. MFA verified enrollment information. auxiliary_auth_info can be only one of the following:
phone_auth_info

FinalizeMfaPhoneResponseInfo

Auxiliary auth info specific to phone auth.

totp_auth_info

FinalizeMfaTotpEnrollmentResponseInfo

Auxiliary auth info specific to TOTP auth.

FinalizeMfaPhoneRequestInfo

Phone Verification info for a FinalizeMfa request.

Fields
session_info

string

An opaque string that represents the enrollment session.

code

string

User-entered verification code.

android_verification_proof

string

Android only. Used for "instant" phone number verification through GmsCore.

phone_number

string

Required if Android verification proof is presented.

FinalizeMfaPhoneResponseInfo

Phone Verification info for a FinalizeMfa response.

Fields
android_verification_proof

string

Android only. Long-lived replacement for a valid code, tied to the Android device.

android_verification_proof_expire_time

Timestamp

Android only. Expiration time of verification proof in seconds.

phone_number

string

For Android verification proof.

FinalizeMfaSignInRequest

Finalizes sign-in by verifying MFA challenge.

Fields
mfa_pending_credential

string

Required. Pending credential from first factor sign-in.

tenant_id

string

The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.

mfa_enrollment_id

string

The MFA enrollment ID from the user's list of current MFA enrollments.

Union field verification_info. Proof of completion of the MFA challenge. verification_info can be only one of the following:
phone_verification_info

FinalizeMfaPhoneRequestInfo

Proof of completion of the SMS based MFA challenge.

totp_verification_info

MfaTotpSignInRequestInfo

Proof of completion of the TOTP based MFA challenge.

FinalizeMfaSignInResponse

FinalizeMfaSignIn response.

Fields
id_token

string

ID token for the authenticated user.

refresh_token

string

Refresh token for the authenticated user.

Union field auxiliary_auth_info. MFA verified sign-in information. auxiliary_auth_info can be only one of the following:
phone_auth_info

FinalizeMfaPhoneResponseInfo

Extra phone auth info, including android verification proof.

FinalizeMfaTotpEnrollmentRequestInfo

Mfa request info specific to TOTP auth for FinalizeMfa.

Fields
session_info

string

An opaque string that represents the enrollment session.

verification_code

string

User-entered verification code.

FinalizeMfaTotpEnrollmentResponseInfo

This type has no fields.

Mfa response info specific to TOTP auth for FinalizeMfa.

GetPasswordPolicyRequest

The request for GetPasswordPolicy.

Fields
tenant_id

string

The id of a tenant.

GetRecaptchaConfigRequest

The request for GetRecaptchaConfig.

Fields
tenant_id

string

The id of a tenant.

client_type

ClientType

reCAPTCHA Enterprise uses separate site keys for different client types. Specify the client type to get the corresponding key.

version

RecaptchaVersion

The reCAPTCHA version.

MfaTotpSignInRequestInfo

TOTP verification info for FinalizeMfaSignInRequest.

Fields
verification_code

string

User-entered verification code.

PasswordPolicy

Configuration for password policy.

Fields
custom_strength_options

CustomStrengthOptions

The custom strength options enforced by the password policy.

schema_version

int32

Output only. Schema version number for the password policy.

allowed_non_alphanumeric_characters[]

string

Output only. Allowed characters which satisfy the non_alphanumeric requirement.

enforcement_state

EnforcementState

Output only. Which enforcement mode to use for the password policy.

force_upgrade_on_signin

bool

Users must have a password compliant with the password policy to sign in.

CustomStrengthOptions

Custom strength options to enforce on user passwords.

Fields
min_password_length

int32

Minimum password length. Range from 6 to 30.

max_password_length

int32

Maximum password length. No default max length.

contains_lowercase_character

bool

The password must contain a lower case character.

contains_uppercase_character

bool

The password must contain an upper case character.

contains_numeric_character

bool

The password must contain a number.

contains_non_alphanumeric_character

bool

The password must contain a non-alphanumeric character.

EnforcementState

Enforcement state for the password policy

Enums
ENFORCEMENT_STATE_UNSPECIFIED Enforcement state has not been set.
OFF Password Policy will not be used on the project.
ENFORCE Passwords non-compliant with the password policy will be rejected with an error thrown.
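
A pre-submission check built from the PasswordPolicy and CustomStrengthOptions fields above. This is an added example, not part of the API or its client libraries; the function names, the dict layout (proto field names as keys) and the Unicode-aware character tests are assumptions.

```python
# Constructed sample of a GetPasswordPolicy result; keys mirror the proto
# field names on this page (an assumption about how the caller decoded it).
SAMPLE_POLICY = {
    "enforcement_state": "ENFORCE",
    "force_upgrade_on_signin": True,
    "allowed_non_alphanumeric_characters": ["!", "@", "#", "$"],
    "custom_strength_options": {
        "min_password_length": 8,
        "contains_lowercase_character": True,
        "contains_uppercase_character": True,
        "contains_numeric_character": True,
        "contains_non_alphanumeric_character": True,
    },
}


def password_violations(password, policy):
    """Return the CustomStrengthOptions fields a candidate password fails."""
    if policy.get("enforcement_state") != "ENFORCE":
        return []  # OFF or unspecified: nothing is rejected
    opts = policy.get("custom_strength_options", {})
    allowed = set("".join(policy.get("allowed_non_alphanumeric_characters", [])))
    failed = []
    if len(password) < opts.get("min_password_length", 0):
        failed.append("min_password_length")
    # max_password_length has no default, so only check it when present.
    max_len = opts.get("max_password_length")
    if max_len and len(password) > max_len:
        failed.append("max_password_length")
    # Assumption: character classes use Python's Unicode-aware predicates.
    classes = {
        "contains_lowercase_character": str.islower,
        "contains_uppercase_character": str.isupper,
        "contains_numeric_character": str.isdigit,
        # Only characters the policy lists count as non-alphanumeric.
        "contains_non_alphanumeric_character": lambda ch: ch in allowed,
    }
    for field, matches in classes.items():
        if opts.get(field) and not any(matches(ch) for ch in password):
            failed.append(field)
    return failed


def must_upgrade_at_sign_in(password, policy):
    """True when force_upgrade_on_signin would block this existing password."""
    return bool(policy.get("force_upgrade_on_signin")) and bool(
        password_violations(password, policy))
```

The server remains the authority on compliance; a local check like this only gives the user early feedback.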

RecaptchaConfig

Configuration for reCAPTCHA

Fields
recaptcha_enforcement_state[]

RecaptchaEnforcementState

The reCAPTCHA enforcement state for the providers for which GCIP supports reCAPTCHA protection.

recaptcha_key

string

The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}". This will only be returned when the reCAPTCHA enforcement state is AUDIT or ENFORCE on at least one of the reCAPTCHA providers.

use_sms_bot_score

bool

Whether to use the rCE bot score for the reCAPTCHA phone provider.

use_sms_toll_fraud_protection

bool

Whether to use the rCE SMS toll fraud protection risk score for the reCAPTCHA phone provider.

RecaptchaEnforcementState

Enforcement states for reCAPTCHA protection.

Fields
provider

RecaptchaProvider

The provider that has reCAPTCHA protection.

enforcement_state

EnforcementState

The reCAPTCHA enforcement state for the provider.

EnforcementState

Enforcement states for reCAPTCHA protection per provider.

Enums
ENFORCEMENT_STATE_UNSPECIFIED Enforcement state has not been set.
OFF Unenforced.
AUDIT reCAPTCHA assessment is created, result is not used to enforce.
ENFORCE reCAPTCHA assessment is created, result is used to enforce.

RecaptchaProvider

The GCIP providers that support reCAPTCHA protection.

Enums
RECAPTCHA_PROVIDER_UNSPECIFIED reCAPTCHA provider not specified
EMAIL_PASSWORD_PROVIDER Email password provider
PHONE_PROVIDER Phone auth provider

RecaptchaVersion

The reCAPTCHA version.

Enums
RECAPTCHA_VERSION_UNSPECIFIED The reCAPTCHA version is not specified.
RECAPTCHA_ENTERPRISE The reCAPTCHA enterprise.

RevokeTokenRequest

Request message for RevokeToken.

Fields
provider_id

string

Required. The IdP for the token. Currently only Apple IdP is supported. The format should be "apple.com".

token_type

TokenType

Required. The type of the token to be revoked.

token

string

Required. The token to be revoked. If an authorization_code is passed in, the API will first exchange the code for an access token and then revoke the exchanged token.

id_token

string

Required. A valid Identity Platform ID token to link the account. If the account already had a successful token revocation request and no tokens were generated after that revocation, duplicate requests are ignored and return immediately.

tenant_id

string

The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.

redirect_uri

string

The redirect URI provided in the initial authorization request made by the client to the IdP. The URI must use the HTTPS protocol, include a domain name, and can't contain an IP address or localhost. Required if token_type is CODE.

TokenType

The type of the token to be revoked.

Enums
TOKEN_TYPE_UNSPECIFIED Default value, do not use.
REFRESH_TOKEN Token type is refresh_token.
ACCESS_TOKEN Token type is access_token.
CODE Token type is authorization_code.
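
A pre-flight validator for a RevokeTokenRequest, applying the field rules stated above before the request is sent. This is an added example, not part of the API; the function names and message strings are assumptions, and "include a domain name" is interpreted here as a non-empty host that is neither an IP literal nor localhost.

```python
import ipaddress
from urllib.parse import urlsplit

REVOCABLE_TOKEN_TYPES = {"REFRESH_TOKEN", "ACCESS_TOKEN", "CODE"}


def redirect_uri_problems(uri):
    """Check redirect_uri: HTTPS, a domain name, no IP address, no localhost."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
    except ValueError:  # e.g. an unterminated IPv6 bracket
        return ["redirect_uri is not a valid URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("redirect_uri must use HTTPS")
    if not host:
        problems.append("redirect_uri must include a domain name")
    elif host == "localhost":
        problems.append("redirect_uri can't be localhost")
    else:
        try:
            ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
            problems.append("redirect_uri can't contain an IP address")
        except ValueError:
            pass  # not an IP literal, so treated as a domain name
    return problems


def revoke_request_problems(req):
    """Return every rule a RevokeTokenRequest-shaped dict breaks."""
    problems = [f"{name} is required"
                for name in ("provider_id", "token_type", "token", "id_token")
                if not req.get(name)]
    if req.get("provider_id") and req["provider_id"] != "apple.com":
        problems.append('provider_id must be "apple.com"')
    token_type = req.get("token_type")
    if token_type and token_type not in REVOCABLE_TOKEN_TYPES:
        problems.append("token_type must be REFRESH_TOKEN, ACCESS_TOKEN or CODE")
    if token_type == "CODE" and not req.get("redirect_uri"):
        problems.append("redirect_uri is required when token_type is CODE")
    if req.get("redirect_uri"):
        problems.extend(redirect_uri_problems(req["redirect_uri"]))
    return problems


# Constructed sample request; the token values are placeholders.
SAMPLE_REQUEST = {
    "provider_id": "apple.com",
    "token_type": "CODE",
    "token": "constructed-authorization-code",
    "id_token": "constructed-id-token",
    "redirect_uri": "https://app.example.com/callback",
}
```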

RevokeTokenResponse

This type has no fields.

Response message for RevokeToken. Empty for now.

StartMfaEnrollmentRequest

Sends MFA enrollment verification SMS for a user.

Fields
id_token

string

Required. User's ID token.

tenant_id

string

The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project.

Union field enrollment_info. MFA information by type of 2nd factor. enrollment_info can be only one of the following:
phone_enrollment_info

StartMfaPhoneRequestInfo

Verification info to authorize sending an SMS for phone verification.

totp_enrollment_info

StartMfaTotpEnrollmentRequestInfo

Sign-in info specific to TOTP auth.

StartMfaEnrollmentResponse

StartMfaEnrollment response.

Fields
Union field enrollment_response. MFA start enrollment response by 2nd factor type. enrollment_response can be only one of the following:
phone_session_info

StartMfaPhoneResponseInfo

Verification info to authorize sending an SMS for phone verification.

totp_session_info

StartMfaTotpEnrollmentResponseInfo

Enrollment response info specific to TOTP auth.

StartMfaPhoneRequestInfo

App Verification info for a StartMfa request.

Fields
phone_number

string

Required for enrollment. Phone number to be enrolled as MFA.

ios_receipt

string

iOS only. Receipt of successful app token validation with APNS.

ios_secret

string

iOS only. Secret delivered to iOS app via APNS.

recaptcha_token

string

Web only. reCAPTCHA solution.

auto_retrieval_info

AutoRetrievalInfo

Android only. Used by Google Play Services to identify the app for auto-retrieval.

safety_net_token

string

Android only. Used to assert application identity in place of a recaptcha token. A SafetyNet Token can be generated via the SafetyNet Android Attestation API, with the Base64 encoding of the phone_number field as the nonce.

play_integrity_token

string

Android only. Used to assert application identity in place of a recaptcha token (or safety net token). A Play Integrity Token can be generated via the PlayIntegrity API, with the SHA256 of the phone_number field as the nonce.

captcha_response

string

The reCAPTCHA Enterprise token provided by the reCAPTCHA client-side integration. Required when reCAPTCHA enterprise is enabled.

client_type

ClientType

The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled.

recaptcha_version

RecaptchaVersion

The reCAPTCHA version of the reCAPTCHA token in the captcha_response. Required when reCAPTCHA Enterprise is enabled.

StartMfaPhoneResponseInfo

Phone Verification info for a StartMfa response.

Fields
session_info

string

An opaque string that represents the enrollment session.

StartMfaSignInRequest

Starts multi-factor sign-in by sending the multi-factor auth challenge.

Fields
mfa_pending_credential

string

Required. Pending credential from first factor sign-in.

mfa_enrollment_id

string

Required. MFA enrollment id from the user's list of current MFA enrollments.

tenant_id

string

The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.

Union field sign_in_info. MFA information by type of 2nd factor. sign_in_info can be only one of the following:
phone_sign_in_info

StartMfaPhoneRequestInfo

Verification info to authorize sending an SMS for phone verification.

StartMfaSignInResponse

StartMfaSignIn response.

Fields
Union field response_info. MultiFactor start sign-in response by 2nd factor type. response_info can be only one of the following:
phone_response_info

StartMfaPhoneResponseInfo

MultiFactor sign-in session information specific to SMS-type second factors. Along with the one-time code retrieved from the sent SMS, the contents of this session information should be passed to FinalizeMfaSignIn to complete the sign in.

StartMfaTotpEnrollmentRequestInfo

This type has no fields.

Mfa request info specific to TOTP auth for StartMfa.

StartMfaTotpEnrollmentResponseInfo

Mfa response info specific to TOTP auth for StartMfa.

Fields
shared_secret_key

string

A base 32 encoded string that represents the shared TOTP secret.

The base 32 encoding is the one specified by RFC4648#section-6. (This is the same as the base 32 encoding from RFC3548#section-5.)

verification_code_length

int32

The length of the verification code that needs to be generated.

hashing_algorithm

string

The hashing algorithm used to generate the verification code.

period_sec

int32

Duration in seconds at which the verification code will change.

session_info

string

An encoded string that represents the enrollment session.

finalize_enrollment_time

Timestamp

The time by which the enrollment must finish.
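
How the StartMfaTotpEnrollmentResponseInfo fields combine into the verification code that FinalizeMfaEnrollment expects, following RFC 6238. This is an added example, not part of the API or its client libraries; the function names, the dict layout and the assumption that hashing_algorithm is a name such as "SHA1" are not from the reference.

```python
import base64
import hashlib
import hmac
import struct

# Assumption: hashing_algorithm is a name such as "SHA1" or "SHA256";
# the reference does not enumerate the accepted strings.
DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_shared_secret(shared_secret_key):
    """Decode the RFC 4648 section 6 base32 secret.

    Tolerates spaces, lowercase and stripped '=' padding, which are common
    when a secret is shown to a user or embedded in a QR code.
    """
    cleaned = shared_secret_key.replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(info, unix_time):
    """RFC 6238 code for a StartMfaTotpEnrollmentResponseInfo-shaped dict."""
    digest = DIGESTS[info["hashing_algorithm"].upper().replace("-", "")]
    key = decode_shared_secret(info["shared_secret_key"])
    counter = int(unix_time) // info["period_sec"]
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    digits = info["verification_code_length"]
    return str(value % 10 ** digits).zfill(digits)


def seconds_until_rollover(info, unix_time):
    """Seconds left before the code for this period stops being current."""
    return info["period_sec"] - int(unix_time) % info["period_sec"]


# Constructed sample: the RFC 6238 test secret, not a real enrollment response.
SAMPLE_INFO = {
    "shared_secret_key": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "verification_code_length": 6,
    "hashing_algorithm": "SHA1",
    "period_sec": 30,
}

if __name__ == "__main__":
    print(totp_code(SAMPLE_INFO, 59), seconds_until_rollover(SAMPLE_INFO, 59))
```

The shared secret is equivalent to the second factor itself, so keep it out of logs and analytics and discard it once enrollment is finalized.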

WithdrawMfaRequest

Withdraws MFA.

Fields
id_token

string

Required. User's ID token.

mfa_enrollment_id

string

Required. MFA enrollment id from a current MFA enrollment.

tenant_id

string

The ID of the Identity Platform tenant that the user unenrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project.

WithdrawMfaResponse

Withdraws MultiFactorAuth response.

Fields
id_token

string

ID token updated to reflect removal of the second factor.

refresh_token

string

Refresh token updated to reflect removal of the second factor.