TenantAwareAuth class

Tenant-aware Auth interface used for managing users, configuring SAML/OIDC providers, and generating email links for password reset, email verification, etc., for specific tenants.

Multi-tenancy support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.

Each tenant contains its own identity providers, settings and sets of users. Using TenantAwareAuth, users for a specific tenant and corresponding OIDC/SAML configurations can also be managed, ID tokens for users signed in to a specific tenant can be verified, and email action links can also be generated for users belonging to the tenant.

TenantAwareAuth instances for a specific tenantId can be instantiated by calling TenantManager.authForTenant.

Properties

app FirebaseApp
final, inherited
hashCode int
The hash code for this object.
no setter, inherited
runtimeType Type
A representation of the runtime type of the object.
no setter, inherited
tenantId String
The tenant identifier corresponding to this TenantAwareAuth instance. All calls to the user management APIs, OIDC/SAML provider management APIs, email link generation APIs, etc., are applied only within the scope of this tenant.
final

Methods

createCustomToken(String uid, {Map<String, Object?>? developerClaims}) Future<String>
Creates a new Firebase custom token (JWT) that can be sent back to a client device to use to sign in with the client SDKs' signInWithCustomToken() methods. (Tenant-aware instances will also embed the tenant ID in the token.)
inherited
createProviderConfig(AuthProviderConfig config) Future<AuthProviderConfig>
Returns a Future that completes with the newly created AuthProviderConfig when the new provider configuration is created.
inherited
createSessionCookie(String idToken, SessionCookieOptions sessionCookieOptions) Future<String>
Creates a new Firebase session cookie with the specified options that can be used for session management (set as a server side session cookie with custom cookie policy). The session cookie JWT will have the same payload claims as the provided ID token.
createUser(CreateRequest properties) Future<UserRecord>
Creates a new user.
inherited
deleteProviderConfig(String providerId) Future<void>
Deletes the provider configuration corresponding to the provider ID passed. If the specified ID does not exist, an auth/configuration-not-found error is thrown.
inherited
deleteUser(String uid) Future<void>
Deletes an existing user.
inherited
deleteUsers(List<String> uids) Future<DeleteUsersResult>
Deletes the users specified by the given uids.
inherited
Generates the out of band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.
inherited
Generates the out of band email action link to reset a user's password. The link is generated for the user with the specified email address. The optional ActionCodeSettings object defines whether the link is to be handled by a mobile app or browser and the additional state information to be passed in the deep link, etc.
inherited
Generates the out of band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.
inherited
Generates an out-of-band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.
inherited
getProviderConfig(String providerId) Future<AuthProviderConfig>
Looks up an Auth provider configuration by the provided ID. Returns a Future that completes with the provider configuration corresponding to the provider ID specified. If the specified ID does not exist, an auth/configuration-not-found error is thrown.
inherited
getUser(String uid) Future<UserRecord>
Gets the user data for the user corresponding to a given uid.
inherited
getUserByEmail(String email) Future<UserRecord>
Gets the user data for the user corresponding to a given email.
inherited
getUserByPhoneNumber(String phoneNumber) Future<UserRecord>
Gets the user data for the user corresponding to a given phone number. The phone number has to conform to the E.164 specification.
inherited
getUserByProviderUid({required String providerId, required String uid}) Future<UserRecord>
Gets the user data for the user corresponding to a given provider id.
inherited
getUsers(List<UserIdentifier> identifiers) Future<GetUsersResult>
Gets the user data corresponding to the specified identifiers.
inherited
importUsers(List<UserImportRecord> users, [UserImportOptions? options]) Future<UserImportResult>
Imports the provided list of users into Firebase Auth. A maximum of 1000 users are allowed to be imported one at a time. When importing users with passwords, UserImportOptions are required to be specified. This operation is optimized for bulk imports and will ignore checks on uid, email and other identifier uniqueness which could result in duplications.
inherited
listProviderConfigs(AuthProviderConfigFilter options) Future<ListProviderConfigResults>
Returns the list of existing provider configurations matching the filter provided. At most, 100 provider configs can be listed at a time.
inherited
listUsers({int? maxResults, String? pageToken}) Future<ListUsersResult>
Retrieves a list of users (single batch only) with a size of maxResults starting from the offset as specified by pageToken. This is used to retrieve all the users of a specified project in batches.
inherited
noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
revokeRefreshTokens(String uid) Future<void>
Revokes all refresh tokens for an existing user.
inherited
setCustomUserClaims(String uid, {Map<String, Object?>? customUserClaims}) Future<void>
Sets additional developer claims on an existing user identified by the provided uid, typically used to define user roles and levels of access. These claims should propagate to all devices where the user is already signed in (after token expiration or when token refresh is forced) and the next time the user signs in. If a reserved OIDC claim name is used (sub, iat, iss, etc.), an error is thrown. The claims are set on the authenticated user's ID token JWT.
inherited
toString() String
A string representation of this object.
inherited
updateProviderConfig(String providerId, UpdateAuthProviderRequest updatedConfig) Future<AuthProviderConfig>
Returns a Future that completes with the updated AuthProviderConfig corresponding to the provider ID specified. If the specified ID does not exist, an auth/configuration-not-found error is thrown.
inherited
updateUser(String uid, UpdateRequest properties) Future<UserRecord>
Updates an existing user.
inherited
verifyIdToken(String idToken, {bool checkRevoked = false}) Future<DecodedIdToken>
Verifies a Firebase ID token (JWT). If the token is valid and its tenant_id claim matches this tenant's ID, the returned Future is completed with the token's decoded claims; otherwise, the Future is rejected with an error.
verifySessionCookie(String sessionCookie, {bool checkRevoked = false}) Future<DecodedIdToken>
Verifies a Firebase session cookie. Returns a Future with the session cookie's decoded claims if the session cookie is valid and its tenant_id claim matches this tenant's ID; otherwise, a rejected Future.
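The tenant check in verifyIdToken only isolates tenants if the server, not the caller, decides which tenant's TenantAwareAuth does the verifying. The sketch below is an added example, not code from the package or its documentation: the import path, the hostToTenant map, its placeholder tenant IDs and the authenticate function are assumptions, as is authForTenant taking the tenant ID and returning the instance synchronously.

```dart
// Added example: import path is an assumption about how the package
// exposes TenantManager, TenantAwareAuth and DecodedIdToken.
import 'package:dart_firebase_admin/auth.dart';

/// Constructed server-side mapping from request host to tenant ID.
/// The tenant IDs are placeholders, not real identifiers.
const hostToTenant = <String, String>{
  'acme.example.com': 'TENANT_ID_ACME',
  'globex.example.com': 'TENANT_ID_GLOBEX',
};

/// Hypothetical request guard. Returns the decoded claims only when the
/// token verifies against the tenant that owns [host]; otherwise null.
Future<DecodedIdToken?> authenticate(
  TenantManager tenantManager,
  String host,
  String? authorizationHeader,
) async {
  // 1. Resolve the tenant from server-controlled data. Never read the
  //    tenant from the unverified token or from a client-supplied field.
  final tenantId = hostToTenant[host.toLowerCase()];
  if (tenantId == null) return null;

  // 2. Extract the bearer token; reject anything malformed.
  const prefix = 'Bearer ';
  if (authorizationHeader == null ||
      !authorizationHeader.startsWith(prefix)) {
    return null;
  }
  final idToken = authorizationHeader.substring(prefix.length).trim();
  if (idToken.isEmpty) return null;

  // 3. Verify with the tenant-scoped instance. A token issued for another
  //    tenant is rejected because its tenant claim does not match.
  //    checkRevoked: true also rejects tokens whose refresh tokens were
  //    revoked (see revokeRefreshTokens).
  final tenantAuth = tenantManager.authForTenant(tenantId);
  try {
    return await tenantAuth.verifyIdToken(idToken, checkRevoked: true);
  } on Exception {
    // Fail closed: treat every verification error as unauthenticated.
    return null;
  }
}
```

The same pattern applies to verifySessionCookie: pick the tenant from the host or route first, then verify the cookie with that tenant's instance.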

Operators

operator ==(Object other) bool
The equality operator.
inherited