batchCreate(targetProjectId, tenantId, body=None, x__xgafv=None)
Uploads multiple accounts into the Google Cloud project. If there is a problem uploading one or more of the accounts, the rest will be uploaded, and a list of the errors will be returned. To use this method requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
batchDelete(targetProjectId, tenantId, body=None, x__xgafv=None)
Batch deletes multiple accounts. For accounts that fail to be deleted, error info is contained in the response. The method ignores accounts that do not exist or are duplicated in the request. This method requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
Download account information for all accounts on the project in a paginated manner. To use this method requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).. Furthermore, additional permissions are needed to get password hash, password salt, and password version from accounts; otherwise these fields are redacted.
Retrieves the next page of results.
Close httplib2 connections.
delete(targetProjectId, tenantId, body=None, x__xgafv=None)
Deletes a user's account.
lookup(targetProjectId, tenantId, body=None, x__xgafv=None)
Gets account information for all matched accounts. For an end user request, retrieves the account of the end user. For an admin request with Google OAuth 2.0 credential, retrieves one or multiple account(s) with matching criteria.
query(targetProjectId, tenantId, body=None, x__xgafv=None)
Looks up user accounts within a project or a tenant based on conditions in the request.
sendOobCode(targetProjectId, tenantId, body=None, x__xgafv=None)
Sends an out-of-band confirmation code for an account. Requests from a authenticated request can optionally return a link including the OOB code instead of sending it.
update(targetProjectId, tenantId, body=None, x__xgafv=None)
Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.
batchCreate(targetProjectId, tenantId, body=None, x__xgafv=None)
Uploads multiple accounts into the Google Cloud project. If there is a problem uploading one or more of the accounts, the rest will be uploaded, and a list of the errors will be returned. To use this method requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
Args:
targetProjectId: string, The Project ID of the Identity Platform project which the account belongs to. (required)
tenantId: string, The ID of the Identity Platform tenant the account belongs to. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for UploadAccount.
"allowOverwrite": True or False, # Whether to overwrite an existing account in Identity Platform with a matching `local_id` in the request. If true, the existing account will be overwritten. If false, an error will be returned.
"argon2Parameters": { # The parameters for Argon2 hashing algorithm. # The parameters for Argon2 hashing algorithm.
"associatedData": "A String", # The additional associated data, if provided, is appended to the hash value to provide an additional layer of security. A base64-encoded string if specified via JSON.
"hashLengthBytes": 42, # Required. The desired hash length in bytes. Minimum is 4 and maximum is 1024.
"hashType": "A String", # Required. Must not be HASH_TYPE_UNSPECIFIED.
"iterations": 42, # Required. The number of iterations to perform. Minimum is 1, maximum is 16.
"memoryCostKib": 42, # Required. The memory cost in kibibytes. Maximum is 32768.
"parallelism": 42, # Required. The degree of parallelism, also called threads or lanes. Minimum is 1, maximum is 16.
"version": "A String", # The version of the Argon2 algorithm. This defaults to VERSION_13 if not specified.
},
"blockSize": 42, # The block size parameter used by the STANDARD_SCRYPT hashing function. This parameter, along with parallelization and cpu_mem_cost help tune the resources needed to hash a password, and should be tuned as processor speeds and memory technologies advance.
"cpuMemCost": 42, # The CPU memory cost parameter to be used by the STANDARD_SCRYPT hashing function. This parameter, along with block_size and cpu_mem_cost help tune the resources needed to hash a password, and should be tuned as processor speeds and memory technologies advance.
"delegatedProjectNumber": "A String",
"dkLen": 42, # The desired key length for the STANDARD_SCRYPT hashing function. Must be at least 1.
"hashAlgorithm": "A String", # Required. The hashing function used to hash the account passwords. Must be one of the following: * HMAC_SHA256 * HMAC_SHA1 * HMAC_MD5 * SCRYPT * PBKDF_SHA1 * MD5 * HMAC_SHA512 * SHA1 * BCRYPT * PBKDF2_SHA256 * SHA256 * SHA512 * STANDARD_SCRYPT * ARGON2
"memoryCost": 42, # Memory cost for hash calculation. Only required when the hashing function is SCRYPT.
"parallelization": 42, # The parallelization cost parameter to be used by the STANDARD_SCRYPT hashing function. This parameter, along with block_size and cpu_mem_cost help tune the resources needed to hash a password, and should be tuned as processor speeds and memory technologies advance.
"passwordHashOrder": "A String", # Password and salt order when verify password.
"rounds": 42, # The number of rounds used for hash calculation. Only required for the following hashing functions: * MD5 * SHA1 * SHA256 * SHA512 * PBKDF_SHA1 * PBKDF2_SHA256 * SCRYPT
"saltSeparator": "A String", # One or more bytes to be inserted between the salt and plain text password. For stronger security, this should be a single non-printable character.
"sanityCheck": True or False, # If true, the service will do the following list of checks before an account is uploaded: * Duplicate emails * Duplicate federated IDs * Federated ID provider validation If the duplication exists within the list of accounts to be uploaded, it will prevent the entire list from being uploaded. If the email or federated ID is a duplicate of a user already within the project/tenant, the account will not be uploaded, but the rest of the accounts will be unaffected. If false, these checks will be skipped.
"signerKey": "A String", # The signer key used to hash the password. Required for the following hashing functions: * SCRYPT, * HMAC_MD5, * HMAC_SHA1, * HMAC_SHA256, * HMAC_SHA512
"tenantId": "A String", # The ID of the Identity Platform tenant the account belongs to.
"users": [ # A list of accounts to upload. `local_id` is required for each user; everything else is optional.
{ # An Identity Platform account's information.
"createdAt": "A String", # The time, in milliseconds from epoch, when the account was created.
"customAttributes": "A String", # Custom claims to be added to any ID tokens minted for the account. Should be at most 1,000 characters in length and in valid JSON format.
"customAuth": True or False, # Output only. Whether this account has been authenticated using SignInWithCustomToken.
"dateOfBirth": "A String", # Output only. The date of birth set for the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"disabled": True or False, # Whether the account is disabled. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions.
"displayName": "A String", # The display name of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"email": "A String", # The account's email address. The length of the email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"emailLinkSignin": True or False, # Output only. Whether the account can authenticate with email link.
"emailVerified": True or False, # Whether the account's email address has been verified.
"initialEmail": "A String", # The first email address associated with this account. The account's initial email cannot be changed once set and is used to recover access to this account if lost via the RECOVER_EMAIL flow in GetOobCode. Should match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"language": "A String", # Output only. The language preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"lastLoginAt": "A String", # The last time, in milliseconds from epoch, this account was logged into.
"lastRefreshAt": "A String", # Timestamp when an ID token was last minted for this account.
"localId": "A String", # Immutable. The unique ID of the account.
"mfaInfo": [ # Information on which multi-factor authentication providers are enabled for this account.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"passwordHash": "A String", # The account's hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"passwordUpdatedAt": 3.14, # The timestamp, in milliseconds from the epoch of 1970-01-01T00:00:00Z, when the account's password was last updated.
"phoneNumber": "A String", # The account's phone number.
"photoUrl": "A String", # The URL of the account's profile photo. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"providerUserInfo": [ # Information about the user as provided by various Identity Providers.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"rawPassword": "A String", # Input only. Plain text password used to update a account's password. This field is only ever used as input in a request. Identity Platform uses cryptographically secure hashing when managing passwords and will never store or transmit a user's password in plain text.
"salt": "A String", # The account's password salt. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
"screenName": "A String", # Output only. This account's screen name at Twitter or login name at GitHub.
"tenantId": "A String", # ID of the tenant this account belongs to. Only set if this account belongs to a tenant.
"timeZone": "A String", # Output only. The time zone preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"validSince": "A String", # Oldest timestamp, in seconds since epoch, that an ID token should be considered valid. All ID tokens issued before this time are considered invalid.
"version": 42, # The version of the account's password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
},
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for UploadAccount.
"error": [ # Detailed error info for accounts that cannot be uploaded.
{ # Error information explaining why an account cannot be uploaded. batch upload.
"index": 42, # The index of the item, range is [0, request.size - 1]
"message": "A String", # Detailed error message
},
],
"kind": "A String",
}
batchDelete(targetProjectId, tenantId, body=None, x__xgafv=None)
Batch deletes multiple accounts. For accounts that fail to be deleted, error info is contained in the response. The method ignores accounts that do not exist or are duplicated in the request. This method requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
Args:
targetProjectId: string, If `tenant_id` is specified, the ID of the Google Cloud project that the Identity Platform tenant belongs to. Otherwise, the ID of the Google Cloud project that accounts belong to. (required)
tenantId: string, If the accounts belong to an Identity Platform tenant, the ID of the tenant. If the accounts belong to a default Identity Platform project, the field is not needed. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for BatchDeleteAccounts.
"force": True or False, # Whether to force deleting accounts that are not in disabled state. If false, only disabled accounts will be deleted, and accounts that are not disabled will be added to the `errors`.
"localIds": [ # Required. List of user IDs to be deleted.
"A String",
],
"tenantId": "A String", # If the accounts belong to an Identity Platform tenant, the ID of the tenant. If the accounts belong to a default Identity Platform project, the field is not needed.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message to BatchDeleteAccounts.
"errors": [ # Detailed error info for accounts that cannot be deleted.
{ # Error info for account failed to be deleted.
"index": 42, # The index of the errored item in the original local_ids field.
"localId": "A String", # The corresponding user ID.
"message": "A String", # Detailed error message.
},
],
}
batchGet(targetProjectId, tenantId, delegatedProjectNumber=None, maxResults=None, nextPageToken=None, x__xgafv=None)
Download account information for all accounts on the project in a paginated manner. To use this method requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).. Furthermore, additional permissions are needed to get password hash, password salt, and password version from accounts; otherwise these fields are redacted.
Args:
targetProjectId: string, If `tenant_id` is specified, the ID of the Google Cloud project that the Identity Platform tenant belongs to. Otherwise, the ID of the Google Cloud project that the accounts belong to. (required)
tenantId: string, The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned. (required)
delegatedProjectNumber: string, A parameter
maxResults: integer, The maximum number of results to return. Must be at least 1 and no greater than 1000. By default, it is 20.
nextPageToken: string, The pagination token from the response of a previous request.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for DownloadAccount.
"kind": "A String",
"nextPageToken": "A String", # If there are more accounts to be downloaded, a token that can be passed back to DownloadAccount to get more accounts. Otherwise, this is blank.
"users": [ # All accounts belonging to the project/tenant limited by max_results in the request.
{ # An Identity Platform account's information.
"createdAt": "A String", # The time, in milliseconds from epoch, when the account was created.
"customAttributes": "A String", # Custom claims to be added to any ID tokens minted for the account. Should be at most 1,000 characters in length and in valid JSON format.
"customAuth": True or False, # Output only. Whether this account has been authenticated using SignInWithCustomToken.
"dateOfBirth": "A String", # Output only. The date of birth set for the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"disabled": True or False, # Whether the account is disabled. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions.
"displayName": "A String", # The display name of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"email": "A String", # The account's email address. The length of the email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"emailLinkSignin": True or False, # Output only. Whether the account can authenticate with email link.
"emailVerified": True or False, # Whether the account's email address has been verified.
"initialEmail": "A String", # The first email address associated with this account. The account's initial email cannot be changed once set and is used to recover access to this account if lost via the RECOVER_EMAIL flow in GetOobCode. Should match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"language": "A String", # Output only. The language preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"lastLoginAt": "A String", # The last time, in milliseconds from epoch, this account was logged into.
"lastRefreshAt": "A String", # Timestamp when an ID token was last minted for this account.
"localId": "A String", # Immutable. The unique ID of the account.
"mfaInfo": [ # Information on which multi-factor authentication providers are enabled for this account.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"passwordHash": "A String", # The account's hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"passwordUpdatedAt": 3.14, # The timestamp, in milliseconds from the epoch of 1970-01-01T00:00:00Z, when the account's password was last updated.
"phoneNumber": "A String", # The account's phone number.
"photoUrl": "A String", # The URL of the account's profile photo. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"providerUserInfo": [ # Information about the user as provided by various Identity Providers.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"rawPassword": "A String", # Input only. Plain text password used to update a account's password. This field is only ever used as input in a request. Identity Platform uses cryptographically secure hashing when managing passwords and will never store or transmit a user's password in plain text.
"salt": "A String", # The account's password salt. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
"screenName": "A String", # Output only. This account's screen name at Twitter or login name at GitHub.
"tenantId": "A String", # ID of the tenant this account belongs to. Only set if this account belongs to a tenant.
"timeZone": "A String", # Output only. The time zone preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"validSince": "A String", # Oldest timestamp, in seconds since epoch, that an ID token should be considered valid. All ID tokens issued before this time are considered invalid.
"version": 42, # The version of the account's password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
},
],
}
batchGet_next()
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
close()
Close httplib2 connections.
delete(targetProjectId, tenantId, body=None, x__xgafv=None)
Deletes a user's account.
Args:
targetProjectId: string, The ID of the project which the account belongs to. Should only be specified in authenticated requests that specify local_id of an account. (required)
tenantId: string, The ID of the tenant that the account belongs to, if applicable. Only require to be specified for authenticated requests bearing a Google OAuth 2.0 credential that specify local_id of an account that belongs to an Identity Platform tenant. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for DeleteAccount.
"delegatedProjectNumber": "A String",
"idToken": "A String", # The Identity Platform ID token of the account to delete. Require to be specified for requests from end users that lack Google OAuth 2.0 credential. Authenticated requests bearing a Google OAuth2 credential with proper permissions may pass local_id to specify the account to delete alternatively.
"localId": "A String", # The ID of user account to delete. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control). Requests from users lacking the credential should pass an ID token instead.
"targetProjectId": "A String", # The ID of the project which the account belongs to. Should only be specified in authenticated requests that specify local_id of an account.
"tenantId": "A String", # The ID of the tenant that the account belongs to, if applicable. Only require to be specified for authenticated requests bearing a Google OAuth 2.0 credential that specify local_id of an account that belongs to an Identity Platform tenant.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for DeleteAccount.
"kind": "A String",
}
lookup(targetProjectId, tenantId, body=None, x__xgafv=None)
Gets account information for all matched accounts. For an end user request, retrieves the account of the end user. For an admin request with Google OAuth 2.0 credential, retrieves one or multiple account(s) with matching criteria.
Args:
targetProjectId: string, The ID of the Google Cloud project that the account or the Identity Platform tenant specified by `tenant_id` belongs to. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control). (required)
tenantId: string, The ID of the tenant that the account belongs to. Should only be specified by authenticated requests from a developer. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for GetAccountInfo.
"delegatedProjectNumber": "A String",
"email": [ # The email address of one or more accounts to fetch. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. Should only be specified by authenticated requests from a developer.
"A String",
],
"federatedUserId": [ # The federated user identifier of one or more accounts to fetch. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
{ # Federated user identifier at an Identity Provider.
"providerId": "A String", # The ID of supported identity providers. This should be a provider ID enabled for sign-in, which is either from the list of [default supported IdPs](https://cloud.google.com/identity-platform/docs/reference/rest/v2/defaultSupportedIdps/list), or of the format `oidc.*` or `saml.*`. Some examples are `google.com`, `facebook.com`, `oidc.testapp`, and `saml.testapp`.
"rawId": "A String", # The user ID of the account at the third-party Identity Provider specified by `provider_id`.
},
],
"idToken": "A String", # The Identity Platform ID token of the account to fetch. Require to be specified for requests from end users.
"initialEmail": [ # The initial email of one or more accounts to fetch. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. Should only be specified by authenticated requests from a developer.
"A String",
],
"localId": [ # The ID of one or more accounts to fetch. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"A String",
],
"phoneNumber": [ # The phone number of one or more accounts to fetch. Should only be specified by authenticated requests from a developer and should be in E.164 format, for example, +15555555555.
"A String",
],
"targetProjectId": "A String", # The ID of the Google Cloud project that the account or the Identity Platform tenant specified by `tenant_id` belongs to. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"tenantId": "A String", # The ID of the tenant that the account belongs to. Should only be specified by authenticated requests from a developer.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for GetAccountInfo.
"kind": "A String",
"users": [ # The information of specific user account(s) matching the parameters in the request.
{ # An Identity Platform account's information.
"createdAt": "A String", # The time, in milliseconds from epoch, when the account was created.
"customAttributes": "A String", # Custom claims to be added to any ID tokens minted for the account. Should be at most 1,000 characters in length and in valid JSON format.
"customAuth": True or False, # Output only. Whether this account has been authenticated using SignInWithCustomToken.
"dateOfBirth": "A String", # Output only. The date of birth set for the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"disabled": True or False, # Whether the account is disabled. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions.
"displayName": "A String", # The display name of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"email": "A String", # The account's email address. The length of the email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"emailLinkSignin": True or False, # Output only. Whether the account can authenticate with email link.
"emailVerified": True or False, # Whether the account's email address has been verified.
"initialEmail": "A String", # The first email address associated with this account. The account's initial email cannot be changed once set and is used to recover access to this account if lost via the RECOVER_EMAIL flow in GetOobCode. Should match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"language": "A String", # Output only. The language preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"lastLoginAt": "A String", # The last time, in milliseconds from epoch, this account was logged into.
"lastRefreshAt": "A String", # Timestamp when an ID token was last minted for this account.
"localId": "A String", # Immutable. The unique ID of the account.
"mfaInfo": [ # Information on which multi-factor authentication providers are enabled for this account.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"passwordHash": "A String", # The account's hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"passwordUpdatedAt": 3.14, # The timestamp, in milliseconds from the epoch of 1970-01-01T00:00:00Z, when the account's password was last updated.
"phoneNumber": "A String", # The account's phone number.
"photoUrl": "A String", # The URL of the account's profile photo. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"providerUserInfo": [ # Information about the user as provided by various Identity Providers.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"rawPassword": "A String", # Input only. Plain text password used to update a account's password. This field is only ever used as input in a request. Identity Platform uses cryptographically secure hashing when managing passwords and will never store or transmit a user's password in plain text.
"salt": "A String", # The account's password salt. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
"screenName": "A String", # Output only. This account's screen name at Twitter or login name at GitHub.
"tenantId": "A String", # ID of the tenant this account belongs to. Only set if this account belongs to a tenant.
"timeZone": "A String", # Output only. The time zone preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"validSince": "A String", # Oldest timestamp, in seconds since epoch, that an ID token should be considered valid. All ID tokens issued before this time are considered invalid.
"version": 42, # The version of the account's password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
},
],
}
query(targetProjectId, tenantId, body=None, x__xgafv=None)
Looks up user accounts within a project or a tenant based on conditions in the request.
Args:
targetProjectId: string, The ID of the project to which the result is scoped. (required)
tenantId: string, The ID of the tenant to which the result is scoped. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for QueryUserInfo.
"expression": [ # Query conditions used to filter results. If more than one is passed, only the first SqlExpression is evaluated.
{ # Query conditions used to filter results.
"email": "A String", # A case insensitive string that the account's email should match. Only one of `email`, `phone_number`, or `user_id` should be specified in a SqlExpression. If more than one is specified, only the first (in that order) will be applied.
"phoneNumber": "A String", # A string that the account's phone number should match. Only one of `email`, `phone_number`, or `user_id` should be specified in a SqlExpression. If more than one is specified, only the first (in that order) will be applied.
"userId": "A String", # A string that the account's local ID should match. Only one of `email`, `phone_number`, or `user_id` should be specified in a SqlExpression If more than one is specified, only the first (in that order) will be applied.
},
],
"limit": "A String", # The maximum number of accounts to return with an upper limit of __500__. Defaults to _500_. Only valid when `return_user_info` is set to `true`.
"offset": "A String", # The number of accounts to skip from the beginning of matching records. Only valid when `return_user_info` is set to `true`.
"order": "A String", # The order for sorting query result. Defaults to __ascending__ order. Only valid when `return_user_info` is set to `true`.
"returnUserInfo": True or False, # If `true`, this request will return the accounts matching the query. If `false`, only the __count__ of accounts matching the query will be returned. Defaults to `true`.
"sortBy": "A String", # The field to use for sorting user accounts. Defaults to `USER_ID`. Note: when `phone_number` is specified in `expression`, the result ignores the sorting. Only valid when `return_user_info` is set to `true`.
"tenantId": "A String", # The ID of the tenant to which the result is scoped.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for QueryUserInfo.
"recordsCount": "A String", # If `return_user_info` in the request is true, this is the number of returned accounts in this message. Otherwise, this is the total number of accounts matching the query.
"userInfo": [ # If `return_user_info` in the request is true, this is the accounts matching the query.
{ # An Identity Platform account's information.
"createdAt": "A String", # The time, in milliseconds from epoch, when the account was created.
"customAttributes": "A String", # Custom claims to be added to any ID tokens minted for the account. Should be at most 1,000 characters in length and in valid JSON format.
"customAuth": True or False, # Output only. Whether this account has been authenticated using SignInWithCustomToken.
"dateOfBirth": "A String", # Output only. The date of birth set for the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"disabled": True or False, # Whether the account is disabled. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions.
"displayName": "A String", # The display name of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"email": "A String", # The account's email address. The length of the email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"emailLinkSignin": True or False, # Output only. Whether the account can authenticate with email link.
"emailVerified": True or False, # Whether the account's email address has been verified.
"initialEmail": "A String", # The first email address associated with this account. The account's initial email cannot be changed once set and is used to recover access to this account if lost via the RECOVER_EMAIL flow in GetOobCode. Should match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec.
"language": "A String", # Output only. The language preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"lastLoginAt": "A String", # The last time, in milliseconds from epoch, this account was logged into.
"lastRefreshAt": "A String", # Timestamp when an ID token was last minted for this account.
"localId": "A String", # Immutable. The unique ID of the account.
"mfaInfo": [ # Information on which multi-factor authentication providers are enabled for this account.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
"passwordHash": "A String", # The account's hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"passwordUpdatedAt": 3.14, # The timestamp, in milliseconds from the epoch of 1970-01-01T00:00:00Z, when the account's password was last updated.
"phoneNumber": "A String", # The account's phone number.
"photoUrl": "A String", # The URL of the account's profile photo. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"providerUserInfo": [ # Information about the user as provided by various Identity Providers.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"rawPassword": "A String", # Input only. Plain text password used to update a account's password. This field is only ever used as input in a request. Identity Platform uses cryptographically secure hashing when managing passwords and will never store or transmit a user's password in plain text.
"salt": "A String", # The account's password salt. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
"screenName": "A String", # Output only. This account's screen name at Twitter or login name at GitHub.
"tenantId": "A String", # ID of the tenant this account belongs to. Only set if this account belongs to a tenant.
"timeZone": "A String", # Output only. The time zone preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
"validSince": "A String", # Oldest timestamp, in seconds since epoch, that an ID token should be considered valid. All ID tokens issued before this time are considered invalid.
"version": 42, # The version of the account's password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
},
],
}
sendOobCode(targetProjectId, tenantId, body=None, x__xgafv=None)
Sends an out-of-band confirmation code for an account. Requests from a authenticated request can optionally return a link including the OOB code instead of sending it.
Args:
targetProjectId: string, The Project ID of the Identity Platform project which the account belongs to. To specify this field, it requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control). (required)
tenantId: string, The tenant ID of the Identity Platform tenant the account belongs to. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for GetOobCode.
"androidInstallApp": True or False, # If an associated android app can handle the OOB code, whether or not to install the android app on the device where the link is opened if the app is not already installed.
"androidMinimumVersion": "A String", # If an associated android app can handle the OOB code, the minimum version of the app. If the version on the device is lower than this version then the user is taken to Google Play Store to upgrade the app.
"androidPackageName": "A String", # If an associated android app can handle the OOB code, the Android package name of the android app that will handle the callback when this OOB code is used. This will allow the correct app to open if it is already installed, or allow Google Play Store to open to the correct app if it is not yet installed.
"canHandleCodeInApp": True or False, # When set to true, the OOB code link will be be sent as a Universal Link or an Android App Link and will be opened by the corresponding app if installed. If not set, or set to false, the OOB code will be sent to the web widget first and then on continue will redirect to the app if installed.
"captchaResp": "A String", # For a PASSWORD_RESET request, a reCaptcha response is required when the system detects possible abuse activity. In those cases, this is the response from the reCaptcha challenge used to verify the caller.
"challenge": "A String",
"clientType": "A String", # The client type: web, Android or iOS. Required when reCAPTCHA Enterprise protection is enabled.
"continueUrl": "A String", # The Url to continue after user clicks the link sent in email. This is the url that will allow the web widget to handle the OOB code.
"dynamicLinkDomain": "A String", # In order to ensure that the url used can be easily opened up in iOS or android, we create a [Firebase Dynamic Link](https://firebase.google.com/docs/dynamic-links). Most Identity Platform projects will only have one Dynamic Link domain enabled, and can leave this field blank. This field contains a specified Dynamic Link domain for projects that have multiple enabled.
"email": "A String", # The account's email address to send the OOB code to, and generally the email address of the account that needs to be updated. Required for PASSWORD_RESET, EMAIL_SIGNIN, and VERIFY_EMAIL. Only required for VERIFY_AND_CHANGE_EMAIL requests when return_oob_link is set to true. In this case, it is the original email of the user.
"iOSAppStoreId": "A String", # If an associated iOS app can handle the OOB code, the App Store id of this app. This will allow App Store to open to the correct app if the app is not yet installed.
"iOSBundleId": "A String", # If an associated iOS app can handle the OOB code, the iOS bundle id of this app. This will allow the correct app to open if it is already installed.
"idToken": "A String", # An ID token for the account. It is required for VERIFY_AND_CHANGE_EMAIL and VERIFY_EMAIL requests unless return_oob_link is set to true.
"newEmail": "A String", # The email address the account is being updated to. Required only for VERIFY_AND_CHANGE_EMAIL requests.
"recaptchaVersion": "A String", # The reCAPTCHA version of the reCAPTCHA token in the captcha_response.
"requestType": "A String", # Required. The type of out-of-band (OOB) code to send. Depending on this value, other fields in this request will be required and/or have different meanings. There are 4 different OOB codes that can be sent: * PASSWORD_RESET * EMAIL_SIGNIN * VERIFY_EMAIL * VERIFY_AND_CHANGE_EMAIL
"returnOobLink": True or False, # Whether the confirmation link containing the OOB code should be returned in the response (no email is sent). Used when a developer wants to construct the email template and send it on their own. By default this is false; to specify this field, and to set it to true, it requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control)
"targetProjectId": "A String", # The Project ID of the Identity Platform project which the account belongs to. To specify this field, it requires a Google OAuth 2.0 credential with proper [permissions](https://cloud.google.com/identity-platform/docs/access-control).
"tenantId": "A String", # The tenant ID of the Identity Platform tenant the account belongs to.
"userIp": "A String", # The IP address of the caller. Required only for PASSWORD_RESET requests.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for GetOobCode.
"email": "A String", # If return_oob_link is false in the request, the email address the verification was sent to.
"kind": "A String",
"oobCode": "A String", # If return_oob_link is true in the request, the OOB code to send.
"oobLink": "A String", # If return_oob_link is true in the request, the OOB link to be sent to the user. This returns the constructed link including [Firebase Dynamic Link](https://firebase.google.com/docs/dynamic-links) related parameters.
}
update(targetProjectId, tenantId, body=None, x__xgafv=None)
Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.
Args:
targetProjectId: string, The project ID for the project that the account belongs to. Specifying this field requires Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control). Requests from end users should pass an Identity Platform ID token instead. (required)
tenantId: string, The tenant ID of the Identity Platform tenant that the account belongs to. Requests from end users should pass an Identity Platform ID token rather than setting this field. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for SetAccountInfo.
"captchaChallenge": "A String",
"captchaResponse": "A String", # The response from reCaptcha challenge. This is required when the system detects possible abuse activities.
"createdAt": "A String", # The timestamp in milliseconds when the account was created.
"customAttributes": "A String", # JSON formatted custom attributes to be stored in the Identity Platform ID token. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"delegatedProjectNumber": "A String",
"deleteAttribute": [ # The account's attributes to be deleted.
"A String",
],
"deleteProvider": [ # The Identity Providers to unlink from the user's account.
"A String",
],
"disableUser": True or False, # If true, marks the account as disabled, meaning the user will no longer be able to sign-in.
"displayName": "A String", # The user's new display name to be updated in the account's attributes. The length of the display name must be less than or equal to 256 characters.
"email": "A String", # The user's new email to be updated in the account's attributes. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the [RFC 822](https://tools.ietf.org/html/rfc822) addr-spec production. If [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, the email cannot be changed by the user without verifying the email first, but it can be changed by an administrator.
"emailVerified": True or False, # Whether the user's email has been verified. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"idToken": "A String", # A valid Identity Platform ID token. Required when attempting to change user-related information.
"instanceId": "A String",
"lastLoginAt": "A String", # The timestamp in milliseconds when the account last logged in.
"linkProviderUserInfo": { # Information about the user as provided by various Identity Providers. # The provider to be linked to the user's account. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
"localId": "A String", # The ID of the user. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control). For requests from end-users, an ID token should be passed instead.
"mfa": { # Multi-factor authentication related information. # The multi-factor authentication related information to be set on the user's account. This will overwrite any previous multi-factor related information on the account. Specifying this field requires a Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control).
"enrollments": [ # The second factors the user has enrolled.
{ # Information on which multi-factor authentication (MFA) providers are enabled for an account.
"displayName": "A String", # Display name for this mfa option e.g. "corp cell phone".
"emailInfo": { # Information about email MFA. # Contains information specific to email MFA.
"emailAddress": "A String", # Email address that a MFA verification should be sent to.
},
"enrolledAt": "A String", # Timestamp when the account enrolled this second factor.
"mfaEnrollmentId": "A String", # ID of this MFA option.
"phoneInfo": "A String", # Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.
"totpInfo": { # Information about TOTP MFA. # Contains information specific to TOTP MFA.
},
"unobfuscatedPhoneInfo": "A String", # Output only. Unobfuscated phone_info.
},
],
},
"oobCode": "A String", # The out-of-band code to be applied on the user's account. The following out-of-band code types are supported: * VERIFY_EMAIL * RECOVER_EMAIL * REVERT_SECOND_FACTOR_ADDITION * VERIFY_AND_CHANGE_EMAIL
"password": "A String", # The user's new password to be updated in the account's attributes. The password must be at least 6 characters long.
"phoneNumber": "A String", # The phone number to be updated in the account's attributes.
"photoUrl": "A String", # The user's new photo URL for the account's profile photo to be updated in the account's attributes. The length of the URL must be less than or equal to 2048 characters.
"provider": [ # The Identity Providers that the account should be associated with.
"A String",
],
"returnSecureToken": True or False, # Whether or not to return an ID and refresh token. Should always be true.
"targetProjectId": "A String", # The project ID for the project that the account belongs to. Specifying this field requires Google OAuth 2.0 credential with proper [permissions] (https://cloud.google.com/identity-platform/docs/access-control). Requests from end users should pass an Identity Platform ID token instead.
"tenantId": "A String", # The tenant ID of the Identity Platform tenant that the account belongs to. Requests from end users should pass an Identity Platform ID token rather than setting this field.
"upgradeToFederatedLogin": True or False, # Whether the account should be restricted to only using federated login.
"validSince": "A String", # Specifies the minimum timestamp in seconds for an Identity Platform ID token to be considered valid.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for SetAccountInfo
"displayName": "A String", # The account's display name.
"email": "A String", # The account's email address.
"emailVerified": True or False, # Whether the account's email has been verified.
"expiresIn": "A String", # The number of seconds until the Identity Platform ID token expires.
"idToken": "A String", # An Identity Platform ID token for the account. This is used for legacy user sign up.
"kind": "A String",
"localId": "A String", # The ID of the authenticated user.
"newEmail": "A String", # The new email that has been set on the user's account attributes.
"passwordHash": "A String", # Deprecated. No actual password hash is currently returned.
"photoUrl": "A String", # The user's photo URL for the account's profile photo.
"providerUserInfo": [ # The linked Identity Providers on the account.
{ # Information about the user as provided by various Identity Providers.
"displayName": "A String", # The user's display name at the Identity Provider.
"email": "A String", # The user's email address at the Identity Provider.
"federatedId": "A String", # The user's identifier at the Identity Provider.
"phoneNumber": "A String", # The user's phone number at the Identity Provider.
"photoUrl": "A String", # The user's profile photo URL at the Identity Provider.
"providerId": "A String", # The ID of the Identity Provider.
"rawId": "A String", # The user's raw identifier directly returned from Identity Provider.
"screenName": "A String", # The user's screen_name at Twitter or login name at GitHub.
},
],
"refreshToken": "A String", # A refresh token for the account. This is used for legacy user sign up.
}