If an email identifier is specified, checks whether any user account is registered with that email and returns the result. If there is a registered account, fetches all providers associated with the account's email.
If the provider ID of an Identity Provider (IdP) is specified, creates an authorization URI for the IdP. The user can be directed to this URI to sign in with the IdP.
An API key is required in the request in order to identify the Google Cloud project.
HTTP request
POST https://identitytoolkit.googleapis.com/v1/accounts:createAuthUri
The URL uses gRPC Transcoding syntax.
Request body
The request body contains data with the following structure:
JSON representation
```
{
  "identifier": string,
  "continueUri": string,
  "openidRealm": string,
  "providerId": string,
  "oauthConsumerKey": string,
  "oauthScope": string,
  "context": string,
  "otaApp": string,
  "appId": string,
  "hostedDomain": string,
  "sessionId": string,
  "authFlowType": string,
  "customParameter": {
    string: string,
    ...
  },
  "tenantId": string
}
```
Fields | |
---|---|
identifier | The email identifier of the user account to fetch associated providers for. At least one of the fields The length of the email address should be less than 256 characters and in the format of |
continueUri | A valid URL for the IdP to redirect the user back to. The URL cannot contain fragments or the reserved |
openidRealm | |
providerId | The provider ID of the IdP for the user to sign in with. This should be a provider ID enabled for sign-in, which is either from the list of default supported IdPs, or of the format |
oauthConsumerKey | |
oauthScope | Additional space-delimited OAuth 2.0 scopes specifying the scope of the authentication request with the IdP. Used for OAuth 2.0 IdPs. For the Google provider, the authorization code flow will be used if this field is set. |
context | An opaque string used to maintain contextual information between the authentication request and the callback from the IdP. |
otaApp | |
appId | |
hostedDomain | Used for the Google provider. The G Suite hosted domain of the user in order to restrict sign-in to users at that domain. |
sessionId | A session ID that can be verified against in accounts.signInWithIdp to prevent session fixation attacks. If absent, a random string will be generated and returned as the session ID. |
authFlowType | Used for the Google provider. The type of the authentication flow to be used. If present, this should be |
customParameter | Additional customized query parameters to be added to the authorization URI. The following parameters are reserved and cannot be added: For the Microsoft provider, the Azure AD tenant to sign-in to can be specified in the An object containing a list of |
tenantId | The ID of the Identity Platform tenant to create an authorization URI or lookup an email identifier for. If not set, the operation will be performed in the default Identity Platform instance in the project. |
Response body
Response message for accounts.createAuthUri.
If successful, the response body contains data with the following structure:
JSON representation
```
{
  "kind": string,
  "authUri": string,
  "allProviders": [
    string
  ],
  "registered": boolean,
  "providerId": string,
  "forExistingProvider": boolean,
  "captchaRequired": boolean,
  "sessionId": string,
  "signinMethods": [
    string
  ]
}
```
Fields | |
---|---|
kind | |
authUri | The authorization URI for the requested provider. Present only when a provider ID is set in the request. |
allProviders[] | |
registered | Whether the email identifier represents an existing account. Present only when an email identifier is set in the request. |
providerId | The provider ID from the request, if provided. |
forExistingProvider | Whether the user has previously signed in with the provider ID in the request. Present only when a registered email identifier is set in the request. |
captchaRequired | Whether a CAPTCHA is needed because there have been too many failed login attempts by the user. Present only when a registered email identifier is set in the request. |
sessionId | The session ID from the request, or a random string generated by accounts.createAuthUri if absent. It is used to prevent session fixation attacks. |
signinMethods | The list of sign-in methods that the user has previously used. Each element is one of |
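
The sessionId and continueUri rules described in the request and response fields above, as an added Python example that is not part of this reference or of any Google client library. It builds the request body with a caller-generated sessionId and checks a parsed response before the user is redirected; the helper names, the https-only policy and any sample values are assumptions, and the HTTP call and API key are left out.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Endpoint as given on this page; the API key and HTTP call are left out.
ENDPOINT = "https://identitytoolkit.googleapis.com/v1/accounts:createAuthUri"


def build_provider_request(provider_id, continue_uri, tenant_id=None):
    """Return (body, session_id) for a providerId request (hypothetical helper)."""
    parts = urlsplit(continue_uri)
    # Assumption: this application only accepts absolute https callback URLs.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("continueUri must be an absolute https URL")
    # The page states that continueUri cannot contain fragments.
    if "#" in continue_uri:
        raise ValueError("continueUri cannot contain a fragment")
    # Caller-chosen sessionId: keep it in the user's server-side session so the
    # same value can be checked again at accounts.signInWithIdp.
    session_id = secrets.token_urlsafe(32)
    body = {
        "providerId": provider_id,
        "continueUri": continue_uri,
        "sessionId": session_id,
    }
    if tenant_id:
        body["tenantId"] = tenant_id
    return body, session_id


def check_provider_response(response, expected_session_id, provider_id):
    """Validate a parsed response dict and return authUri, or raise ValueError."""
    returned = str(response.get("sessionId", ""))
    if not hmac.compare_digest(returned.encode(), expected_session_id.encode()):
        raise ValueError("sessionId does not match the one sent")
    if response.get("providerId") != provider_id:
        raise ValueError("providerId does not match the request")
    auth_uri = response.get("authUri")
    if not auth_uri:  # present only when a provider ID was set in the request
        raise ValueError("response carries no authUri")
    # Assumption: only redirect users to https authorization URIs.
    if urlsplit(auth_uri).scheme != "https":
        raise ValueError("authUri is not https")
    return auth_uri
```

Generating the sessionId on the caller's side, rather than relying on the random one the service returns when the field is absent, lets the application bind it to the user's session before the request is sent.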
Authorization scopes
Requires one of the following OAuth scopes:
https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.