Method: accounts.createAuthUri

If an email identifier is specified, checks whether any user account is registered with that email and returns the result. If there is a registered account, fetches all providers associated with the account's email.

If the provider ID of an Identity Provider (IdP) is specified, creates an authorization URI for the IdP. The user can be directed to this URI to sign in with the IdP.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:createAuthUri

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "identifier": string,
  "continueUri": string,
  "openidRealm": string,
  "providerId": string,
  "oauthConsumerKey": string,
  "oauthScope": string,
  "context": string,
  "otaApp": string,
  "appId": string,
  "hostedDomain": string,
  "sessionId": string,
  "authFlowType": string,
  "customParameter": {
    string: string,
    ...
  },
  "tenantId": string
}
Fields
identifier

string

The email identifier of the user account to fetch associated providers for. At least one of the fields identifier and providerId must be set.

The email address must be shorter than 256 characters and in the form name@domain.tld. It must also match the RFC 822 addr-spec production.

continueUri

string

A valid URL for the IdP to redirect the user back to. The URL cannot contain fragments or the reserved state query parameter.

openidRealm
(deprecated)

string

providerId

string

The provider ID of the IdP for the user to sign in with. This should be a provider ID enabled for sign-in, which is either from the list of default supported IdPs, or of the format oidc.* or saml.*. Some examples are google.com, facebook.com, oidc.testapp, and saml.testapp. At least one of the fields identifier and providerId must be set.

oauthConsumerKey
(deprecated)

string

oauthScope

string

Additional space-delimited OAuth 2.0 scopes specifying the scope of the authentication request with the IdP. Used for OAuth 2.0 IdPs.

For the Google provider, the authorization code flow will be used if this field is set.

context

string

An opaque string used to maintain contextual information between the authentication request and the callback from the IdP.

otaApp
(deprecated)

string

appId
(deprecated)

string

hostedDomain

string

Used for the Google provider. The G Suite hosted domain of the user in order to restrict sign-in to users at that domain.

sessionId

string

A session ID that accounts.signInWithIdp can later verify against, to prevent session fixation attacks. If absent, a random string will be generated and returned as the session ID.

authFlowType

string

Used for the Google provider. The type of the authentication flow to be used. If present, this should be CODE_FLOW to specify the authorization code flow. Otherwise, the default ID Token flow will be used.

customParameter

map (key: string, value: string)

Additional customized query parameters to be added to the authorization URI. The following parameters are reserved and cannot be added: clientId, responseType, scope, redirectUri, state.

For the Microsoft provider, the Azure AD tenant to sign in to can be specified in the tenant custom parameter.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

tenantId

string

The ID of the Identity Platform tenant in which to create the authorization URI or look up the email identifier. If not set, the operation is performed in the project's default Identity Platform instance.

Response body

Response message for accounts.createAuthUri.

If successful, the response body contains data with the following structure:

JSON representation
{
  "kind": string,
  "authUri": string,
  "allProviders": [
    string
  ],
  "registered": boolean,
  "providerId": string,
  "forExistingProvider": boolean,
  "captchaRequired": boolean,
  "sessionId": string,
  "signinMethods": [
    string
  ]
}
Fields
kind
(deprecated)

string

authUri

string

The authorization URI for the requested provider. Present only when a provider ID is set in the request.

allProviders[]
(deprecated)

string

registered

boolean

Whether the email identifier represents an existing account. Present only when an email identifier is set in the request.

providerId

string

The provider ID from the request, if provided.

forExistingProvider

boolean

Whether the user has previously signed in with the provider ID in the request. Present only when a registered email identifier is set in the request.

captchaRequired

boolean

Whether a CAPTCHA is needed because there have been too many failed login attempts by the user. Present only when a registered email identifier is set in the request.

sessionId

string

The session ID from the request, or a random string generated by accounts.createAuthUri if absent. It is used to prevent session fixation attacks.

signinMethods[]

string

The list of sign-in methods that the user has previously used. Each element is one of password, emailLink, or the provider ID of an IdP. Present only when a registered email identifier is set in the request. If email enumeration protection is enabled, this method returns an empty list.
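As an added client-side example (not part of this reference page and not Google's own client library), the following Python checks a createAuthUri request body against the field constraints documented above, generates the sessionId that the request and response fields describe as the session-fixation defence, and refuses a response whose sessionId does not echo the one that was sent. The email regex and the two-entry default-IdP list are simplifying assumptions.

```python
import json
import re
import secrets
from urllib.parse import parse_qs, urlsplit

RESERVED_CUSTOM_PARAMS = {"clientId", "responseType", "scope", "redirectUri", "state"}
DEFAULT_IDPS = {"google.com", "facebook.com"}  # only the defaults named on this page; the real list is longer
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # loose stand-in for the RFC 822 addr-spec check

def request_problems(body: dict) -> list:
    """Return the documented field constraints that this createAuthUri body violates."""
    problems = []
    if not body.get("identifier") and not body.get("providerId"):
        problems.append("at least one of identifier and providerId must be set")
    ident = body.get("identifier")
    if ident is not None and (len(ident) >= 256 or not EMAIL_RE.fullmatch(ident)):
        problems.append("identifier must be name@domain.tld and shorter than 256 characters")
    pid = body.get("providerId")
    if pid is not None and pid not in DEFAULT_IDPS and not pid.startswith(("oidc.", "saml.")):
        problems.append("providerId must be a default IdP or match oidc.* / saml.*")
    if "continueUri" in body:
        parts = urlsplit(body["continueUri"])
        if parts.fragment or "state" in parse_qs(parts.query, keep_blank_values=True):
            problems.append("continueUri must not contain a fragment or the reserved state parameter")
    clash = RESERVED_CUSTOM_PARAMS & set(body.get("customParameter", {}))
    if clash:
        problems.append("customParameter uses reserved keys: " + ", ".join(sorted(clash)))
    return problems

def build_request(provider_id: str, continue_uri: str, custom_parameter=None, session_id=None) -> dict:
    """Build the request body; the client chooses sessionId so the later callback can be pinned to it."""
    body = {"providerId": provider_id, "continueUri": continue_uri,
            "sessionId": session_id or secrets.token_urlsafe(32)}  # random when the caller has none
    if custom_parameter:
        body["customParameter"] = dict(custom_parameter)
    problems = request_problems(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body

def auth_uri_from_response(response_json: str, expected_session_id: str) -> str:
    """Accept a response only if it echoes the sessionId we sent, then return its authUri."""
    resp = json.loads(response_json)
    if resp.get("sessionId") != expected_session_id:
        raise ValueError("sessionId mismatch: this response does not belong to our request")
    if not resp.get("authUri"):
        raise ValueError("authUri missing: it is only present when providerId was set")
    return resp["authUri"]
```

The sessionId the client keeps (for example in a server-side session bound to the browser) is the value that accounts.signInWithIdp is later asked to verify against.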

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.