Method: accounts.signInWithIdp

HTTP request
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
Try it!

Signs in or signs up a user using credentials from an Identity Provider (IdP). This is done by manually providing an IdP credential, or by providing the authorization response obtained via the authorization request from accounts.createAuthUri. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user.

A new Identity Platform user account will be created if the user has not previously signed in to the IdP with the same account. In addition, when the "One account per email address" setting is enabled, there should not be an existing Identity Platform user account with the same email address for a new user account to be created.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{ "requestUri": string, "postBody": string, "pendingIdToken": string, "returnRefreshToken": boolean, "sessionId": string, "delegatedProjectNumber": string, "idToken": string, "returnSecureToken": boolean, "returnIdpCredential": boolean, "autoCreate": boolean, "tenantId": string, "pendingToken": string }

JSON representation

{
  "requestUri": string,
  "postBody": string,
  "pendingIdToken": string,
  "returnRefreshToken": boolean,
  "sessionId": string,
  "delegatedProjectNumber": string,
  "idToken": string,
  "returnSecureToken": boolean,
  "returnIdpCredential": boolean,
  "autoCreate": boolean,
  "tenantId": string,
  "pendingToken": string
}

Fields
`requestUri`	`string` Required. The URL to which the IdP redirects the user back. This can be set to `http://localhost` if the user is signing in with a manually provided IdP credential.
`postBody`	`string` If the user is signing in with an authorization response obtained via a previous accounts.createAuthUri authorization request, this is the body of the HTTP POST callback from the IdP, if present. Otherwise, if the user is signing in with a manually provided IdP credential, this should be a URL-encoded form that contains the credential (e.g. an ID token or access token for OAuth 2.0 IdPs) and the provider ID of the IdP that issued the credential. For example, if the user is signing in to the Google provider using a Google ID token, this should be set to id_token`=[GOOGLE_ID_TOKEN]&providerId=google.com`, where `[GOOGLE_ID_TOKEN]` should be replaced with the Google ID token. If the user is signing in to the Facebook provider using a Facebook authentication token, this should be set to id_token`=[FACEBOOK_AUTHENTICATION_TOKEN]&providerId=facebook. com&nonce= [NONCE]`, where `[FACEBOOK_AUTHENTICATION_TOKEN]` should be replaced with the Facebook authentication token. Nonce is required for validating the token. The request will fail if no nonce is provided. If the user is signing in to the Facebook provider using a Facebook access token, this should be set to access_token`=[FACEBOOK_ACCESS_TOKEN]&providerId=facebook. com`, where `[FACEBOOK_ACCESS_TOKEN]` should be replaced with the Facebook access token. If the user is signing in to the Twitter provider using a Twitter OAuth 1.0 credential, this should be set to access_token`=[TWITTER_ACCESS_TOKEN]&oauthTokenSecret= [TWITTER_TOKEN_SECRET]&providerId=twitter.com`, where `[TWITTER_ACCESS_TOKEN]` and `[TWITTER_TOKEN_SECRET]` should be replaced with the Twitter OAuth access token and Twitter OAuth token secret respectively.
`pendingIdToken (deprecated)`	`string`
`returnRefreshToken`	`boolean` Whether or not to return the OAuth refresh token from the IdP, if available.
`sessionId`	`string` The session ID returned from a previous accounts.createAuthUri call. This field is verified against that session ID to prevent session fixation attacks. Required if the user is signing in with an authorization response from a previous accounts.createAuthUri authorization request.
`delegatedProjectNumber (deprecated)`	`string (int64 format)`
`idToken`	`string` A valid Identity Platform ID token. If passed, the user's account at the IdP will be linked to the account represented by this ID token.
`returnSecureToken`	`boolean` Should always be true.
`returnIdpCredential`	`boolean` Whether or not to return OAuth credentials from the IdP on the following errors: `FEDERATED_USER_ID_ALREADY_LINKED` and `EMAIL_EXISTS`.
`autoCreate (deprecated)`	`boolean`
`tenantId`	`string` The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.
`pendingToken`	`string` An opaque string from a previous accounts.signInWithIdp response. If set, it can be used to repeat the sign-in operation from the previous accounts.signInWithIdp operation. This may be present if the user needs to confirm their account information as part of a previous federated login attempt, or perform account linking.

Response body

Response message for accounts.signInWithIdp.

If successful, the response body contains data with the following structure:

JSON representation

JSON representation
{ "federatedId": string, "providerId": string, "email": string, "emailVerified": boolean, "firstName": string, "fullName": string, "lastName": string, "nickName": string, "language": string, "timeZone": string, "photoUrl": string, "dateOfBirth": string, "inputEmail": string, "originalEmail": string, "localId": string, "emailRecycled": boolean, "displayName": string, "idToken": string, "context": string, "verifiedProvider": [ string ], "needConfirmation": boolean, "oauthAccessToken": string, "oauthRefreshToken": string, "oauthExpireIn": integer, "oauthAuthorizationCode": string, "needEmail": boolean, "oauthTokenSecret": string, "refreshToken": string, "expiresIn": string, "oauthIdToken": string, "screenName": string, "rawUserInfo": string, "errorMessage": string, "isNewUser": boolean, "kind": string, "pendingToken": string, "tenantId": string, "mfaPendingCredential": string, "mfaInfo": [ { object (`MfaEnrollment`) } ] }

{
  "federatedId": string,
  "providerId": string,
  "email": string,
  "emailVerified": boolean,
  "firstName": string,
  "fullName": string,
  "lastName": string,
  "nickName": string,
  "language": string,
  "timeZone": string,
  "photoUrl": string,
  "dateOfBirth": string,
  "inputEmail": string,
  "originalEmail": string,
  "localId": string,
  "emailRecycled": boolean,
  "displayName": string,
  "idToken": string,
  "context": string,
  "verifiedProvider": [
    string
  ],
  "needConfirmation": boolean,
  "oauthAccessToken": string,
  "oauthRefreshToken": string,
  "oauthExpireIn": integer,
  "oauthAuthorizationCode": string,
  "needEmail": boolean,
  "oauthTokenSecret": string,
  "refreshToken": string,
  "expiresIn": string,
  "oauthIdToken": string,
  "screenName": string,
  "rawUserInfo": string,
  "errorMessage": string,
  "isNewUser": boolean,
  "kind": string,
  "pendingToken": string,
  "tenantId": string,
  "mfaPendingCredential": string,
  "mfaInfo": [
    {
      object (MfaEnrollment)
    }
  ]
}

Fields
`federatedId`	`string` The user's account ID at the IdP. Always present in the response.
`providerId`	`string` The provider ID of the IdP that the user is signing in to. Always present in the response.
`email`	`string` The email address of the user's account at the IdP.
`emailVerified`	`boolean` Whether the user account's email address is verified.
`firstName`	`string` The first name for the user's account at the IdP.
`fullName`	`string` The full name for the user's account at the IdP.
`lastName`	`string` The last name for the user's account at the IdP.
`nickName`	`string` The nickname for the user's account at the IdP.
`language`	`string` The language preference for the user's account at the IdP.
`timeZone`	`string` The time zone for the user's account at the IdP.
`photoUrl`	`string` The URL of the user's profile picture at the IdP.
`dateOfBirth`	`string` The date of birth for the user's account at the IdP.
`inputEmail (deprecated)`	`string` This item is deprecated!
`originalEmail`	`string` The main (top-level) email address of the user's Identity Platform account, if different from the email address at the IdP. Only present if the "One account per email address" setting is enabled.
`localId`	`string` The ID of the authenticated Identity Platform user. Always present in the response.
`emailRecycled`	`boolean` Whether or not there is an existing Identity Platform user account with the same email address but linked to a different account at the same IdP. Only present if the "One account per email address" setting is enabled and the email address at the IdP is verified.
`displayName`	`string` The display name for the user's account at the IdP.
`idToken`	`string` An Identity Platform ID token for the authenticated user.
`context`	`string` The opaque string set in accounts.createAuthUri that is used to maintain contextual information between the authentication request and the callback from the IdP.
`verifiedProvider[]`	`string` A list of provider IDs that the user can sign in to in order to resolve a `needConfirmation` error. Only present if `needConfirmation` is set to `true`.
`needConfirmation`	`boolean` Whether or not there is an existing Identity Platform user account with the same email address as the current account signed in at the IdP, and the account's email address is not verified at the IdP. The user will need to sign in to the existing Identity Platform account and then link the current credential from the IdP to it. Only present if the "One account per email address" setting is enabled.
`oauthAccessToken`	`string` The OAuth access token from the IdP, if available.
`oauthRefreshToken`	`string` The OAuth 2.0 refresh token from the IdP, if available and `returnRefreshToken` is set to `true`.
`oauthExpireIn`	`integer` The number of seconds until the OAuth access token from the IdP expires.
`oauthAuthorizationCode`	`string` The OAuth 2.0 authorization code, if available. Only present for the Google provider.
`needEmail (deprecated)`	`boolean` This item is deprecated!
`oauthTokenSecret`	`string` The OAuth 1.0 token secret from the IdP, if available. Only present for the Twitter provider.
`refreshToken`	`string` An Identity Platform refresh token for the authenticated user.
`expiresIn`	`string (int64 format)` The number of seconds until the Identity Platform ID token expires.
`oauthIdToken`	`string` The OpenID Connect ID token from the IdP, if available.
`screenName`	`string` The screen name for the user's account at the Twitter IdP or the login name for the user's account at the GitHub IdP.
`rawUserInfo`	`string` The stringified JSON response containing all the data corresponding to the user's account at the IdP.
`errorMessage`	`string` The error message returned if `returnIdpCredential` is set to `true` and either the `FEDERATED_USER_ID_ALREADY_LINKED` or `EMAIL_EXISTS` error is encountered. This field's value is either `FEDERATED_USER_ID_ALREADY_LINKED` or `EMAIL_EXISTS`.
`isNewUser`	`boolean` Whether or not a new Identity Platform account was created for the authenticated user.
`kind (deprecated)`	`string` This item is deprecated!
`pendingToken`	`string` An opaque string that can be used as a credential from the IdP the user is signing into. The pending token obtained here can be set in a future accounts.signInWithIdp request to sign the same user in with the IdP again.
`tenantId`	`string` The value of the `tenantId` field in the request.
`mfaPendingCredential`	`string` An opaque string that functions as proof that the user has successfully passed the first factor authentication.
`mfaInfo[]`	`object (MfaEnrollment)` Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.