Method: accounts.signInWithIdp

Signs in or signs up a user using credentials from an Identity Provider (IdP). This is done by manually providing an IdP credential, or by providing the authorization response obtained via the authorization request from accounts.createAuthUri. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user.

A new Identity Platform user account will be created if the user has not previously signed in to the IdP with the same account. In addition, when the "One account per email address" setting is enabled, there should not be an existing Identity Platform user account with the same email address for a new user account to be created.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "requestUri": string,
  "postBody": string,
  "pendingIdToken": string,
  "returnRefreshToken": boolean,
  "sessionId": string,
  "delegatedProjectNumber": string,
  "idToken": string,
  "returnSecureToken": boolean,
  "returnIdpCredential": boolean,
  "autoCreate": boolean,
  "tenantId": string,
  "pendingToken": string
}
Fields
requestUri

string

Required. The URL to which the IdP redirects the user back. This can be set to http://localhost if the user is signing in with a manually provided IdP credential.

postBody

string

If the user is signing in with an authorization response obtained via a previous accounts.createAuthUri authorization request, this is the body of the HTTP POST callback from the IdP, if present.

Otherwise, if the user is signing in with a manually provided IdP credential, this should be a URL-encoded form that contains the credential (e.g. an ID token or access token for OAuth 2.0 IdPs) and the provider ID of the IdP that issued the credential.

For example, if the user is signing in to the Google provider using a Google ID token, this should be set to id_token=[GOOGLE_ID_TOKEN]&providerId=google.com, where [GOOGLE_ID_TOKEN] should be replaced with the Google ID token.

If the user is signing in to the Facebook provider using a Facebook authentication token, this should be set to id_token=[FACEBOOK_AUTHENTICATION_TOKEN]&providerId=facebook. com&nonce= [NONCE], where [FACEBOOK_AUTHENTICATION_TOKEN] should be replaced with the Facebook authentication token. Nonce is required for validating the token. The request will fail if no nonce is provided.

If the user is signing in to the Facebook provider using a Facebook access token, this should be set to access_token=[FACEBOOK_ACCESS_TOKEN]&providerId=facebook. com, where [FACEBOOK_ACCESS_TOKEN] should be replaced with the Facebook access token.

If the user is signing in to the Twitter provider using a Twitter OAuth 1.0 credential, this should be set to access_token=[TWITTER_ACCESS_TOKEN]&oauthTokenSecret= [TWITTER_TOKEN_SECRET]&providerId=twitter.com, where [TWITTER_ACCESS_TOKEN] and [TWITTER_TOKEN_SECRET] should be replaced with the Twitter OAuth access token and Twitter OAuth token secret respectively.

pendingIdToken
(deprecated)

string

returnRefreshToken

boolean

Whether or not to return the OAuth refresh token from the IdP, if available.

sessionId

string

The session ID returned from a previous accounts.createAuthUri call. This field is verified against that session ID to prevent session fixation attacks. Required if the user is signing in with an authorization response from a previous accounts.createAuthUri authorization request.

delegatedProjectNumber
(deprecated)

string (int64 format)

idToken

string

A valid Identity Platform ID token. If passed, the user's account at the IdP will be linked to the account represented by this ID token.

returnSecureToken

boolean

Should always be true.

returnIdpCredential

boolean

Whether or not to return OAuth credentials from the IdP on the following errors: FEDERATED_USER_ID_ALREADY_LINKED and EMAIL_EXISTS.

autoCreate
(deprecated)

boolean

tenantId

string

The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.

pendingToken

string

An opaque string from a previous accounts.signInWithIdp response. If set, it can be used to repeat the sign-in operation from the previous accounts.signInWithIdp operation. This may be present if the user needs to confirm their account information as part of a previous federated login attempt, or perform account linking.

Response body

Response message for accounts.signInWithIdp.

If successful, the response body contains data with the following structure:

JSON representation
{
  "federatedId": string,
  "providerId": string,
  "email": string,
  "emailVerified": boolean,
  "firstName": string,
  "fullName": string,
  "lastName": string,
  "nickName": string,
  "language": string,
  "timeZone": string,
  "photoUrl": string,
  "dateOfBirth": string,
  "inputEmail": string,
  "originalEmail": string,
  "localId": string,
  "emailRecycled": boolean,
  "displayName": string,
  "idToken": string,
  "context": string,
  "verifiedProvider": [
    string
  ],
  "needConfirmation": boolean,
  "oauthAccessToken": string,
  "oauthRefreshToken": string,
  "oauthExpireIn": integer,
  "oauthAuthorizationCode": string,
  "needEmail": boolean,
  "oauthTokenSecret": string,
  "refreshToken": string,
  "expiresIn": string,
  "oauthIdToken": string,
  "screenName": string,
  "rawUserInfo": string,
  "errorMessage": string,
  "isNewUser": boolean,
  "kind": string,
  "pendingToken": string,
  "tenantId": string,
  "mfaPendingCredential": string,
  "mfaInfo": [
    {
      object (MfaEnrollment)
    }
  ]
}
Fields
federatedId

string

The user's account ID at the IdP. Always present in the response.

providerId

string

The provider ID of the IdP that the user is signing in to. Always present in the response.

email

string

The email address of the user's account at the IdP.

emailVerified

boolean

Whether the user account's email address is verified.

firstName

string

The first name for the user's account at the IdP.

fullName

string

The full name for the user's account at the IdP.

lastName

string

The last name for the user's account at the IdP.

nickName

string

The nickname for the user's account at the IdP.

language

string

The language preference for the user's account at the IdP.

timeZone

string

The time zone for the user's account at the IdP.

photoUrl

string

The URL of the user's profile picture at the IdP.

dateOfBirth

string

The date of birth for the user's account at the IdP.

inputEmail
(deprecated)

string

originalEmail

string

The main (top-level) email address of the user's Identity Platform account, if different from the email address at the IdP. Only present if the "One account per email address" setting is enabled.

localId

string

The ID of the authenticated Identity Platform user. Always present in the response.

emailRecycled

boolean

Whether or not there is an existing Identity Platform user account with the same email address but linked to a different account at the same IdP. Only present if the "One account per email address" setting is enabled and the email address at the IdP is verified.

displayName

string

The display name for the user's account at the IdP.

idToken

string

An Identity Platform ID token for the authenticated user.

context

string

The opaque string set in accounts.createAuthUri that is used to maintain contextual information between the authentication request and the callback from the IdP.

verifiedProvider[]

string

A list of provider IDs that the user can sign in to in order to resolve a needConfirmation error. Only present if needConfirmation is set to true.

needConfirmation

boolean

Whether or not there is an existing Identity Platform user account with the same email address as the current account signed in at the IdP, and the account's email address is not verified at the IdP. The user will need to sign in to the existing Identity Platform account and then link the current credential from the IdP to it. Only present if the "One account per email address" setting is enabled.

oauthAccessToken

string

The OAuth access token from the IdP, if available.

oauthRefreshToken

string

The OAuth 2.0 refresh token from the IdP, if available and returnRefreshToken is set to true.

oauthExpireIn

integer

The number of seconds until the OAuth access token from the IdP expires.

oauthAuthorizationCode

string

The OAuth 2.0 authorization code, if available. Only present for the Google provider.

needEmail
(deprecated)

boolean

oauthTokenSecret

string

The OAuth 1.0 token secret from the IdP, if available. Only present for the Twitter provider.

refreshToken

string

An Identity Platform refresh token for the authenticated user.

expiresIn

string (int64 format)

The number of seconds until the Identity Platform ID token expires.

oauthIdToken

string

The OpenID Connect ID token from the IdP, if available.

screenName

string

The screen name for the user's account at the Twitter IdP or the login name for the user's account at the GitHub IdP.

rawUserInfo

string

The stringified JSON response containing all the data corresponding to the user's account at the IdP.

errorMessage

string

The error message returned if returnIdpCredential is set to true and either the FEDERATED_USER_ID_ALREADY_LINKED or EMAIL_EXISTS error is encountered. This field's value is either FEDERATED_USER_ID_ALREADY_LINKED or EMAIL_EXISTS.

isNewUser

boolean

Whether or not a new Identity Platform account was created for the authenticated user.

kind
(deprecated)

string

pendingToken

string

An opaque string that can be used as a credential from the IdP the user is signing into. The pending token obtained here can be set in a future accounts.signInWithIdp request to sign the same user in with the IdP again.

tenantId

string

The value of the tenantId field in the request.

mfaPendingCredential

string

An opaque string that functions as proof that the user has successfully passed the first factor authentication.

mfaInfo[]

object (MfaEnrollment)

Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.