- Resource: Tenant
- HashConfig
- HashAlgorithm
- MultiFactorAuthConfig
- State
- Provider
- ProviderConfig
- TotpMfaProviderConfig
- MfaState
- Inheritance
- RecaptchaConfig
- RecaptchaProviderEnforcementState
- RecaptchaManagedRule
- RecaptchaAction
- RecaptchaKey
- RecaptchaKeyClientType
- RecaptchaTollFraudManagedRule
- RecaptchaAction
- SmsRegionConfig
- AllowByDefault
- AllowlistOnly
- MonitoringConfig
- RequestLogging
- PasswordPolicyConfig
- PasswordPolicyEnforcementState
- PasswordPolicyVersion
- CustomStrengthOptions
- EmailPrivacyConfig
- ClientPermissionConfig
- ClientPermissions
- Methods
Resource: Tenant
A Tenant contains configuration for the tenant in a multi-tenant project.
JSON representation |
---|
{ "name": string, "displayName": string, "allowPasswordSignup": boolean, "enableEmailLinkSignin": boolean, "disableAuth": boolean, "hashConfig": { object ( |
Fields | |
---|---|
name |
Output only. Resource name of a tenant. For example: "projects/{project-id}/tenants/{tenant-id}" |
display |
Display name of the tenant. |
allow |
Whether to allow email/password user authentication. |
enable |
Whether to enable email link user authentication. |
disable |
Whether authentication is disabled for the tenant. If true, the users under the disabled tenant are not allowed to sign-in. Admins of the disabled tenant are not able to manage its users. |
hash |
Output only. Hash config information of a tenant for display on Pantheon. This can only be displayed on Pantheon to avoid the sensitive information to get accidentally leaked. Only returned in tenants.get response to restrict reading of this information. Requires firebaseauth.configs.getHashConfig permission on the agent project for returning this field. |
enable |
Whether to enable anonymous user authentication. |
mfa |
The tenant-level configuration of MFA options. |
test |
A map of <test phone number, fake code> pairs that can be used for MFA. The phone number should be in E.164 format (https://www.itu.int/rec/T-REC-E.164/) and a maximum of 10 pairs can be added (error will be thrown once exceeded). An object containing a list of |
inheritance |
Specify the settings that the tenant could inherit. |
recaptcha |
The tenant-level reCAPTCHA config. |
sms |
Configures which regions are enabled for SMS verification code sending. |
autodelete |
Whether anonymous users will be auto-deleted after a period of 30 days. |
monitoring |
Configuration related to monitoring project activity. |
password |
The tenant-level password policy config |
email |
Configuration for settings related to email privacy and public visibility. |
client |
Options related to how clients making requests on behalf of a project should be configured. |
HashConfig
History information of the hash algorithm and key. Different accounts' passwords may be generated by different version.
JSON representation |
---|
{
"algorithm": enum ( |
Fields | |
---|---|
algorithm |
Output only. Different password hash algorithms used in Identity Toolkit. |
signer |
Output only. Signer key in base64. |
salt |
Output only. Non-printable character to be inserted between the salt and plain text password in base64. |
rounds |
Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms. |
memory |
Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field. |
HashAlgorithm
Different password hash algorithms used in Identity Toolkit.
Enums | |
---|---|
HASH_ALGORITHM_UNSPECIFIED |
Default value. Do not use. |
HMAC_SHA256 |
HMAC_SHA256 |
HMAC_SHA1 |
HMAC_SHA1 |
HMAC_MD5 |
HMAC_MD5 |
SCRYPT |
SCRYPT |
PBKDF_SHA1 |
PBKDF_SHA1 |
MD5 |
MD5 |
HMAC_SHA512 |
HMAC_SHA512 |
SHA1 |
SHA1 |
BCRYPT |
BCRYPT |
PBKDF2_SHA256 |
PBKDF2_SHA256 |
SHA256 |
SHA256 |
SHA512 |
SHA512 |
STANDARD_SCRYPT |
STANDARD_SCRYPT |
MultiFactorAuthConfig
Options related to MultiFactor Authentication for the project.
JSON representation |
---|
{ "state": enum ( |
Fields | |
---|---|
state |
Whether MultiFactor Authentication has been enabled for this project. |
enabled |
A list of usable second factors for this project. |
provider |
A list of usable second factors for this project along with their configurations. This field does not support phone based MFA, for that use the 'enabledProviders' field. |
State
Whether MultiFactor Authentication has been enabled for this project.
Enums | |
---|---|
STATE_UNSPECIFIED |
Illegal State, should not be used. |
DISABLED |
Multi-factor authentication cannot be used for this project |
ENABLED |
Multi-factor authentication can be used for this project |
MANDATORY |
Multi-factor authentication is required for this project. Users from this project must authenticate with the second factor. |
Provider
A list of usable second factors for this project.
Enums | |
---|---|
PROVIDER_UNSPECIFIED |
Illegal Provider, should not be used |
PHONE_SMS |
SMS is enabled as a second factor for this project. |
ProviderConfig
ProviderConfig describes the supported MFA providers along with their configurations.
JSON representation |
---|
{ "state": enum ( |
Fields | |
---|---|
state |
Describes the state of the MultiFactor Authentication type. |
Union field
|
|
totp |
TOTP MFA provider config for this project. |
TotpMfaProviderConfig
TotpMFAProviderConfig represents the TOTP based MFA provider.
JSON representation |
---|
{ "adjacentIntervals": integer } |
Fields | |
---|---|
adjacent |
The allowed number of adjacent intervals that will be used for verification to avoid clock skew. |
MfaState
Whether MultiFactor Authentication has been enabled for this project.
Enums | |
---|---|
MFA_STATE_UNSPECIFIED |
Illegal State, should not be used. |
DISABLED |
Multi-factor authentication cannot be used for this project. |
ENABLED |
Multi-factor authentication can be used for this project. |
MANDATORY |
Multi-factor authentication is required for this project. Users from this project must authenticate with the second factor. |
Inheritance
Settings that the tenants will inherit from project level.
JSON representation |
---|
{ "emailSendingConfig": boolean } |
Fields | |
---|---|
email |
Whether to allow the tenant to inherit custom domains, email templates, and custom SMTP settings. If true, email sent from tenant will follow the project level email sending configurations. If false (by default), emails will go with the default settings with no customizations. |
RecaptchaConfig
The reCAPTCHA Enterprise integration config.
JSON representation |
---|
{ "managedRules": [ { object ( |
Fields | |
---|---|
managed |
The managed rules for authentication action based on reCAPTCHA scores. The rules are shared across providers for a given tenant project. |
recaptcha |
The reCAPTCHA keys. |
toll |
The managed rules for the authentication action based on reCAPTCHA toll fraud risk scores. Toll fraud managed rules will only take effect when the phoneEnforcementState is AUDIT or ENFORCE and useSmsTollFraudProtection is true. |
email |
The reCAPTCHA config for email/password provider, containing the enforcement status. The email/password provider contains all email related user flows protected by reCAPTCHA. |
use |
Whether to use the account defender for reCAPTCHA assessment. Defaults to |
phone |
The reCAPTCHA config for phone provider, containing the enforcement status. The phone provider contains all SMS related user flows protected by reCAPTCHA. |
use |
Whether to use the rCE bot score for reCAPTCHA phone provider. Can only be true when the phoneEnforcementState is AUDIT or ENFORCE. |
use |
Whether to use the rCE sms toll fraud protection risk score for reCAPTCHA phone provider. Can only be true when the phoneEnforcementState is AUDIT or ENFORCE. |
RecaptchaProviderEnforcementState
Enforcement states for reCAPTCHA protection.
Enums | |
---|---|
RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED |
Enforcement state has not been set. |
OFF |
Unenforced. |
AUDIT |
reCAPTCHA assessment is created, result is not used to enforce. |
ENFORCE |
reCAPTCHA assessment is created, result is used to enforce. |
RecaptchaManagedRule
The config for a reCAPTCHA managed rule. Models a single interval [startScore, endScore]. The startScore is implicit. It is either the closest smaller endScore (if one is available) or 0. Intervals in aggregate span [0, 1] without overlapping.
JSON representation |
---|
{
"endScore": number,
"action": enum ( |
Fields | |
---|---|
end |
The end score (inclusive) of the score range for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, ... 0.9, 1.0. A score of 0.0 indicates the riskiest request (likely a bot), whereas 1.0 indicates the safest request (likely a human). See https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment. |
action |
The action taken if the reCAPTCHA score of a request is within the interval [startScore, endScore]. |
RecaptchaAction
The actions for reCAPTCHA-protected requests.
Enums | |
---|---|
RECAPTCHA_ACTION_UNSPECIFIED |
The reCAPTCHA action is not specified. |
BLOCK |
The reCAPTCHA-protected request will be blocked. |
RecaptchaKey
The reCAPTCHA key config. reCAPTCHA Enterprise offers different keys for different client platforms.
JSON representation |
---|
{
"key": string,
"type": enum ( |
Fields | |
---|---|
key |
The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}" |
type |
The client's platform type. |
RecaptchaKeyClientType
The different clients that reCAPTCHA Enterprise keys support.
Enums | |
---|---|
CLIENT_TYPE_UNSPECIFIED |
Client type is not specified. |
WEB |
Client type is web. |
IOS |
Client type is iOS. |
ANDROID |
Client type is Android. |
RecaptchaTollFraudManagedRule
The config for a reCAPTCHA toll fraud assessment managed rule. Models a single interval [startScore, endScore]. The endScore is implicit. It is either the closest smaller endScore (if one is available) or 0. Intervals in aggregate span [0, 1] without overlapping.
JSON representation |
---|
{
"startScore": number,
"action": enum ( |
Fields | |
---|---|
start |
The start score (inclusive) for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, ... 0.9, 1.0. A score of 0.0 indicates the safest request (likely legitimate), whereas 1.0 indicates the riskiest request (likely toll fraud). See https://cloud.google.com/recaptcha-enterprise/docs/sms-fraud-detection#create-assessment-sms. |
action |
The action taken if the reCAPTCHA score of a request is within the interval [startScore, endScore]. |
RecaptchaAction
Defaults to RECAPTCHA_ACTION_UNSPECIFIED
Enums | |
---|---|
RECAPTCHA_ACTION_UNSPECIFIED |
The reCAPTCHA action is not specified. |
BLOCK |
The reCAPTCHA-protected request will be blocked. |
SmsRegionConfig
Configures the regions where users are allowed to send verification SMS for the project or tenant. This is based on the calling code of the destination phone number.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field sms_region_policy . A policy for where users are allowed to send verification SMS. This can be to allow all regions by default or to allow regions only by explicit allowlist. sms_region_policy can be only one of the following: |
|
allow |
A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list. |
allowlist |
A policy of only allowing regions by explicitly adding them to an allowlist. |
AllowByDefault
Defines a policy of allowing every region by default and adding disallowed regions to a disallow list.
JSON representation |
---|
{ "disallowedRegions": [ string ] } |
Fields | |
---|---|
disallowed |
Two letter unicode region codes to disallow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json |
AllowlistOnly
Defines a policy of only allowing regions by explicitly adding them to an allowlist.
JSON representation |
---|
{ "allowedRegions": [ string ] } |
Fields | |
---|---|
allowed |
Two letter unicode region codes to allow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json |
MonitoringConfig
Configuration related to monitoring project activity.
JSON representation |
---|
{
"requestLogging": {
object ( |
Fields | |
---|---|
request |
Configuration for logging requests made to this project to Stackdriver Logging |
RequestLogging
Configuration for logging requests made to this project to Stackdriver Logging
JSON representation |
---|
{ "enabled": boolean } |
Fields | |
---|---|
enabled |
Whether logging is enabled for this project or not. |
PasswordPolicyConfig
The configuration for the password policy on the project.
JSON representation |
---|
{ "passwordPolicyEnforcementState": enum ( |
Fields | |
---|---|
password |
Which enforcement mode to use for the password policy. |
password |
Must be of length 1. Contains the strength attributes for the password policy. |
force |
Users must have a password compliant with the password policy to sign-in. |
last |
Output only. The last time the password policy on the project was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
PasswordPolicyEnforcementState
Enforcement state for the password policy
Enums | |
---|---|
PASSWORD_POLICY_ENFORCEMENT_STATE_UNSPECIFIED |
Illegal State, should not be used. |
OFF |
Password Policy will not be used on the project. |
ENFORCE |
Passwords non-compliant with the password policy will be rejected with an error thrown. |
PasswordPolicyVersion
The strength attributes for the password policy on the project.
JSON representation |
---|
{
"customStrengthOptions": {
object ( |
Fields | |
---|---|
custom |
The custom strength options enforced by the password policy. |
schema |
Output only. schema version number for the password policy |
CustomStrengthOptions
Custom strength options to enforce on user passwords.
JSON representation |
---|
{ "minPasswordLength": integer, "maxPasswordLength": integer, "containsLowercaseCharacter": boolean, "containsUppercaseCharacter": boolean, "containsNumericCharacter": boolean, "containsNonAlphanumericCharacter": boolean } |
Fields | |
---|---|
min |
Minimum password length. Range from 6 to 30 |
max |
Maximum password length. No default max length |
contains |
The password must contain a lower case character. |
contains |
The password must contain an upper case character. |
contains |
The password must contain a number. |
contains |
The password must contain a non alpha numeric character. |
EmailPrivacyConfig
Configuration for settings related to email privacy and public visibility. Settings in this config protect against email enumeration, but may make some trade-offs in user-friendliness.
JSON representation |
---|
{ "enableImprovedEmailPrivacy": boolean } |
Fields | |
---|---|
enable |
Migrates the project to a state of improved email privacy. For example certain error codes are more generic to avoid giving away information on whether the account exists. In addition, this disables certain features that as a side-effect allow user enumeration. Enabling this toggle disables the fetchSignInMethodsForEmail functionality and changing the user's email to an unverified email. It is recommended to remove dependence on this functionality and enable this toggle to improve user privacy. |
ClientPermissionConfig
Options related to how clients making requests on behalf of a tenant should be configured.
JSON representation |
---|
{
"permissions": {
object ( |
Fields | |
---|---|
permissions |
Configuration related to restricting a user's ability to affect their account. |
ClientPermissions
Configuration related to restricting a user's ability to affect their account.
JSON representation |
---|
{ "disabledUserSignup": boolean, "disabledUserDeletion": boolean } |
Fields | |
---|---|
disabled |
When true, end users cannot sign up for a new account on the associated project through any of our API methods |
disabled |
When true, end users cannot delete their account on the associated project through any of our API methods |
Methods |
|
---|---|
|
Create a tenant. |
|
Delete a tenant. |
|
Get a tenant. |
|
Gets the access control policy for a resource. |
|
List tenants under the given agent project. |
|
Update a tenant. |
|
Sets the access control policy for a resource. |
|
Returns the caller's permissions on a resource. |