Verifies the assertion returned by the IdP.
Request
HTTP request
POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion
Request body
In the request body, supply data with the following structure:
```
{
  "requestUri": string,
  "postBody": string,
  "pendingIdToken": string
}
```
Property name | Value | Description | Notes |
---|---|---|---|
requestUri | string | The URI to which the IdP redirects the user back. It may contain federated login result params added by the IdP. | |
postBody | string | The post body if the request is an HTTP POST. | |
pendingIdToken | string | The GITKit token for the non-trusted IdP that is pending confirmation by the user. | |
Response
If successful, this method returns a response body with the following structure:
```
{
  "kind": "identitytoolkit#VerifyAssertionResponse",
  "federatedId": string,
  "providerId": string,
  "localId": string,
  "emailRecycled": boolean,
  "emailVerified": boolean,
  "email": string,
  "inputEmail": string,
  "originalEmail": string,
  "oauthRequestToken": string,
  "oauthScope": string,
  "firstName": string,
  "lastName": string,
  "fullName": string,
  "nickName": string,
  "displayName": string,
  "idToken": string,
  "action": string,
  "language": string,
  "timeZone": string,
  "photoUrl": string,
  "dateOfBirth": string,
  "context": string,
  "verifiedProvider": [ string ],
  "needConfirmation": boolean
}
```
Property name | Value | Description | Notes |
---|---|---|---|
kind | string | The fixed string "identitytoolkit#VerifyAssertionResponse". | |
federatedId | string | The unique ID that identifies the IdP account. | |
providerId | string | The IdP ID. For whitelisted IdPs it's a short domain name, e.g. google.com, aol.com, live.net and yahoo.com. If the "providerId" param is set to an OpenID OP identifier other than the whitelisted IdPs, the OP identifier is returned. If the "identifier" param in the createAuthUri request is a federated ID, the domain part of the federated ID is returned. | |
localId | string | The RP local ID if it's already been mapped to the IdP account identified by the federated ID. | |
emailRecycled | boolean | It's true if the email is recycled. | |
emailVerified | boolean | The value is true if the IdP is also the email provider. It means the user owns the email. | |
email | string | The email returned by the IdP. NOTE: The federated login user may not own the email. | |
inputEmail | string | It's the identifier param in the createAuthUri request if the identifier is an email. It can be used to check whether the user input email is different from the asserted email. | |
originalEmail | string | The original email stored in the mapping storage. It's returned when the federated ID is associated with a different email. | |
oauthRequestToken | string | The user-approved request token for the OpenID OAuth extension. | |
oauthScope | string | The scope for the OpenID OAuth extension. | |
firstName | string | The first name of the user. | |
lastName | string | The last name of the user. | |
fullName | string | The full name of the user. | |
nickName | string | The nickname of the user. | |
displayName | string | The display name of the user. | |
idToken | string | The ID token. | |
action | string | The action code. | |
language | string | The language preference of the user. | |
timeZone | string | The timezone of the user. | |
dateOfBirth | string | The birth date of the IdP account. | |
context | string | The opaque value used by the client to maintain context info between the authentication request and the IdP callback. | |
verifiedProvider[] | list | When action is 'map', contains the IdPs which can be used for confirmation. | |
photoUrl | string | The URI of the publicly accessible profile picture. | |
needConfirmation | boolean | Whether the assertion is from a non-trusted IdP and needs account linking confirmation. | |
appInstallationUrl | | | |
appScheme | | | |
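
One way a relying party could act on the fields above before signing a user in, as an added example that is not part of the original reference or of Google's code. The function name `evaluate_assertion`, the outcome labels, the requirement that `context` match a value the RP stored, and the handling of `emailRecycled` are assumptions of this example; the sample responses are constructed.

```python
import hmac

KIND = "identitytoolkit#VerifyAssertionResponse"

def evaluate_assertion(resp, expected_context):
    """Return (outcome, notes) for a parsed verifyAssertion response body.
    Outcome names are hypothetical labels for this example."""
    if resp.get("kind") != KIND:
        return "reject", ["unexpected kind"]
    if not resp.get("federatedId"):
        return "reject", ["no federatedId"]
    # Assumed policy: the RP stored the context value it sent with the
    # authentication request and requires the same value back.
    got = str(resp.get("context", "")).encode()
    if not hmac.compare_digest(got, expected_context.encode()):
        return "reject", ["context mismatch"]

    notes = []
    email = (resp.get("email") or "").lower()
    typed = (resp.get("inputEmail") or "").lower()
    if typed and typed != email:
        notes.append("asserted email differs from the email the user typed")
    if resp.get("originalEmail"):
        notes.append("federated ID is stored with a different email")

    # Non-trusted IdP: the user has to confirm the account link first.
    if resp.get("needConfirmation"):
        return "confirm_link", notes
    # federatedId is already mapped to a local account: key on localId.
    if resp.get("localId"):
        return "sign_in", notes
    # No mapping yet. emailVerified means the IdP is also the email provider;
    # otherwise the user may not own the address. Treating a recycled address
    # as unproven is an assumption of this example.
    if resp.get("emailVerified") and not resp.get("emailRecycled"):
        return "link_by_email", notes
    notes.append("email ownership not established")
    return "verify_email", notes

# Constructed sample responses (not captured from a real IdP).
BASE = {"kind": KIND, "context": "ctx-123", "providerId": "example.test",
        "federatedId": "https://example.test/id/42", "email": "a@example.test"}
SAMPLES = {
    "mapped": {**BASE, "localId": "u-1", "emailVerified": True},
    "unverified": {**BASE, "emailVerified": False, "inputEmail": "b@example.test"},
    "untrusted": {**BASE, "needConfirmation": True},
    "wrong_context": {**BASE, "context": "other", "localId": "u-1"},
}
```

The point of the ordering is that `email` alone never selects a local account: an existing `localId` mapping or a verified, non-recycled address is required, and everything else falls through to the RP's own email verification.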