feat(auth): Implemented tenant management APIs (#311)

* Added Tenant, TenantClient and TenantManager types (#287)

* Added user management APIs to the TenantClient (#288)

* Added IdP config management APIs to TenantClient (#290)

* Added baseClient type (#291)

* Exposing ID token verification APIs from TenantClient (#296)

* Added JWT verification APIs to TenantClient

* Removed SessionCookie() and related APIs from TenantClient

* Minor simplification

* Added Tenant() and DeleteTenant() APIs (#300)

* Added CreateTenant() and UpdateTenant() APIs (#303)

* Added Tenants() function to iterate over tenants (#304)

* Adding integration tests (#305)

* Adding integration tests

* Added license header

* Removing go1.9 from the CI config; This is already done in the dev branch. Needed to do it here for the CI to pass with the latest deps.

* More integration tests for tenant management support (#306)

* Added more integration tests

* Added SAML and OIDC integration tests

* Added ImportUsers integration test

* Updated ID token verification test

Author: hiranya911

auth/auth.go

@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"time"
 
 	"firebase.google.com/go/internal"
 	"google.golang.org/api/transport"
@@ -41,12 +42,10 @@ var reservedClaims = []string{
 // Client facilitates generating custom JWT tokens for Firebase clients, and verifying ID tokens issued
 // by Firebase backend services.
 type Client struct {
-	*userManagementClient
-	*providerConfigClient
-	idTokenVerifier *tokenVerifier
-	cookieVerifier  *tokenVerifier
-	signer          cryptoSigner
-	clock           internal.Clock
+	*baseClient
+	TenantManager *TenantManager
+	signer        cryptoSigner
+	clock         internal.Clock
 }
 
 // NewClient creates a new instance of the Firebase Auth Client.
@@ -99,13 +98,17 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)
 		return nil, err
 	}
 
-	return &Client{
+	base := &baseClient{
 		userManagementClient: newUserManagementClient(hc, conf),
 		providerConfigClient: newProviderConfigClient(hc, conf),
 		idTokenVerifier:      idTokenVerifier,
 		cookieVerifier:       cookieVerifier,
-		signer:               signer,
-		clock:                internal.SystemClock,
+	}
+	return &Client{
+		baseClient:    base,
+		signer:        signer,
+		clock:         internal.SystemClock,
+		TenantManager: newTenantManager(hc, conf, base),
 	}, nil
 }
 
@@ -172,21 +175,62 @@ func (c *Client) CustomTokenWithClaims(ctx context.Context, uid string, devClaim
 	return info.Token(ctx, c.signer)
 }
 
+// SessionCookie creates a new Firebase session cookie from the given ID token and expiry
+// duration. The returned JWT can be set as a server-side session cookie with a custom cookie
+// policy. Expiry duration must be at least 5 minutes but may not exceed 14 days.
+func (c *Client) SessionCookie(
+	ctx context.Context,
+	idToken string,
+	expiresIn time.Duration,
+) (string, error) {
+	return c.baseClient.userManagementClient.createSessionCookie(ctx, idToken, expiresIn)
+}
+
 // Token represents a decoded Firebase ID token.
 //
 // Token provides typed accessors to the common JWT fields such as Audience (aud) and Expiry (exp).
 // Additionally it provides a UID field, which indicates the user ID of the account to which this token
 // belongs. Any additional JWT claims can be accessed via the Claims map of Token.
 type Token struct {
+	AuthTime int64                  `json:"auth_time"`
 	Issuer   string                 `json:"iss"`
 	Audience string                 `json:"aud"`
 	Expires  int64                  `json:"exp"`
 	IssuedAt int64                  `json:"iat"`
 	Subject  string                 `json:"sub,omitempty"`
 	UID      string                 `json:"uid,omitempty"`
+	Firebase FirebaseInfo           `json:"firebase"`
 	Claims   map[string]interface{} `json:"-"`
 }
 
+// FirebaseInfo represents the information about the sign-in event, including which auth provider
+// was used and provider-specific identity details.
+//
+// This data is provided by the Firebase Auth service and is a reserved claim in the ID token.
+type FirebaseInfo struct {
+	SignInProvider string                 `json:"sign_in_provider"`
+	Tenant         string                 `json:"tenant"`
+	Identities     map[string]interface{} `json:"identities"`
+}
+
+type baseClient struct {
+	*userManagementClient
+	*providerConfigClient
+	idTokenVerifier *tokenVerifier
+	cookieVerifier  *tokenVerifier
+	tenantID        string
+}
+
+func (c *baseClient) withTenantID(tenantID string) *baseClient {
+	return &baseClient{
+		userManagementClient: c.userManagementClient.withTenantID(tenantID),
+		providerConfigClient: c.providerConfigClient.withTenantID(tenantID),
+		idTokenVerifier:      c.idTokenVerifier,
+		cookieVerifier:       c.cookieVerifier,
+		tenantID:             tenantID,
+	}
+}
+
 // VerifyIDToken verifies the signature	and payload of the provided ID token.
 //
 // VerifyIDToken accepts a signed JWT token string, and verifies that it is current, issued for the
@@ -201,8 +245,13 @@ type Token struct {
 //
 // This does not check whether or not the token has been revoked. Use `VerifyIDTokenAndCheckRevoked()`
 // when a revocation check is needed.
-func (c *Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, error) {
-	return c.idTokenVerifier.VerifyToken(ctx, idToken)
+func (c *baseClient) VerifyIDToken(ctx context.Context, idToken string) (*Token, error) {
+	decoded, err := c.idTokenVerifier.VerifyToken(ctx, idToken)
+	if err == nil && c.tenantID != "" && c.tenantID != decoded.Firebase.Tenant {
+		return nil, internal.Errorf(tenantIDMismatch, "invalid tenant id: %q", decoded.Firebase.Tenant)
+	}
+
+	return decoded, err
 }
 
 // VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the
@@ -212,20 +261,20 @@ func (c *Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, err
 // `VerifyIDToken()` this function must make an RPC call to perform the revocation check.
 // Developers are advised to take this additional overhead into consideration when including this
 // function in an authorization flow that gets executed often.
-func (c *Client) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error) {
-	p, err := c.VerifyIDToken(ctx, idToken)
+func (c *baseClient) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error) {
+	decoded, err := c.VerifyIDToken(ctx, idToken)
 	if err != nil {
 		return nil, err
 	}
 
-	revoked, err := c.checkRevoked(ctx, p)
+	revoked, err := c.checkRevoked(ctx, decoded)
 	if err != nil {
 		return nil, err
 	}
 	if revoked {
 		return nil, internal.Error(idTokenRevoked, "ID token has been revoked")
 	}
-	return p, nil
+	return decoded, nil
 }
 
 // VerifySessionCookie verifies the signature and payload of the provided Firebase session cookie.
@@ -253,22 +302,22 @@ func (c *Client) VerifySessionCookie(ctx context.Context, sessionCookie string)
 // Developers are advised to take this additional overhead into consideration when including this
 // function in an authorization flow that gets executed often.
 func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, sessionCookie string) (*Token, error) {
-	p, err := c.VerifySessionCookie(ctx, sessionCookie)
+	decoded, err := c.VerifySessionCookie(ctx, sessionCookie)
 	if err != nil {
 		return nil, err
 	}
 
-	revoked, err := c.checkRevoked(ctx, p)
+	revoked, err := c.checkRevoked(ctx, decoded)
 	if err != nil {
 		return nil, err
 	}
 	if revoked {
 		return nil, internal.Error(sessionCookieRevoked, "session cookie has been revoked")
 	}
-	return p, nil
+	return decoded, nil
 }
 
-func (c *Client) checkRevoked(ctx context.Context, token *Token) (bool, error) {
+func (c *baseClient) checkRevoked(ctx context.Context, token *Token) (bool, error) {
 	user, err := c.GetUser(ctx, token.UID)
 	if err != nil {
 		return false, err