The user_id is the identifier of the user at the Identity Provider (IDP).
The user_id field in the Identity Toolkit ID Token is a global identifier, unique across all IDPs, for this user, in the context of your site or app. It is not shared with other sites or apps which use Identity Toolkit. In other words, Identity Toolkit does not provide a global identifier across different developers (relying parties).
When a user signs in successfully on an Identity Toolkit-enabled site, Identity Toolkit’s widgets set a cookie named “gtoken”. It is a JSON Web Token (JWT), a cryptographically-signed JSON object encoded in base 64. The Identity Toolkit JWT is very similar to an OpenID Connect ID token and we will refer to this as the Identity Toolkit ID Token.
An ID Token is a JWT containing a set of name/value pairs. Here’s an example:
```json
{
  "iss": "https://identitytoolkit.google.com/",
  "user_id": "829A8CD24E",
  "aud": "622215261071.apps.googleusercontent.com",
  "provider_id": "google.com",
  "iat": 1408553860,
  "exp": 1409763460,
  "email": "jsmith@example.com",
  "verified": "true"
}
```
The fields used by Identity Toolkit are:
Parameter | Present? | Description |
---|---|---|
iss | always | The Issuer Identifier for the Issuer of the response. This will always be "https://identitytoolkit.google.com/". |
user_id | always | The user’s local ID on your site. Identity Toolkit will generate new user_id numbers once you begin to use it for new user sign-ups. |
aud | always | Identifies the audience that this ID Token is intended for. It must be one of the OAuth 2.0 Client IDs of your application. |
provider_id | sometimes | The base URL of the identity provider. |
iat | always | An integer giving the time the ID token was issued, in seconds since the beginning of 1970, UTC. |
exp | always | An integer giving the time the ID Token expires, in seconds since the beginning of 1970, UTC. |
email | sometimes | The user’s email address. This may not be unique and is not suitable for use as a primary key. |
verified | sometimes | True if the user's e-mail address has been verified; otherwise false. If the user goes through the Identity Toolkit email recovery flow and activates the URL, Identity Toolkit will mark this as verified. |
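
The claim checks implied by the table, as an added example that is not part of the original page or of Identity Toolkit's own code. The function names and the 60-second clock-skew allowance are assumptions, and signature verification is not shown: `check_claims` must only be given a payload whose signature has already been verified against the issuer's keys.

```python
import base64
import json
import time

ISSUER = "https://identitytoolkit.google.com/"  # fixed "iss" value from the table

class TokenError(ValueError):
    """A token or one of its claims failed validation."""

def unverified_payload(token):
    """Decode the JWT payload segment. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a three-part JWT")
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        raise TokenError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise TokenError("payload is not a JSON object")
    return claims

def check_claims(claims, client_ids, now=None, skew=60):
    """Check claims of an already signature-verified token; key accounts on user_id."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("unexpected iss")
    aud = claims.get("aud")
    if not isinstance(aud, str) or aud not in client_ids:
        raise TokenError("aud is not one of our client IDs")
    iat, exp = claims.get("iat"), claims.get("exp")
    if type(iat) is not int or type(exp) is not int:
        raise TokenError("iat and exp must be integers")
    if iat > now + skew or exp <= now - skew:
        raise TokenError("token not yet valid or expired")
    uid = claims.get("user_id")
    if not isinstance(uid, str) or not uid:
        raise TokenError("missing user_id")
    return {"user_id": uid, "provider_id": claims.get("provider_id"), "email": claims.get("email"),
            "email_verified": claims.get("verified") in (True, "true")}

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: the example claims above with a dummy header and signature.
SAMPLE_CLAIMS = {"iss": ISSUER, "user_id": "829A8CD24E", "provider_id": "google.com",
                 "aud": "622215261071.apps.googleusercontent.com", "iat": 1408553860,
                 "exp": 1409763460, "email": "jsmith@example.com", "verified": "true"}
SAMPLE_TOKEN = ".".join([_seg({"typ": "JWT"}), _seg(SAMPLE_CLAIMS), "dummy-signature"])
```

The optional fields (`provider_id`, `email`, `verified`) come back as `None` or `False` when absent, so callers never index a missing key.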