Google Identity Provider

Overview

Adding a Login with Google button to FusionAuth is simple, and this guide will walk you through the steps necessary to collect the credentials from Google in order to enable this Social login.


Once you have completed this configuration you will be able to enable the Google login button for one or more FusionAuth Applications. Below is an example login page with the Google Identity Provider enabled.

Google Login

Create a Google Cloud Account

Ensure you have a Google login, and then navigate to the Google Cloud console.

Create Google OAuth client credentials

In the Google Cloud console, find the APIs & Services Credentials by navigating to APIs and Services → Credentials.

If you are prompted to select or create a project, do that now. In the following example I will need to create my first project before I can create credentials. I will call the project Pied Piper.

Create Google Cloud Project

Now that you have selected or created your first project, click on Create credentials and select OAuth client ID.

Create Credentials

If you see an alert indicating you first need to configure the content screen, do that now by clicking on Configure consent screen.

Configure Consent

On this panel, you will need to fill out the required fields and then click Save. Once this is complete you may return the Credentials tab to complete creating the OAuth credentials.

In this example I have set the following fields.

  • Application name

  • Authorized domains

  • Application Homepage link

  • Application Privacy Policy link

  • Application Terms of Service link

Configure Consent Screen

Now you may return to the Credential section, click on Create credentials and select OAuth client ID.

On this panel, select Web application, specify the name of the credential and fill out the Authorized JavaScript origins field. This value should be the origin of your application login page. In this example I have specified https://login.piedpiper.com because this is the URL of FusionAuth for Pied Piper.

Create OAuth Client credentials

Now you have completed creating a Google OAuth client credential. If you select the newly created credential, you will be provided with the Client ID and Client secret necessary for the next step.

OAuth Client credentials

Create a Google Identity Provider

The last step will be to create a Google Identity Provider in FusionAuth. To create an Identity Provider navigate to Settings → Identity Providers and click Add provider and select Google from the dialog.

This will take you to the Add Google panel, and you’ll fill out the Client Id and Client secret required fields using the values found in the Google Cloud console. The button text is also required but it will be defaulted to Login with Google, you may optionally modify this default value.

To enable this identity provider for an application, find your application name in the Applications configuration section at the bottom of this panel. You will always see the FusionAuth application, this application represents the FusionAuth user interface. If you wish to be able to log into FusionAuth with this provider you may enable this application.

In the following screenshot you will see that we have enabled this login provider for the Pied Piper application and enabled Create registration. Enabling create registration means that a user does not need to be manually registered for the application prior to using this login provider.

For example, when a new user attempts to log into Pied Piper using Google, if their user does not exist in FusionAuth it will be created dynamically, and if the Create registration toggle has been enabled, the user will also be registered for Pied Piper and assigned any default roles assigned by the application.

If you do not wish to automatically provision a user for this Application when logging in with Google, leave Create registration off and you will need to manually register a user for this application before they may complete login with Google.

That’s it, now the Login with Google button will show up on the login page for Pied Piper.

Add Google

Form Fields

Client Id Required

The Google Client Id found in your Google credentials settings in the Client ID field.

Client secret Required

The Google Client Secret found in your Google credentials settings in the Client secret field.

Button text Required

The text to be displayed in the button on the login form. This value is defaulted to Login with Google but it may be modified to your preference.

Scope Optional

This optional field defines the scope you’re requesting from the user during login. See the Google login documentation for further information.

Reconcile lambda Optional Available since 1.17.0

A lambda may be utilized to map custom claims returned from Google.

To configure a lambda, navigate to Settings → Lambdas.

Debug enabled Optional defaults to false

Enable debug to create an event log to assist you in debugging integration errors.

Building Your Own Integration

If you are building your own login experience, you’ll want to start the identity provider flow yourself and then complete the login.

You might do this if you are using the Login API rather than using the hosted FusionAuth login pages.

Completing the login is documented further in the API.