
    Google Identity Provider

    Overview

    Adding a Login with Google button to FusionAuth is straightforward, and this guide will walk you through the steps necessary to collect the credentials from Google in order to enable this Social login.

    • Create a Google Cloud Account

    • Create Google OAuth client credentials

    • Create a Google Identity Provider

    • Building Your Own Integration


    Once you have completed this configuration you will be able to enable the Google login button for one or more FusionAuth Applications. Below is an example login page with the Google Identity Provider enabled.

    Google Login

    Create a Google Cloud Account

    Ensure you have a Google login, and then navigate to the Google Cloud console.

    • https://console.cloud.google.com

    Create Google OAuth client credentials

    In the Google Cloud console, find the APIs & Services Credentials by navigating to APIs and Services → Credentials.

    If you are prompted to select or create a project, do that now. In the following example I will need to create my first project before I can create credentials. I will call the project Pied Piper.

    Create Google Cloud Project

    Now that you have selected or created your first project, click on Create credentials and select OAuth client ID.

    Create Credentials

    If you see an alert indicating you first need to configure the consent screen, do that now by clicking on Configure consent screen.

    Configure Consent

    You will be prompted to define a consent type, typically External.

    Configure Consent

    On this panel, you will need to fill out the required fields and then click Save.

    In this example I have set the following fields.

    • Application name

    • User support email (not shown)

    • App logo (not shown)

    • Authorized domains

    • Application Homepage link

    • Application Privacy Policy link

    • Application Terms of Service link

    • Developer contact information

    Configure Consent Screen

    Once this is complete Google will direct you to complete or update scopes. It is typical to select userinfo.email and userinfo.profile as well as openid, but feel free to enable any you would like. These same scopes should be referenced in the IdP configuration in FusionAuth, which is configured later in this process.

    Configure Google Scopes

    Now you may return to the Credential section, click on Create credentials and select OAuth client ID.

    How you configure this panel depends on the type of login method interaction used. In this example I have specified https://login.piedpiper.com because this is the URL of FusionAuth for Pied Piper.

    If using a redirect method, add an Authorized redirect URI. This should be an absolute URL. For example, if FusionAuth is installed at login.piedpiper.com, the value would be https://login.piedpiper.com/oauth2/callback/.

    If using a popup, select Web application, specify the name of the credential and fill out the Authorized JavaScript origins field. This value should be the origin of your application login page.

    In the image below, we are showcasing the details needed for both the popup login method (an authorized origin) and the redirect login method (an authorized redirect URI). In practice you will fill in one or the other, not both, depending on your business needs.

    Create OAuth Client credentials

    Now you have completed creating a Google OAuth client credential. If you select the newly created credential, you will be provided with the Client ID and Client secret necessary for the next step.

    OAuth Client credentials

    Create a Google Identity Provider

    The last step will be to create a Google Identity Provider in FusionAuth. To create an Identity Provider navigate to Settings → Identity Providers and click the menu in the upper right corner and select Add Google.

    This will take you to the Add Google panel, where you’ll fill out the required Client Id and Client secret fields using the values found in the Google Cloud console. The button text is also required; it defaults to Login with Google, and you may optionally modify this default value.

    To enable this identity provider for an application, find your application name in the Applications configuration section at the bottom of this panel. You will always see the FusionAuth application; it represents the FusionAuth administrative user interface. If you wish to be able to log into FusionAuth with this provider, you may enable this application.

    In the following screenshot you will see that we have enabled this login provider for the Pied Piper application and enabled Create registration. Enabling create registration means that a user does not need to be manually registered for the application prior to using this login provider.

    For example, when a new user attempts to log into Pied Piper using Google, if their user does not exist in FusionAuth it will be created dynamically, and if the Create registration toggle has been enabled, the user will also be registered for Pied Piper and assigned any default roles assigned by the application.

    If you do not wish to automatically provision a user for this Application when logging in with Google, leave Create registration off. You will need to manually register a user for this application before they may Sign in with Google.

    That’s it. The Sign in with Google button will now show up on the login page for the Pied Piper application.

    Add Google

    Form Fields

    Client Id Required

    The Google Client Id found in your Google credentials settings in the Client ID field.

    Client secret Required

    The Google Client Secret found in your Google credentials settings in the Client secret field.

    Button text Required

    The text to be displayed in the button on the login form. This value is defaulted to Login with Google but it may be modified to your preference.

    Login Method Optional

    User interaction behavior after clicking on the IdP button (Login with Google, for instance).

    • Use redirect for login - if selected, the user is redirected to a Google login page. Once authenticated, the user is redirected back to FusionAuth. If selected, the redirect URL must be set to an absolute URL in the Google console for your application. If your hostname is login.piedpiper.com, the redirect URL would be https://login.piedpiper.com/oauth2/callback/.

    • Use popup for login - if selected, a popup is displayed to the user to login with Google. Once authenticated, the window is closed. If selected, the Authorized JavaScript origins URL must be allowed for your host name in the Google console for your application. For example, https://login.piedpiper.com.

      Please note if an idp_hint is appended to the OAuth Authorize endpoint, then the interaction behavior will be redirect, even if popup interaction is explicitly configured.

    Scope Optional

    This optional field defines the scope you’re requesting from the user during login. See the Google login documentation for further information. Three common scopes to include are email, profile, and openid.

    Linking strategy Optional defaults to Link on email. Create the user if they do not exist

    The linking strategy for the Google FusionAuth Identity Provider. See Linking Strategies for more.

    Reconcile lambda Optional Available since 1.17.0

    A lambda may be utilized to map custom claims returned from Google.

    To configure a lambda, navigate to Settings → Lambdas.

    Debug enabled Optional defaults to false

    Enable debug to create an event log to assist you in debugging integration errors.

    Building Your Own Integration

    If you are building your own login experience, you’ll want to start the identity provider flow yourself and then complete the login.

    You might do this if you are using the Login API rather than using the hosted FusionAuth login pages.

    Completing the login is documented further in the Identity Provider Login API.

    If you require a refresh token after completing the login, ensure Enable JWT Refresh is true in the application configuration. This is found in the administrative user interface by navigating to Applications → Your Application → Security → Login API settings.
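    The following is an added example and not FusionAuth's own code. It sketches the "build your own integration" flow described above for the redirect login method: start the Google authorization request yourself (with a random state value that is verified on the way back, so a callback an attacker crafted cannot be bound to another user's session), then complete the login by posting the authorization code to FusionAuth's Identity Provider Login API. The host login.piedpiper.com and the /oauth2/callback/ path come from this guide; FUSIONAUTH_URL, APPLICATION_ID, GOOGLE_IDP_ID and GOOGLE_CLIENT_ID are placeholders for your instance's values, and the request body shape is my reading of the Identity Provider Login API, which you should confirm against the API reference. The transport function is injectable so the flow can be exercised offline.

```python
"""Added example: custom Google login via FusionAuth's Identity Provider Login API.

Not FusionAuth's code. Placeholders below must be replaced with values from your
instance and from the Google Cloud console.
"""
import json
import secrets
import urllib.parse
import urllib.request

FUSIONAUTH_URL = "https://login.piedpiper.com"          # hostname used throughout the guide
REDIRECT_URI = FUSIONAUTH_URL + "/oauth2/callback/"      # must match the Authorized redirect URI in Google exactly
APPLICATION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: your FusionAuth application id
GOOGLE_IDP_ID = "00000000-0000-0000-0000-000000000001"   # placeholder: the Google identity provider id in your instance
GOOGLE_CLIENT_ID = "placeholder-client-id"               # placeholder: Client ID from the Google credential
SCOPES = "openid email profile"                          # the three scopes the guide recommends
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def start_google_login(session: dict) -> str:
    """Return the URL to send the browser to; the CSRF state is kept in the server-side session."""
    state = secrets.token_urlsafe(32)
    session["google_oauth_state"] = state
    params = {
        "client_id": GOOGLE_CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPES,
        "state": state,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _default_transport(url: str, body: dict, headers: dict) -> dict:
    """Real HTTPS POST to FusionAuth; tests substitute a fake so nothing leaves the machine."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def complete_google_login(session: dict, callback_query: str, transport=_default_transport) -> dict:
    """Handle the redirect back to /oauth2/callback/ and exchange the code with FusionAuth."""
    query = urllib.parse.parse_qs(callback_query)
    returned_state = query.get("state", [""])[0]
    expected_state = session.pop("google_oauth_state", None)  # single use: consumed whether or not it matches
    # Refuse the callback unless the state round-tripped unchanged. Without this check an
    # attacker could deliver their own authorization code into a victim's session.
    if not expected_state or not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("OAuth state mismatch; discarding callback")
    if "error" in query:
        raise ValueError("Google returned an error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    # Request body as I understand the Identity Provider Login API (assumption; verify against the reference).
    body = {
        "applicationId": APPLICATION_ID,
        "identityProviderId": GOOGLE_IDP_ID,
        "data": {"code": code, "redirect_uri": REDIRECT_URI},
    }
    headers = {"Content-Type": "application/json"}
    result = transport(FUSIONAUTH_URL + "/api/identity-provider/login", body, headers)
    # refreshToken is only returned when Enable JWT Refresh is on for the application.
    return {
        "token": result.get("token"),
        "refresh_token": result.get("refreshToken"),
        "user_id": result.get("user", {}).get("id"),
    }
```

    The state value is popped from the session before it is compared, so a replayed or mismatched callback consumes it and a fresh login must be started; the redirect_uri sent to FusionAuth is the same literal value that was registered in the Google console, which is what Google checks the code against.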

    © 2022 FusionAuth