Google Identity Provider
Adding a Login with Google button to FusionAuth is straightforward, and this guide will walk you through the steps necessary to collect the credentials from Google in order to enable this Social login.
Once you have completed this configuration you will be able to enable the Google login button for one or more FusionAuth Applications. Below is an example login page with the Google Identity Provider enabled.
Create a Google Cloud Account
Ensure you have a Google login, and then navigate to the Google Cloud console.
Create Google OAuth client credentials
In the Google Cloud console, find the APIs & Services Credentials by navigating to.
If you are prompted to select or create a project, do that now. In the following example I will need to create my first project before I can create credentials. I will call the project
Now that you have selected or created your first project, navigate to OAuth client ID.and then click on and select
If you see an alert indicating you first need to configure the content screen, do that now by clicking on.
You will be prompted to define a consent type, typically External. Click
On this panel, you will need to fill out the required fields and then click
In this example I have set the following fields.
User support email (not shown)
App logo (not shown)
Application Homepage link
Application Terms of Service link
Developer contact information (not shown)
Once this is complete, you can add or update scopes by clicking on the Add or remove scopes button. It is typical to select userinfo.profile as well as openid, but feel free to enable any you would like.
These same scopes should be referenced in the IdP configuration in FusionAuth, which is configured later in this process.
Save and continue after optionally adding any test users.
Navigate to OAuth client ID.and then click on and select
How you configure this panel depends on the type of login method interaction used. In this example I have specified https://login.piedpiper.com because this is the URL of FusionAuth for Pied Piper.
If using a redirect method, add an Authorized redirect URI. This should be an absolute URL. For example, if FusionAuth is installed at login.piedpiper.com, the value would be
If using a popup, select Web application, specify the name of the credential and fill out the
In the image below, we are showcasing details needed for both the popup login method (added an origin) and the redirect url. In the real world you will fill in either option, but not both (depending on your business needs).
Now you have completed creating a Google OAuth client credential. If you select the newly created credential, you will be provided with the Client ID and Client secret necessary for the next step.
Create a Google Identity Provider
The last step will be to create a Google Identity Provider in FusionAuth. To create an Identity Provider navigate to
This will take you to the Add Google panel, where you'll fill out the Client Id and Client secret required fields using the values found in the Google Cloud console. The button text is also required, but it defaults to Login with Google; you may optionally modify this default value.
To enable this identity provider for an application, find your application name in the Applications configuration section at the bottom of this panel. You will always see the FusionAuth application; it represents the FusionAuth administrative user interface. If you wish to be able to log into FusionAuth with this provider, you may enable this application.
In the following screenshot you will see that we have enabled this login provider for the Pied Piper application and enabled Create registration. Enabling create registration means that a user does not need to be manually registered for the application prior to using this login provider.
For example, when a new user attempts to log into Pied Piper using Google, if their user does not exist in FusionAuth it will be created dynamically, and if the Create registration toggle has been enabled, the user will also be registered for Pied Piper and assigned any default roles assigned by the application.
If you do not wish to automatically provision a user for this application when logging in with Google, leave Create registration off. You will need to manually register a user for this application before they may Sign in with Google.
That's it. Now the Sign in with Google button will show up on the login page for the Pied Piper application.
- Client Id Required
The Google Client Id found in your Google credentials settings in the
- Client secret Required
The Google Client Secret found in your Google credentials settings in the
- Button text Required
The text to be displayed in the button on the login form. This value defaults to Login with Google but it may be modified to your preference.
- Login Method Optional
User interaction behavior after clicking on the IdP button (Login with Google, for instance).
Use redirect for login - if selected, the user is redirected to a Google login page. Once authenticated, the user is redirected back to FusionAuth. If selected, the redirect URL must be set to an absolute URL in the Google console for your application. If your hostname is login.piedpiper.com, the redirect URL would be
Use popup for login - if selected, a popup is displayed to the user to log in with Google. Once authenticated, the window is closed. If selected, the
Please note that if an idp_hint is appended to the OAuth Authorize endpoint, then the interaction behavior will be redirect, even if popup interaction is explicitly configured.
- Scope Optional
This optional field defines the scope you’re requesting from the user during login. See the Google login documentation for further information. Three common scopes to include are
- Linking strategy Optional defaults to Link on email. Create the user if they do not exist
The linking strategy for the Google FusionAuth Identity Provider. See Linking Strategies for more.
- Reconcile lambda Optional Available since 1.17.0
A lambda may be utilized to map custom claims returned from Google.
To configure a lambda, navigate to.
- Debug enabled Optional defaults to
Enable debug to create an event log to assist you in debugging integration errors.
Building Your Own Integration
If you are building your own login experience, you’ll want to start the identity provider flow yourself and then complete the login.
You might do this if you are using the Login API rather than using the hosted FusionAuth login pages.
Completing the login is documented further in the API.
If you require a refresh token after completing the login, ensure Enable JWT Refresh is true in the application configuration. This is found in the administrative user interface by navigating to .
Google sometimes requires custom URL parameters when starting a login to access certain functionality. Examples include:
access_type=offline if you want a refresh token from Google.
prompt=select_account if you want to force an account selection screen.
There are more options covered here.
When you need such custom parameters, the Google Identity Provider won’t work. Instead, do the following:
Create an OpenId Connect Identity Provider.
Set Discover endpoints to be
Enter the endpoints manually from the Discovery document.
Append whatever additional parameters are needed to the Authorization endpoint value. For example, you might end up with something like
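The manual-endpoint procedure above, as an added example that is not FusionAuth's or Google's own code: it pulls the endpoint values an OpenID Connect Identity Provider form needs out of a discovery document and appends custom parameters such as access_type=offline to the authorization endpoint with proper URL encoding. The discovery document below is a constructed sample whose URLs are Google's published values at the time of writing; copy them from the live document rather than from here.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample shaped like Google's discovery document
# (https://accounts.google.com/.well-known/openid-configuration).
# Always refresh these values from the live document before use.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
})

# The fields an OpenID Connect IdP needs when "Discover endpoints" is off.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def manual_endpoints(discovery_json: str) -> dict:
    """Return the endpoint values to enter by hand. A missing key is an
    error rather than a silently half-configured provider."""
    doc = json.loads(discovery_json)
    missing = [k for k in REQUIRED_KEYS if not doc.get(k)]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    return {k: doc[k] for k in REQUIRED_KEYS}


def with_custom_params(authorization_endpoint: str, extra: dict) -> str:
    """Append parameters (e.g. access_type=offline, prompt=select_account)
    to the authorization endpoint, merging with any existing query string
    so the result never contains a second '?' and values stay encoded."""
    parts = urlsplit(authorization_endpoint)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(extra)
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    endpoints = manual_endpoints(SAMPLE_DISCOVERY)
    print(with_custom_params(endpoints["authorization_endpoint"],
                             {"access_type": "offline",
                              "prompt": "select_account"}))
```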