Google Sign-in and Authorization

Google is a popular social connection that allows users to log in to your application using their Google profile. To complete the Call other's APIs on user's behalf quickstart, you need to set up a Google social connection.

To set up a Google social connection, you must:

• Create Google OAuth credentials with the Google Auth Platform.
• Configure and test a Google social connection with the Auth0 Dashboard.

Prerequisites

1. Sign up for a Google Developer account.
2. Create a Google project.

Google Auth Platform

The Google Auth Platform helps you manage your applications and OAuth credentials for logging in and calling Google APIs. To learn more, read Get started with the Google Auth Platform.

Use the Google Auth Platform to:

• Configure Google consent screen
• Create Google OAuth Client

Configure Google consent screen

Note: If your application requests sensitive OAuth scopes or uses a custom image, Google limits it to 100 logins until the OAuth consent screen is verified. Consent screen verification may take up to several days.

When you use OAuth 2.0 for authorization, your application requests authorization for one or more scopes of access from a Google Account. Google displays a consent screen to the user, including a summary of your project, its policies, and the requested access scopes.

Before creating an OAuth client ID, you must first configure the OAuth consent screen with information about your application.

In the Google Cloud Console, configure your Google OAuth consent screen:

1. Navigate to Google Auth Platform > Branding:

• For Authorized domains, enter auth0.com. If you’re using a custom domain, enter your custom domain instead.

2. Navigate to Google Auth Platform > Audience:

• For User type, select Make External. In Test Users, you can add the email addresses you want to use for testing.

3. Navigate to Google Auth Platform > Data Access to add or remove scopes. To learn more, read OAuth 2.0 Scopes for Google APIs.

4. Follow the rest of the instructions to finish configuring your Google OAuth consent screen.

5. Select Save Changes.

Create Google OAuth Client

To create a Google OAuth 2.0 Client, you need your Auth0 domain, which you can find in the Auth0 Dashboard.

1. If you haven’t configured a custom domain, your Auth0 domain name is {YOUR_TENANT_NAME}.{YOUR_REGIONAL_SUBDOMAIN}.auth0.com. It will be bolded in the introduction. Your redirect URI is https://{YOUR_TENANT_NAME}.{YOUR_REGIONAL_SUBDOMAIN}.auth0.com/login/callback.
2. If you have configured a custom domain via Settings > Custom Domains in your Auth0 Dashboard, use your custom domain instead. Your redirect URI is https://{YOUR_CUSTOM_DOMAIN}/login/callback.

Note: If you created your US tenant before June 2020, then your Auth0 domain name does not include the regional subdomain: {YOUR_TENANT_NAME}.auth0.com.

In the Google Cloud Console, create a new OAuth 2.0 Client:

1. Navigate to Google Auth Platform > Clients. Then, select New Client.
2. For the Application type, select Web application.
3. Enter the following information for your OAuth 2.0 Client:

• Name: The name of your OAuth 2.0 Client.
• Authorized Javascript origins: https://{YOUR_DOMAIN}
• Authorized redirect URIs: https://{YOUR_DOMAIN}/login/callback

4. Select Create.

Auth0 Dashboard

Use the Auth0 Dashboard to create and configure a Google social connection with the proper OAuth credentials. If you are following the Call Other's APIs on User's Behalf quickstart, you can skip the below steps and proceed to get the connection automatically set up using the Configure Google Social Connection step of the quickstart.

Create Google social connection

Use the Auth0 Dashboard to create a new Google social connection.

1. Navigate to Authentication > Social.
2. Select Create Connection and then Google/Gmail.
3. In General, enter the client credentials from the Google OAuth 2.0 Client you created:

• Client ID: The unique identifier for your application.
• Client Secret: The secret used by the application to authenticate with Auth0. To learn more, read Client secret authentication.

4. In Permissions, select all the required scopes. When you get an access token for the Google social connection, it will contain the appropriate scopes so you can use it to call the required Google APIs.
5. Click Save Changes.

Configure federated connection

You need to configure your Google social connection so it can retrieve and store access tokens for third-party APIs. Auth0's Token Vault organizes the access and refresh tokens of federated connections in secure tokensets. Applications can then access the Token Vault to retrieve access tokens to call third-party APIs.

To learn more, read Configure Token Vault.

Test connection

Once you have created your Google social connection, test your connection.

Next steps

• Learn how to get an access token to make a tool call by completing the Call other's APIs on user's behalf quickstart
• Learn more about using Google for social login.