Skip to main content

Google

note

To add Google as a social sign-in provider, you need a Google Developer account. Go to Google Cloud Console to create one.

Follow these steps to add Google as a social sign-in provider to your project using the Ory Console:

  1. Sign in to Ory Console and select Social Sign-in.

  2. Click the switch next to the Google logo to start the configuration.

  3. Copy the Redirect URI and save it for later use.

  4. Go to Google Cloud Console → APIs & Services to set up OAuth 2.

  5. Using the project dropdown menu, select an existing project or create a new one.

  6. Go to Credentials and create a new OAuth client ID.

    info

    You must have a consent screen configured to proceed.

  7. Configure the Google OAuth client. In the Authorized redirect URIs section, add the redirect URI copied from the Ory Console.

  8. Save the configuration and copy the Client ID and Client secret.

  9. Paste the Client ID and Client secret of the created OAuth client into the corresponding fields in the Ory Console.

  10. Click Save Configuration to enable Google as a social sign-in provider.

note

These steps cover the basic configuration of a social sign-in provider integration. At this point, the user experience is incomplete. To complete the configuration and ensure a smooth and secure user experience, configure the scopes and data mapping as described in the next section.

Additional configuration

When adding a social sign-in provider, you can customize the integration by defining the OAuth scopes Ory requests from the provider and by setting up custom data mappings.

Scopes

The Scopes section allows you to define the OAuth scopes Ory requests from the sign-in provider. Defining scopes allows you to interact with the provider's APIs on behalf of the user, or to access additional user data, which is exposed as claims for data mapping.

For Google, add the email and profile scopes for a basic setup.

To learn more about the scopes available for Google, read the related documentation.

Data mapping

The Data mapping section allows you to map the data returned by the sign-in provider to traits as defined in the identity schema.

To define the mapping, create a Jsonnet code snippet. Read this document to learn more about Jsonnet data mapping.

local claims = {
email_verified: false,
} + std.extVar('claims');

{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
first_name: claims.given_name,
last_name: claims.family_name,
[if 'hd' in claims && claims.email_verified then 'hd' else null]: claims.hd,
},
},
}

The sample Jsonnet snippet creates the following mapping:

Google claimOry Identity schema mapping
emailemail
given_namefirst_name
family_namelast_name
note

If you want to use this data mapping, you must include the first_name and last_name fields in your Identity Schema

danger

Don't save secrets such as API keys, credentials, or personal data directly in Jsonnet code snippets. Jsonnet code snippets used for data mapping aren't stored in an encrypted format in Ory Network.

tip

For Google, you can use the hd claim which is the hosted Google Workplace domain of the user. This claim is used only when the user has a Google Workspace account.

To learn more about the ID payload returned by Google, read the related documentation.

Additional Parameters

The following parameters are available for the Google provider:

  • login_hint
  • hd

The login_hint parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. The hd parameter limits the login/registration process to a Google Organization, for example mycollege.edu.

The parameters can be passed along to Ory on login, registration and settings flows on form submit.

See the Advanced Integration document for more information on passing parameters from your UI to Ory.

Using the Google SDK on native apps

Google provides a more integrated UX for native apps using the Google SDK. This flow uses the native Google SDK and does not require a browser. This results in a signed id_token on the client side (typically your app) which is exchanged at Ory for a session token.

The following steps are required to integrate the Google SDK with Ory:

  1. Configure a Google social sign-in provider in Ory using the same client_id as used in your native app.
  2. Optional: Android apps generate different token audiences per distribution (debug, release, etc.). You can add the ID of your current distribution to the additional_id_token_audiences field. Example: sh.ory.network-example-ios.debug.
  3. If your SDK supports nonce validation, make sure to use a generated value and submit that during the next step.
  4. Obtain an id_token from Google using the Google SDK. Make sure to also submit the nonce if you generated one in the step before.
  5. Submit the id_token and nonce (as the id_token_nonce) as part of the updateRegistrationFlow or updateLoginFlow request to Ory.
  6. Ory will validate the id_token and create an identity and optionally a session (if configured).

The id_token is verified using Google's publicly available signing keys, available under https://www.googleapis.com/oauth2/v3/certs.

Make sure to request the scopes you require in your Jsonnet mapping, otherwise they will be empty after the registration.

danger

While not explicitly required, as not all of Google SDKs support it, we recommend that you use a nonce to prevent replay attacks wherever possible.

info

Ory does not communicate directly with Google during this flow and does not have access to the Access & Refresh Tokens. This means that Ory cannot return these in the admin APIs or SDK.

Flutter code example

The following showcases an example implementation of a Sign in with Google button using the Ory SDK and google_sign_in Flutter package.

sign-in-with-google.dart
import 'package:flutter/material.dart';
import 'package:google_sign_in/google_sign_in.dart';
import 'package:one_of/one_of.dart';
import 'package:ory_client/ory_client.dart';

class SignInWithGoogleButton extends StatelessWidget {
final String flowId;
final OryClient ory;

final GoogleSignIn _googleSignIn = GoogleSignIn(
scopes: [
'email',
// Add additional scopes, if you require that data in your Jsonnet mapping
],
);

SignInWithGoogleButton({super.key, required this.flowId, required this.ory});

void handleGoogleSignIn(GoogleSignInAccount? value) {
value?.authentication.then((value) {
var idToken = value.idToken;
if (idToken == null) {
// If we end up here, but there is no ID token, something went wrong
print("No idToken found");
return;
}

// Create the payload for the updateRegistrationFlow endpoint with the idToken from Google
var body = UpdateRegistrationFlowWithOidcMethod(
(b) => b
..idToken = idToken
..method = 'oidc'
..provider = 'google',
);

// Submit the updateRegistrationFlow endpoint with the payload
ory.getFrontendApi().updateRegistrationFlow(
flow: flowId,
updateRegistrationFlowBody: UpdateRegistrationFlowBody(
(b) => b..oneOf = OneOf.fromValue1(value: body)),
);
});
}


Widget build(BuildContext context) {
return TextButton(
child: const Text("Sign in with Google"),
onPressed: () => {_googleSignIn.signIn().then(handleGoogleSignIn)},
);
}
}

Troubleshooting

When you add a social sign-in provider, you can encounter common problems such as:

  • Redirect URI mismatch
  • Redirect loops during registration
  • Domain verification issues

To troubleshoot those issues, read Social sign-in troubleshooting.

Error: token audience didn't match allowed audiences

Make sure to either add your apps current identifier to the additional_id_token_audiences field or set it as the Client ID of the provider in the Ory Console.