Google user authentication options for sign-up and sign-in

User sign-in with OAuth/OIDC API endpoints

Developer docs
Features

• Credential requests possible on any event; page load, user activation, etc
• Credentials returned by redirect using GET and URL parameters
• Response_type may be any combination of id_token, access_token, or auth code
• User session management is not supported

Configure response_type:

ID token access token authorization code

Sign in using a button

Sign in using a URL

You will be redirected to OIDC debugger for decoding of the ID token reponse.

User sign-in with the Google Identity Services (GIS) JavaScript library

Developer docs
Features

• Credential requests possible only by user activation
• Credentials returned by: JavaScript callback or redirect with variables in the body of a POST call
• Response_type is always id_token only, access_token and auth code are never returned
• User session management is not supported

Personalized button using popup with JS callback

Revoke

Callback response

User sign-in with the Google Sign-in JavaScript library (Deprecated)

Developer docs
Features

• Credential requests possible on any event; page load, user activation, etc
• Credentials can be returned to the web app running in the browser using a JavaScript callback
• Response_type may be any combination of id_token, access_token, or auth code
• User session management supported by a Google third-party cookie

Sign in button showing session state

Callback response

User sign-in with Google as an IdP using the browser's FedCM APIs

Developer docs
Features

• Credential requests require a user to begin the sign-in flow
• Requires a browser that supports the Federated Credential Management API
• User credentials are returned through an async browser API call
• Response_type is currently an id_token

In this example, Google is configured as the Identity Provider (IdP).
The navigator.credentials.get and IdentityCredential.disconnect browser APIs trigger sign-in and revoke the session between the RP and IdP
without a third-party JavaScript library.



Revoke

Credential response

Understanding consent

User consent is mandatory to share credentials (OIDC and OAuth tokens). Prompts are displayed to the user:

• when they first visit your site, and
• for return visits you may set options to control whether to always or never display a prompt.

Working with sessions

Session state affects account chooser and sign-in behavior, user flows differ when no sessions exist or existing session(s) are found.
To start from a known state with no user sessions:

• Close ALL existing Chrome Incognito windows, terminating any active Google sessions.
• Open a new Chrome Incognito window (Ctrl-Shift-N).

To establish a Google user session:

• Open news.google.com
• Click on 'Sign in' in the upper right hand banner to sign in to a Google Account, establishing a new session.

Selecting user accounts in advance

Hint and hosted domain options allow user accounts to be filtered, resulting in none, one, or simply fewer accounts being displayed to the user. This may decrease duplicate accounts on your platform in cases where users own multiple Google or Workspace accounts.

Using login_hint to suggest a Google account may skip the account chooser

email address (may be the email address configured for: 1) a Google Account or 2) a Workspace Account)
Google Account ID (the value from the sub field of an ID token)
ID token hint (raw, undecoded ID token)

Providing a hosted domain value filters the account chooser, displaying only matching accounts. For example, "*" limits sign-in to the Workspace primary domain, while "ink-42.com" does so for the named Workspace domain

"*" or domain hosted by a Workspace organization (primary or secondary)

Apply settings and Reload

No user prompts are required when:

• Only one active Google account session exists
• login_hint is used when two or more active Google account sessions exist
• User has previously granted consent

Optional additional gestures:

1. Sign-in to a Google account is required when:
• no active Google account session exists
• Google requires reauthentication for security reasons or other factors
2. Account chooser gesture is required when:
• login_hint is not used when two or more active Google account sessions exist
• login_hint is used but a corresponding Google account does not exist
3. Consent is required:
• once for each Google account and application (client id) tuple,
• when site settings optionally call for it,
• when requested scopes do not fully match previously approved scopes