Configure Google provider for sign in with Google


This article walks you through creating a Google Cloud project, configuring Google OAuth, and integrating it with Next Identity providers so that users can sign in to your website via Next Identity using their Google credentials.

Prerequisites

  • A Google account (personal or workspace)

  • Access to your website's domain and hosting

  • Basic understanding of OAuth 2.0 redirect flows

  • Access to Next Identity Console with permission to set up providers

Step 1: Access Google Cloud Console

1. Go to the Google Cloud Console

2. Sign in with your Google account

3. Accept the Terms of Service if prompted

Step 2: Create a New Project

1. Click the Select project dropdown at the top of the page (next to "Google Cloud")

2. Click New Project in the dialog that appears

3. Fill in the project details:

  • Project Name: Choose a descriptive name (e.g., "My Website Authentication")

  • Organization: Select if applicable (optional)

  • Location: Select if applicable (optional)

4. Click Create

5. Wait for the project to be created (this may take a few moments)

6. Select your new project from the project dropdown

Step 3: Enable Google+ API (Optional but Recommended)

While not strictly required for basic authentication, enabling this API allows you to retrieve additional user profile information.

1. In the left sidebar, navigate to APIs & Services > Library

2. Search for Google+ API

3. Click on Google+ API in the results

4. Click Enable

Step 4: Configure OAuth Consent Screen

Before creating credentials, you must configure the OAuth consent screen that users will see when signing in.

1. Navigate to APIs & Services > OAuth consent screen

If you have not configured the project yet, you may be asked to fill in the following project configuration before proceeding:

Fill in App Information

  • App name: The name users will see (e.g., "My Website")

  • User support email: Select your email from the dropdown

Click next and fill in Audience

  • Internal: Only for Google Workspace users within your organization

  • External: For any Google account user (choose this for public websites)

Click next and fill in Contact information

  • Email Addresses: These will be used to contact you about changes to your application.

Click finish

2. Once the screen refreshes, you will see a project overview page showing some configuration options. Choose Branding and fill out the following:

App Information (this will be filled in based on the project info you entered before)

  • App name: The name users will see (e.g., "My Website")

  • User support email: Select your email from the dropdown

App Logo:

  • App logo: This is displayed on the OAuth consent screen

App Domain:

  • Application home page: Your website URL (e.g., https://yourdomain.com)

  • Application privacy policy link: URL to your privacy policy (required)

  • Application terms of service link: URL to your terms (optional, recommended)

Authorized Domains:

  • Add your website's domain (e.g., yourdomain.com)

  • Do not include http://, https://, or paths

  • Click Add Domain

Developer Contact Information (this will already be filled in based on your project info from earlier):

  • Enter or confirm your email address

3. Click Save

Configure Scopes

1. Click Configure Data Access in the menu bar on the left.

2. Click Add or Remove Scopes

3. Select the following scopes (these are typically sufficient for authentication):

  • ./auth/userinfo.email - See your primary Google Account email address

  • ./auth/userinfo.profile - See your personal info, including any personal info you've made publicly available

  • openid - Associate you with your personal info on Google

4. Click Update

5. Click Save

Add Test Users (for Testing Phase)

If your app is in Testing mode, only test users can access it:

1. Click Audience in the left menu bar.

2. Scroll down and click Add Users

3. Enter email addresses of users who should be able to test (including your own)

4. Click Save

Step 5: Create OAuth Client Credentials

1. Navigate to APIs & Services > Credentials

2. Click Create Credentials at the top

3. Select OAuth client ID

4. Configure the OAuth client:

  • Application type: Select Web application

  • Name: Give it a descriptive name (e.g., "Web Client for My Website")

Authorized JavaScript Origins

These are the domains where the OAuth request can originate:

  • Click Add URI

  • Add your website URLs (e.g., https://yourdomain.com)

  • For testing, you can also add http://localhost:3000 or your local development URL

  • Important: Do not include trailing slashes

Authorized Redirect URIs

These are the callback URLs where Google will send the authentication response:

  • Click Add URI

  • Add the Next Identity callback URL provided in your Next Identity Console (step 7)

  • It will look similar to: https://xxxxxx-dev.id.eu.nextreason.com/social/callback

  • For testing, you can also add your local development callback URL

  • Important: URLs must match exactly, including protocol and path

5. Click Create

6. A dialog will appear with your credentials - please download the credentials or save them securely as you will not be able to access them once the dialog box is closed:

  • Client ID: Your application's unique identifier

  • Client Secret: Your application's secret key

7. Click OK

Step 6: Configure Publishing Status

Your app starts in Testing mode, which limits access to users you've explicitly added.

Testing Mode

  • Only accessible by test users you've added

  • Use this for initial integration testing

  • No user limit, but requires manual user addition

Moving to Production

When ready for public use:

1. Navigate to APIs & Services > OAuth consent screen

2. Click Publish App

3. Review the confirmation dialog

4. Click Confirm

Note: If you're requesting sensitive or restricted scopes, you may need to go through Google's verification process. For basic email and profile scopes, verification is typically not required.

Step 7: Connect to Next Identity

Now that your Google credentials are configured, you'll connect them to Next Identity so your users can sign in with Google.

Required Information

From your Google Cloud Console (APIs & Services > Credentials), you'll need:

  • Client ID: Your OAuth client's unique identifier

  • Client Secret: Your OAuth client's secret key

Next Identity Console Google Social Provider Configuration

1. Log in to Next Identity as an administrator

2. Navigate to your application's social login settings by going to the side navigation bar and choosing Integrations, then scroll down to the Social Providers section

3. Select Add Social Authentication Provider

4. Select Google as a social identity provider

5. Enter a Name and Description for this social connection (for your reference only, this does not have to match any Google app names or Identifiers)

6. Enter your Google credentials:

  • Client ID: Paste from Google Cloud Console

  • Client Secret: Paste from Google Cloud Console

7. Click Save to save and close the configuration modal

8. Once you are back at the landing screen, to use this Google integration for your environments, choose the three dots next to that Google integration and choose Set as Default. Then select the environments it should be the default Google integration for and select Apply.

9. The configuration modal for setting the Google configuration as the default for your environments also shows the recommended callback URL to configure within the Google configuration. You may need to log back in to the Google developer dashboard and add it.

Next Identity Console Add Sign in with Google to a Journey

1. Log in to Next Identity as an administrator

2. Navigate to your desired journey by going to the side navigation bar and choosing Journeys.

3. From the Journeys landing page, find the journey you want to add social authentication for, select the three dots to display the menu, and select Edit to open the Journeys builder.

4. On the Journeys builder screen, select the edit icon for the login card.

5. In the configure login modal that pops up, scroll to the social authentication options. If Google has been correctly configured, you should see a toggle to turn it on.

6. Toggle Google on

7. Click Save Changes in that modal; you will be taken back to the Journeys builder screen.

8. Click Save in Development on the Journeys builder screen.

9. Review the changes in the pop-up modal and, if everything looks good and you can see that the Google social sign-in has been turned on, select Save Journey.

Important Note on Redirect URIs

Next Identity handles the OAuth redirect flow for you. When configuring your OAuth client credentials and redirect URLs (Step 5), you must use the callback URL provided by Next Identity, which might look something like:

https://xxxxxx-dev.id.eu.nextreason.com/social/callback

Your Next Identity administrator console will display the exact redirect URI you need to add to the Google configuration.

Security Best Practices

  • Use HTTPS for all redirect URIs in production (HTTP only for localhost development)

  • Regularly review which users have access in Testing mode

  • Keep your authorized domains list minimal and specific
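The rules above, together with the origin and copy/paste rules from Step 5 and the troubleshooting section, can be checked automatically against the credentials file downloaded in Step 5. This is an added example, not Next Identity or Google code; it assumes the download uses a top-level "web" object with client_id, client_secret, redirect_uris and javascript_origins, and every value in the sample is a constructed placeholder.

```python
import json
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in the assumed layout of the downloaded client file.
# The client_secret deliberately ends in a stray space.
SAMPLE_CLIENT_JSON = """
{"web": {
  "client_id": "PLACEHOLDER.apps.googleusercontent.com",
  "client_secret": "PLACEHOLDER ",
  "redirect_uris": [
    "https://xxxxxx-dev.id.eu.nextreason.com/social/callback",
    "http://yourdomain.com/callback",
    "http://localhost:3000/callback"
  ],
  "javascript_origins": ["https://yourdomain.com/", "http://localhost:3000"]
}}
"""


def lint_client(raw_json):
    """Return (item, finding) pairs; an empty list means no rule was broken."""
    web = json.loads(raw_json)["web"]
    findings = []
    # Stray whitespace from copy/paste is a common cause of invalid_client.
    # Only the field name is reported, never the secret itself.
    for field in ("client_id", "client_secret"):
        value = web.get(field, "")
        if value != value.strip():
            findings.append((field, "leading or trailing whitespace"))
    for uri in web.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            findings.append((uri, "redirect URI uses HTTP outside localhost"))
    for origin in web.get("javascript_origins", []):
        parts = urlsplit(origin)
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            findings.append((origin, "origin uses HTTP outside localhost"))
        if parts.path or parts.query or parts.fragment:
            findings.append((origin, "origin has a trailing slash or path"))
    return findings


if __name__ == "__main__":
    for item, finding in lint_client(SAMPLE_CLIENT_JSON):
        print(f"{item}: {finding}")
```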

Testing Your Integration

1. Ensure your Google OAuth app is configured with test users (if in Testing mode)

2. In the Next Identity Console, enable Google login for your application

3. Test the complete login flow:

  • Navigate to your application's login page

  • Click "Sign in with Google"

  • Authorize the app (select your Google account)

  • Verify you're successfully authenticated and redirected back

4. Verify user profile data is correctly synced to Next Identity

5. Test error scenarios:

  • User cancels the authorization

  • Test with a user not added to test users (should see error)

  • Test with incorrect redirect URI configuration

Common Issues and Solutions

"Error 400: redirect_uri_mismatch"

  • The redirect URI in the request doesn't match any authorized redirect URIs

  • Check that the URI in Google Cloud Console exactly matches what Next Identity is using

  • Ensure there are no trailing slashes or missing paths

  • Verify you're using HTTPS (not HTTP) in production
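To find which part of the URI is off, copy the authorization URL from the browser's address bar when the error appears and compare its redirect_uri parameter with the registered list. The following is an added example, not part of Next Identity or Google tooling; the request URL, the placeholder client_id and the registered list are constructed sample values.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample values; the client_id is a placeholder.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER"
    "&response_type=code&scope=openid%20email%20profile&redirect_uri="
    "http%3A%2F%2Fxxxxxx-dev.id.eu.nextreason.com%2Fsocial%2Fcallback%2F"
)
REGISTERED = [
    "https://xxxxxx-dev.id.eu.nextreason.com/social/callback",
    "http://localhost:3000/callback",
]


def component_diffs(sent, registered):
    """List the URL components in which two redirect URIs differ."""
    s, r = urlsplit(sent), urlsplit(registered)
    diffs = []
    if s.scheme != r.scheme:
        diffs.append(f"scheme: sent {s.scheme}, registered {r.scheme}")
    if s.hostname != r.hostname:
        diffs.append(f"host: sent {s.hostname}, registered {r.hostname}")
    if s.port != r.port:
        diffs.append(f"port: sent {s.port}, registered {r.port}")
    if s.path != r.path:
        slash_only = s.path.rstrip("/") == r.path.rstrip("/")
        detail = "trailing slash differs" if slash_only else f"sent {s.path}, registered {r.path}"
        diffs.append(f"path: {detail}")
    return diffs or ["other: letter case, query or fragment differs"]


def explain_mismatch(auth_url, registered_uris):
    """Return (closest registered URI, diffs); diffs is [] on an exact match."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri")
    if not values:
        return None, ["request carries no redirect_uri parameter"]
    sent = values[0]
    if sent in registered_uris:  # the match is an exact string comparison
        return sent, []
    if not registered_uris:
        return None, ["no redirect URIs are registered"]
    closest = min(registered_uris, key=lambda reg: len(component_diffs(sent, reg)))
    return closest, component_diffs(sent, closest)


if __name__ == "__main__":
    uri, diffs = explain_mismatch(SAMPLE_AUTH_URL, REGISTERED)
    print("closest registered URI:", uri)
    for d in diffs:
        print(" -", d)
```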

"Access blocked: This app's request is invalid"

  • Your OAuth consent screen configuration may be incomplete

  • Verify all required fields are filled in the consent screen

  • Check that authorized domains are correctly configured

"Access blocked: Authorization Error"

  • User is not added as a test user (if app is in Testing mode)

  • Add the user's email in OAuth consent screen > Test users

  • Or publish the app to production if ready

"Error 401: invalid_client"

  • Client ID or Client Secret is incorrect

  • Verify you're using the correct credentials from Google Cloud Console

  • Check for extra spaces when copy/pasting credentials

Users see "This app isn't verified" warning

  • This is normal for apps in Testing mode or those not yet verified

  • During testing, users can click "Advanced" then "Go to [App Name] (unsafe)"

  • For production, consider going through Google's verification process

  • For basic scopes (email, profile), verification is typically not required

Cannot find OAuth consent screen settings

  • Make sure you've selected the correct project in Google Cloud Console

  • Check the project dropdown at the top of the page

Understanding OAuth Scopes

The scopes you configure determine what user information your application can access:

Standard Scopes (No Verification Required)

  • openid - Required for OpenID Connect authentication

  • email - Access to user's email address

  • profile - Access to basic profile info (name, picture, etc.)

Additional Scopes (May Require Verification)

If you need access to Google services beyond basic authentication (Calendar, Drive, etc.), you'll need:

  • To request additional scopes in your OAuth consent screen

  • Potentially go through Google's verification process

  • Provide justification for why you need each scope

For most authentication use cases with Next Identity, the standard scopes are sufficient.

Next Steps

  • Test Google sign-in with your application through Next Identity

  • Consider adding other social login providers through Next Identity
