Before you add Sign In With Google, One Tap, or Automatic sign-in to your website setup your OAuth configuration and optionally configure your site Content Security Policy.
Get your Google API client ID
To enable Sign In With Google on your website, you first need to set up your Google API client ID. To do so, complete the following steps:
- Open the Credentials page of the Google APIs console.
- Create or select a Google APIs project. If you already have a project for the Sign In With Google button or Google One Tap, use the existing project and the web client ID. When creating production applications, multiple projects may be necessary, the remaining steps will be repeated for each project you manage.
- Click Create credentials > OAuth client ID and for Application type select Web application to create a new client ID. To use an existing client ID select one of type Web application.
Configure your OAuth Consent Screen
Both Sign In With Google and One Tap authentication include a consent screen which tells users the application requesting access to their data, what kind of data they are asked for and the terms that apply.
- Open the OAuth consent screen page of the Google APIs console.
- If prompted, select the project you just created.
On the "OAuth consent screen" page, fill out the form and click the “Save” button.
Application name: The name of the application asking for consent. The name should accurately reflect your application and be consistent with the application name users see elsewhere. The application name will be shown on the One-tap dialog window.
Application logo: An image on the consent screen that will help users recognize your app. The logo is shown on Sign In With Google consent screen and on account settings, whereas it’s not shown on One Tap dialog.
Support email: Shown on the consent screen for user support and to G Suite administrators evaluating access to your application for their users. This email address will be shown to users on the Sign In With Google consent screen when the user clicks the application name.
Scopes for Google APIs: Scopes allow your application to access your user's private Google data. For the authentication, default scope (email, profile, openid) is sufficient, you don't need to add any sensitive scopes. It is generally a best practice to request scopes incrementally, at the time access is required, rather than up front. Learn more.
Authorized domains: To protect you and your users, Google only allows applications that authenticate using OAuth to use Authorized Domains. Your applications' links must be hosted on Authorized Domains. Learn more.
Application Homepage link: Shown on Sign In With Google consent screen and One-Tap GDPR compliant disclaimer information under the “Continue as” button. Must be hosted on an Authorized Domain.
Application Terms of Service link (Optional): Shown on Sign In With Google consent screen and One-Tap GDPR compliant disclaimer information under the “Continue as” button. Must be hosted on an Authorized Domain.
Figure 1. OAuth Consent Screen fields shown on One Tap UI
Check "Verification Status", if your application needs verification then click the "Submit For Verification" button to submit your application for verification. Refer to OAuth verification requirements for details.
Content Security Policy
While optional, a Content Security Policy is recommended to secure your app and prevent cross-site scripting (XSS) attacks. To learn more, see an Introduction to CSP and CSP and XSS.
Your Content Security Policy might include one or more directives, such as
If your CSP includes the:
https://accounts.google.com/gsi/to allow a page to load the parent URL for Google Identity Services server-side endpoints.
https://accounts.google.com/gsi/to allow the parent URL of the One Tap and Sign In With Google button iframes.
https://accounts.google.com/gsi/styleto allow the URL of the Google Identity Services Stylesheets.
Avoid listing individual GIS URLs when using
connect-src. This helps minimize
failures when GIS is updated. For example, instead of adding
https://accounts.google.com/gsi/status use the GIS parent URL
This example response header allows Google Identity Services to load and execute successfully:
Content-Security-Policy-Report-Only: script-src https://accounts.google.com/gsi/client; frame-src https://accounts.google.com/gsi/; connect-src https://accounts.google.com/gsi/;
Cross Origin Opener Policy
To allow Sign In With Google button and/or Google One Tap to function well with
popup windows, you must not set the HTTP
response header to
same-origin, which will break the communication between
the windows and lead to a blank popup window
or similar bugs.
same-origin-allow-popups value is recommended for the
Cross-Origin-Opener-Policy header on pages where Sign In With Google button
and/or Google One Tap are displayed.