Use Google Sign-In with IT Apps

The following is a checklist of steps to take when using Google Sign-In with work accounts for a custom-developed IT application. If you are developing a mobile app, refer to the best practices for mobile as well.

  1. Include your G Suite domain in your OpenID Connect request so the Google authentication service will only display accounts in that domain. This is done using the hd parameter with the REST endpoint, the hosted_domain parameter with the JavaScript API, the setHostedDomain builder method on Android, and the hostedDomain property on iOS.
  2. When you get an OpenID Connect assertion from Google, double-check that the Google authentication service has confirmed the account is controlled by the administrators of that domain name. This check is done server side by evaluating the hd field in the token and verifying that the domain is the one you expected; the hd parameter in the request (step 1) only filters the account chooser and does not enforce anything on its own. See Authenticate with a backend server for details.
  3. Optional, but strongly recommended: add the application to the allowlist so that your users will not see a confirmation screen when they sign in. This step, combined with the previous steps, ensures that users of your IT application can automatically sign in. To add your app to the allowlist:

    1. From your G Suite domain’s Admin console, go to Main menu > Security > API controls.
    2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
    3. Click Add new.
    4. In the Client ID field, enter the OAuth client ID you registered for the application. A client ID is normally a string of letters and numbers followed by
    5. In the API Scopes field, type the following string: openid,profile,email. If your app needs to request additional scopes to access Google APIs, specify them here as well.
    6. Click Authorize. The authorization will take effect in about 30 minutes.
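The following is an added example illustrating steps 1 and 2 of the checklist above; it is not code from this page or from Google. It builds the OpenID Connect authorization request with the hd parameter for the REST endpoint and then applies the server-side hd check to the decoded ID token payload. The function and parameter names, the client ID "example-client-id", the domain "example.com", and the sample token payloads are all constructed for illustration. It assumes the token signature and expiry have already been verified by a library such as google-auth's id_token.verify_oauth2_token; the claims dictionary passed here is that library's output, and this code only enforces the domain and the related sanity checks.

```python
from urllib.parse import urlencode

# Google's OAuth 2.0 / OpenID Connect authorization endpoint (REST flow).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Google ID tokens carry one of these two issuer values.
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


def build_auth_request(client_id, redirect_uri, hosted_domain, state, nonce):
    """Step 1: include the G Suite domain as the hd parameter.

    hd only narrows the accounts Google shows in its account chooser; it is a
    usability hint, not an access control. state and nonce are per-login
    random values the caller stores in the session for later comparison."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile email",
        "hd": hosted_domain,
        "state": state,
        "nonce": nonce,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def check_id_token_claims(claims, expected_domain, expected_client_id,
                          expected_nonce, now):
    """Step 2: evaluate the hd field in the (signature-verified) ID token.

    Returns (True, subject) when the account belongs to expected_domain and the
    surrounding claims are consistent, otherwise (False, reason). The subject
    ("sub") is Google's stable user identifier and is the value to key local
    accounts on; email addresses can change."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_client_id:
        return False, "token was issued for a different client ID"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (stale or replayed token)"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    # hd is present only for accounts that belong to a G Suite domain. A consumer
    # @gmail.com account (no hd) or an account from another domain fails here,
    # which is exactly the case the hd request hint cannot prevent by itself.
    if claims.get("hd") != expected_domain:
        return False, "account is not controlled by %s" % expected_domain
    if not claims.get("email_verified", False):
        return False, "email address not verified by Google"
    if not claims.get("sub"):
        return False, "token has no subject"
    return True, claims["sub"]


# Constructed sample payloads (not real tokens) standing in for the decoded
# id_token a verification library would return after the redirect.
SAMPLE_DOMAIN_ACCOUNT = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id",
    "sub": "sub-0001",
    "hd": "example.com",
    "email": "alice@example.com",
    "email_verified": True,
    "nonce": "nonce-abc",
    "exp": 1700000000,
}
SAMPLE_CONSUMER_ACCOUNT = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id",
    "sub": "sub-0002",
    "email": "bob@gmail.com",      # no hd claim: not a G Suite domain account
    "email_verified": True,
    "nonce": "nonce-abc",
    "exp": 1700000000,
}


if __name__ == "__main__":
    print(build_auth_request("example-client-id",
                             "https://app.example.com/oidc/callback",
                             "example.com", "state-xyz", "nonce-abc"))
    for payload in (SAMPLE_DOMAIN_ACCOUNT, SAMPLE_CONSUMER_ACCOUNT):
        print(check_id_token_claims(payload, "example.com", "example-client-id",
                                    "nonce-abc", now=1699999000))
```

The consumer-account payload is the case worth noting: a user can pick "Use another account" in Google's chooser and sign in with a personal Gmail account despite the hd hint in the request, so the server-side comparison of the hd claim is the only step that actually restricts the application to the domain's users.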