Skip to main content

Google

First off - you will need a Google Developer account. Go to Google Cloud Console to create one.

Follow these steps to add Google as a social sign-in provider for your Ory Cloud project.

  1. Sign in to Ory Cloud Console and select Social Sign-in.
  2. Click the switch next to the Google logo to start the configuration.
  3. Copy the Redirect URI.
  4. Set up OAuth2 in Google Cloud Console. Refer to Google's guide or follow these steps:
    • Select a project from the project dropdown, or create a new one.
    • If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
    • On the left, click Credentials.
    • Click Create Credentials, then select OAuth client ID.
    • Set the application type and name your application.
    • Further down the form, click Add URI and paste the Redirect URI you copied from Ory Console.
    • Click Create.
  5. Copy the Client ID and Client Secret to Ory Console.
  6. Click Save Configuration to enable Google as a social sign-in provider.
note

The Scopes and Data mapping fields are optional - you don't have to configure them to start using the social sign-in provider.

Additional configuration

When adding a social sign-in provider, you can customize the integration by defining the OAuth scopes Ory requests from the provider and by setting up custom data mappings.

Scopes

The Scopes section allows you to define the OAuth scopes Ory requests from the sign-in provider. Defining scopes allows you to interact with the provider's APIs on behalf of the user, or to access additional user data, which is exposed as claims for data mapping.

Leave this field blank to use the default scopes.

To learn more about the scopes available for Google, read the related documentation.

Data Mapping

The Data Mapping section allows you to map the data returned by the sign-in provider to traits as defined in the identity schema. While optional, we highly recommend you add it. The user experience will be worse if left blank, as a user will have to supply their email address through an additional custom step after completing the OAuth flow.

To define the mapping, create a Jsonnet code snippet. Read the OpenID Connect and OAuth2 Credentials documentation for more details.

In this sample Jsonnet snippet, the user's email, given_name and family_name properties as specified with Google, are mapped to the email, first_name and last_name properties of an identity schema.

local claims = {
  email_verified: true
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
      first_name: claims.given_name,
      last_name: claims.family_name,
      // See note below for information about `hd`
      [if "hd" in claims && claims.email_verified then "hd" else null]: claims.hd,
    },
  },
}

hd is the hosted G Suite domain of the user, provided only if the user belongs to a hosted domain. For a given email account with a custom domain example.com - user1@example.com would produce example.com in the hd claim.

For more information on the ID payload returend by Google, have a look at their documentation.

warning

Don't save secrets such as API keys, credentials, or PII directly in Jsonnet code snippets.
Jsonnet code snippets used for data mapping aren't stored in an encrypted format in Ory Cloud .