Skip to main content
Docs

Add Google as a social connection

You will learn the following:

  • Use Google to authenticate users with OAuth

Before you start

Enabling OAuth with Google allows your users to sign up and sign in to your Clerk application with their Google account.

Warning

Google OAuth 2.0 does not allow apps to use WebViews for authentication. See the dedicated Google blog post for more information. If your app requires users to sign in via in-app browsers, follow the setup instructions in the Google Help guide.

Configure for your development instance

For development instances, Clerk uses preconfigured shared OAuth credentials and redirect URIs—no other configuration is needed.

  1. In the Clerk Dashboard, navigate to the SSO connections page.
  2. Select Add connection and select For all users.
  3. In the Choose provider dropdown, select Google.
  4. Select Add connection.

Configure for your production instance

For production instances, you must provide custom credentials.

To make the setup process easier, it's recommended to keep two browser tabs open: one for the Clerk Dashboard and one for your Google Cloud Console.

Enable Google as a social connection

  1. In the Clerk Dashboard, navigate to the SSO connections page.
  2. Select Add connection and select For all users.
  3. In the Choose provider dropdown, select Google.
  4. Ensure that both Enable for sign-up and sign-in and Use custom credentials are toggled on.
  5. Save the Authorized Redirect URI somewhere secure. Keep this modal and page open.

Create a Google Developer project

  1. Navigate to the Google Cloud Console.
  2. Select a project or create a new one. You'll be redirected to your project's Dashboard page.
  3. In the top-left, select the menu icon () and select APIs & Services. Then, select Credentials.
  4. Next to Credentials, select Create Credentials. Then, select OAuth client ID. You might need to configure your OAuth consent screen. Otherwise, you'll be redirected to the Create OAuth client ID page.
  5. Select the appropriate application type for your project. In most cases, it's Web application.
  6. In the Authorized Redirect URIs setting, paste the Authorized Redirect URI value you saved from the Clerk Dashboard.
  7. Select Create. A modal will open with your Client ID and Client Secret. Save these values somewhere secure.

Set the Client ID and Client Secret in the Clerk Dashboard

  1. Navigate back to the Clerk Dashboard where the modal should still be open. Paste the Client ID and Client Secret values that you saved into the respective fields.
  2. Select Add connection.

Note

If the modal or page is no longer open, navigate to the SSO connections page in the Clerk Dashboard. Select the connection. Under Use custom credentials, paste the values into their respective fields.

Test your connection

The simplest way to test your connection is to visit your Clerk app's Account Portal, which is available for all Clerk apps out-of-the-box.

  1. In the Clerk Dashboard, navigate to the Account Portal page.
  2. Next to the Sign-in URL, select Visit. The URL should resemble:
  • For developmenthttps://your-domain.accounts.dev/sign-in
  • For productionhttps://accounts.your-domain.com/sign-in
  1. Sign in with your connection's credentials.

Warning

Google sign-in does not allow users to sign in via in-app browsers.

Important note about switching to production

Google OAuth apps have a publishing status that determines who can access the app. The publishing status setting can be found in the Google Cloud Platform console on the APIs & Services > OAuth consent screen page. You can only view the publishing status if the User type is set to External.

By default, Google OAuth apps are set to the "Testing" publishing status, which is intended for internal testing before opening connections to your intended audience. It's limited to 100 test users and depending on the requested OAuth scopes, they might need to be explicitly added to your trusted user list to be able to connect.

To switch a Google OAuth app to production, you must set the publishing status to "In production". This involves a verification process with regard to your app name, logo, and scopes requested before Google accepts the switch to production.

Ensure that your Clerk production app always uses a corresponding Google OAuth app that is set to the "In production" publishing status, so your end users don't encounter any issues using Google as a social connection.

Block email subaddresses

By default, your app will block any Google account with an email address that contains the characters +, = or # from being able to sign up, sign in, or be added to existing accounts.

For a Google organization with the domain example.com, blocking email subaddresses prevents someone with access to user@example.com from signing up with user+alias@example.com. This is a known Google OAuth vulnerability that could allow unauthorized, as Google organization administrators cannot suspend or delete the email alias account. It's recommended to keep this setting enabled for enhanced security.

To configure this setting:

  1. In the Clerk Dashboard, navigate to the SSO connections page.
  2. Select the Google connection.
  3. Enable or disable Block email subaddresses.

Note

Existing Google accounts with email subaddresses will be blocked by this restriction and won't be able to sign in.

Google One Tap

Google One Tap enables users to sign up or sign in to your Clerk app with the press of a button. After adding Google to your Clerk app as a social connection, you can use the prebuilt <GoogleOneTap /> component to render the One Tap UI in your app. See the <GoogleOneTap /> component reference to learn more.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on