Docs

Add Google as a social connection

You will learn the following:

  • Use Google to authenticate users with OAuth.

Before you start

Enabling OAuth with Google allows your users to sign up and sign in to your Clerk application with their Google account.

Warning

Google sign-in does not allow users to sign in via in-app browsers.

Configure for your development instance

For development instances, Clerk uses preconfigured shared OAuth credentials and redirect URIs—no other configuration is needed.

  1. In the Clerk Dashboard, navigate to the SSO Connections page.
  2. Select Add connection and select For all users.
  3. In the Choose provider dropdown, select Google.
  4. Select Add connection.

Configure for your production instance

For production instances, you must provide custom credentials, which involves generating your own Client ID and Client Secret using your Google Developer account.

To make the setup process easier, it's recommended to keep two browser tabs open: one for your Clerk Dashboard and one for your Google Cloud Console.

Enable Google as a social connection

  1. In the Clerk Dashboard, navigate to the SSO Connections page.
  2. Select Add connection and select For all users.
  3. In the Choose provider dropdown, select Google.
  4. Ensure that both Enable for sign-up and sign-in and Use custom credentials are toggled on.
  5. Save the Redirect URI somewhere secure. Keep this modal and page open.

Create a Google Developer project

  1. Navigate to the Google Cloud Console.
  2. Select a project or create a new one.
  3. If the APIs & Services page isn't already open, open the menu on the left and select APIs & Services.
  4. In the menu on the left, select Credentials.
  5. Select Create Credentials. Then, select OAuth client ID. You may need to configure your OAuth consent screen.
  6. Select the appropriate application type for your project. Most likely, you will choose Web application.
  7. In the Authorized Redirect URIs setting, paste the Redirect URI value you saved from the Clerk Dashboard.
  8. Select Create. Keep this page open.

Set the Client ID and Client Secret in your Clerk Dashboard

Once the OAuth client is created in the Google Cloud Console, a modal will open with your Client ID and Client Secret. Save these values somewhere secure.

Go back to the Clerk Dashboard, where the modal should still be open, and paste these values into the respective fields. Then, select Add connection.

Note

If the modal or page is not still open, navigate to the SSO Connections page in the Clerk Dashboard. Select the Google connection. Under Use custom credentials, you can paste the Client ID and Client Secret into their respective fields.

Test your OAuth

The simplest way to test your OAuth is to visit your Clerk app's Account Portal, which is available for all Clerk apps out-of-the-box.

  1. In the Clerk Dashboard, navigate to the Account Portal page.
  2. Next to the Sign-in URL, select Visit. The URL should resemble:
    • For developmenthttps://your-domain.accounts.dev/sign-in
    • For productionhttps://accounts.your-domain.com/sign-in
  3. Sign in with your Google account.

Warning

Google sign-in does not allow users to sign in via in-app browsers.

Important note about switching to production

Google OAuth apps have a publishing status that determines who can access the app. The publishing status setting can be found within the Google Cloud Platform console on the APIs & Services > OAuth consent screen page. You can only view the publishing status if the User type is set to External.

By default, Google OAuth apps are set to the "Testing" publishing status, which is intended for internal testing before opening connections to your intended audience. It is limited to 100 test users and depending on the requested OAuth scopes, they may need to be explicitly added to your trusted user list to be able to connect.

To switch a Google OAuth app to production, you must set the publishing status to "In production". This involves a verification process with regard to your app name, logo and scopes requested before Google accepts the switch to production.

Make sure that your Clerk production app always uses a corresponding Google OAuth app that is set to the "In Production" publishing status, so that your end users do not encounter any issues using Google as a social connection.

Block email subaddresses

By default, your app will block any Google account with an email address that contains the characters +, = or # from being able to sign up, sign in, or be added to existing accounts.

For a Google organization with the domain example.com, blocking email subaddresses prevents someone with access to user@example.com from signing up with user+alias@example.com. This is a known Google OAuth vulnerability that could allow unauthorized, as Google organization administrators cannot suspend or delete the email alias account. It's recommended to keep this setting enabled for enhanced security.

To configure this setting:

  1. In the Clerk Dashboard, navigate to the SSO Connections page.
  2. Select the Google connection.
  3. Enable or disable Block email subaddresses.

Note

Existing Google accounts with email subaddresses will be blocked by this restriction and will not be able to sign in.

Google One Tap

Google One Tap enables users to sign up or sign in to your Clerk app with the press of a button. After adding Google to your Clerk app as a social connection, you can use the prebuilt <GoogleOneTap /> component to render the One Tap UI in your app. See the <GoogleOneTap /> component reference to learn more.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on