Overview  |  Authentication  |  Google for Developers (2024)

Sign in with Google helps you to quickly manage user authentication on your website. Users sign into a Google Account, provide their consent, and securely share their profile information with your platform.

Customizable buttons and multiple flows are supported for user sign-up and sign-in.

Sign-up refers to the steps to obtain a Google Account holder's consent to share their profile information with your platform. Typically, a new account is created on your site using this shared data, but this is not a requirement.

Sign-in refers to logging users into your website using their active Google Account with a personalized sign-in button or One Tap and Automatic sign-in for users already logged in to their Google Account.

See the Case Studies for some success stories of Sign In With Google integrations.

You can also use the Google Identity Services authorization API, which lets you obtain an access token for use with Google APIs, or to access user data.

User privacy

Data from Sign in with Google is not used for ads or other non-security purposes.

Use cases

Some of the reasons to add Sign in with Google to your site are:

  • Add a visibly trusted and secure Sign in with Google button to an account creation or settings page.
  • Pre-populate new accounts with consensually shared data from a Google Account profile.
  • Users can sign in once to a Google Account without re-entering usernames or passwords on other sites.
  • On return visits, users can sign in automatically or with one click across an entire site.
  • Use verified Google Accounts to protect comments, voting or forms from abuse, while allowing anonymity.

Supported features

These features are supported by Sign in with Google:

  • Sign up, to optionally create a new account auto-filled from a Google Account profile.
  • Sign in, using an account chooser to select from multiple accounts.
  • Sign in with one tap, if you've already signed in to your Google Account.
  • Sign in automatically, on return visits using your computer, phone or even multiple browser tabs.
  • Sign out, to disable automatic sign-in across all your devices.

Note how account states may affect Sign in with Google:

  • Suspending your Google Account stops sign in to all sites using Sign in with Google.
  • Deleting your Google or partner account affects one, but not the other.

Compare to OAuth and OpenID Connect

OAuth and OpenID Connect are open standards that offer a wide range of configurable options to fine-tune the behavior of authentication and authorization flows. Refer to Google's OAuth documentation for more details.

Sign in with Google offers a single SDK to encompass several related offerings including a personalized button, One Tap, Automatic sign-in, and authorization. It aims to offer an easier and more secure experience for developers than the standard OAuth and OpenID Connect protocols, while providing a more seamless user experience.

  • Sign in with Google is based on OAuth 2.0. The permissions that users granted through Sign in with Google are the same as those that they grant for OAuth, and the other way around.
  • OAuth 2.0 is also the industry-standard protocol for authorization. It provides for a set of endpoints with which relying parties integrate using HTTP.
  • Google Identity Services (GIS) APIs are available in several languages, including JavaScript and HTML, and provide for both authentication and authorization.
  • GIS separates the authentication moment from the authorization moment. In the authentication moment, a quick integration can be achieved by just integrating some UI elements into your website, such as the personalized button, One Tap, and automatic sign-in. These UI elements provide a consistent authentication UX across all third party websites. In the authorization moment, GIS triggers OAuth flows to return tokens for data access on behalf of the user.
  • GIS authentication makes integration with relying parties easier, and reduces most of the OAuth and security knowledge burden on developers. You don't need to choose from various approaches to obtain access tokens or authorization code, or risk the consequences of choosing the wrong approach. While the OAuth 2.0 protocol exposes many details such as the request and response parameters of the HTTP endpoints, GIS handles these implementation details for you. Also, GIS includes some security implementations for Cross-Site Request Forgery (CSRF) protection by default.
  • With the HTML API and Code Generator, GIS authentication lowers the bar for relying party integration even further. You don't need a JavaScript developer to generate the code. This reduces the level of OAuth experience required as well as time to implement.
  • The GIS authorization UX is fully based on OAuth UX. However, the GIS JavaScript library adds some restrictions for easier and safer relying party integration.
  • GIS also provides some features beyond the OAuth protocol. For example, it integrates Password Credential Manager API and Federated Credential Manager API.

With Google Identity Services, developers can use a dedicated and integrated service to help their users to sign in to the developer's website and apps with whatever login credentials the user chooses. The mission of GIS is to support and streamline the UX for multiple types of credentials, to lower the technical bar for the relying party integration.

Federated Credential Manager (FedCM)

As part of the Privacy Sandbox initiative, Chrome is phasing out support for third-party cookies. GIS integrates the FedCM API, which is a new privacy-preserving alternative to third-party cookies for federated identity providers. GIS begins a migration of all websites to FedCM on the Chrome browser in April 2024.

Separated authentication and authorization moments

To obtain an access token for use with Google APIs, or to access user data, you need to call the Google Identity Services authorization API. It's a separate JavaScript API, but packaged together with the authentication API.

If your website needs to call both authentication and authorization APIs, you need to call them separately at different moments. At the authentication moment, your website can integrate with One Tap, automatic sign-in and the Sign In with Google button to allow users to sign in or sign up to your website. At a later time, when accessing data from Google is required, you call the authorization API to ask for the consent and get access tokens for data access. This separation complies with our recommended incremental authorization best practice, in which the permissions are requested in context.

To enforce this separation, the authentication API can only return ID tokens which are used to sign in to your website, whereas the authorization API can only return code or access tokens which are used only for data access but not sign-in.
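
A relying party can enforce the same separation on its own sign-in endpoint by accepting only a signed ID token issued for its client ID and refusing anything else, such as an access token or authorization code. The following Node.js check is an added example, not Google's code: the client ID is a placeholder, and the locally generated key pair and the `mintSample` helper are constructed stand-ins for Google's signing keys, which a real deployment obtains from Google's published key set.

```javascript
// Added example (not Google's code): server-side check for a sign-in endpoint.
const crypto = require('node:crypto');

const CLIENT_ID = 'example-client-id.apps.googleusercontent.com'; // placeholder client ID
const ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];
const b64u = (v) => Buffer.from(v).toString('base64url');

// Constructed key pair so the example runs offline; it stands in for the
// issuer's signing key and is an assumption of this example.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical helper: mints constructed sample tokens for the checks below.
function mintSample(claims, header = { alg: 'RS256', typ: 'JWT' }, key = privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = header.alg === 'RS256'
    ? crypto.sign('RSA-SHA256', Buffer.from(input), key)
    : Buffer.alloc(0); // unsigned token, used only to show it is rejected
  return `${input}.${sig.toString('base64url')}`;
}

// Returns { ok: true, sub, email } or { ok: false, reason }.
function verifySignInCredential(credential, key = publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(credential).split('.');
  // Opaque access tokens and authorization codes are not three-part JWTs.
  if (parts.length !== 3) return { ok: false, reason: 'not a JWT' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed JWT' };
  }
  // Pin the algorithm before verifying; never trust the header to choose it.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const valid = crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  // Claims are trusted only after the signature has been checked.
  if (!ISSUERS.includes(claims?.iss)) return { ok: false, reason: 'wrong issuer' };
  if (claims.aud !== CLIENT_ID) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, sub: claims.sub, email: claims.email };
}
```

Key the local account on the returned `sub` value rather than the email address, since `sub` is the stable identifier for the Google Account.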

Thanks to this separation, users have consistent authentication experiences across different websites, which may increase user trust and usage, and result in better user conversion rates on your website. Also, due to this separation, Google Identity Services reduces the level of OAuth experience required and time to implement for authentication developers.

Author: Sen. Emmett Berge
