Google OAuth2 Configuration :: Idealogic Documentation

1. Overview

This guide explains how to configure the Registration Portal to authenticate users via Google OAuth2/OIDC. Google uses standard OIDC with discovery, making it straightforward to configure.

2. Prerequisites

Access to the Google Cloud Console
A Google Cloud project
OAuth consent screen configured

3. Google Cloud Setup

3.1. OAuth Consent Screen

Navigate to APIs & Services > OAuth consent screen
Select External user type (for public-facing registration)
Fill in the required fields:
- App name: e.g., "Event Registration"
- User support email
- Developer contact information
Add scopes: openid, profile, email
If needed, add test users during development

3.2. OAuth2 Client Credentials

Navigate to APIs & Services > Credentials
Click + Create Credentials > OAuth client ID
Configure:

Field Value

Field	Value
Application type	Web application
Name	e.g., "Registration Portal"
Authorized redirect URIs	`https://<tenant-domain>/login/oauth2/code/google`

Application type

Web application

Name

e.g., "Registration Portal"

Authorized redirect URIs

https://<tenant-domain>/login/oauth2/code/google

Each tenant domain requires its own redirect URI entry. For example:

Note the Client ID and Client Secret

Google has a limit on the number of redirect URIs per OAuth client. For large numbers of tenants, consider using a single shared domain with tenant resolution via subdomains, or create multiple OAuth clients.

4. Registration Portal Configuration

Create a TenantIdentityProvider record with the following values:

Field Value

Field	Value
`provider_type`	`GOOGLE`
`display_name`	"Sign in with Google"
`client_id`	OAuth2 Client ID from Google Cloud Console
`client_secret`	OAuth2 Client Secret (encrypted at rest)
`issuer_uri`	`https://accounts.google.com`
`scopes`	`openid,profile,email`
`user_name_attribute`	`sub`
`enabled`	`true`

provider_type

GOOGLE

display_name

"Sign in with Google"

client_id

OAuth2 Client ID from Google Cloud Console

client_secret

OAuth2 Client Secret (encrypted at rest)

issuer_uri

https://accounts.google.com

scopes

openid,profile,email

user_name_attribute

sub

enabled

true

Google supports OIDC Discovery at https://accounts.google.com/.well-known/openid-configuration, so only the issuer_uri is needed — all endpoint URIs are auto-discovered.

5. Platform-Wide Client ID

Google OAuth2 typically uses a single platform-wide client ID shared across all tenants. Each tenant that enables Google will have the same client_id and client_secret in their TenantIdentityProvider record.

This means:

One Google Cloud OAuth2 client serves all tenants
All tenant domains must be registered as redirect URIs in that single client
The sub claim from Google is globally unique and stable

6. Google-Specific Behaviour

Characteristic Detail

Characteristic	Detail
OIDC Compliance	Full OIDC with Discovery
Token Type	JWT ID token + opaque access token
Subject Identifier	Numeric string, globally unique, stable
Email Verified	`email_verified` claim indicates if Google has verified the email
Profile Picture	`picture` claim provides avatar URL
PKCE	Supported and recommended

OIDC Compliance

Full OIDC with Discovery

Token Type

JWT ID token + opaque access token

Subject Identifier

Numeric string, globally unique, stable

Email Verified

email_verified claim indicates if Google has verified the email

Profile Picture

picture claim provides avatar URL

PKCE

Supported and recommended

Google OAuth2 Configuration