Configure a Google identity provider

The Google identity provider is an OpenID Connect provider with a simplified configuration. It offers the same features as a generic OpenID Connect identity provider, such as single sign-on and mappers.

Configuration

To configure Google authentication, follow the steps to configure an identity provider, using the properties listed in the table below for reference.

General

Property Definition

Redirect URI

URI indicating where the identity provider should redirect after authentication.

Client ID

Identifier for the client registered with the identity provider.

Client secret

Secret key registered with the identity provider.

Display order

Number defining the order in which providers appear on the login page. The provider with the lowest number is listed first.

Hosted domain

When logging in with Google, the platform sets the hd query parameter so that Google only displays accounts from this domain. The platform also validates that the returned identity token carries a claim for this domain. Entering * allows any hosted account. Supports a comma-separated list of domains.

Use userIp param

If enabled, sets the userIp query parameter for invoking Google’s user info service. Uses the user’s IP address. Useful if Google is throttling access to the user info service.

Request refresh token

If enabled, sets the access_type query parameter to offline when redirecting to Google’s authorization endpoint to receive a refresh token. Useful if planning to use Token Exchange to retrieve a Google token for accessing Google APIs without user browser interaction.

Advanced

Property Definition

Scopes

Scopes requested for authorization. Supports a space-separated list of scopes. Defaults to openid.

Sync mode

Strategy for updating user information from the identity provider through mappers. Possible values are:

  • Force: updates user data when possible.

  • Import: imports user data without updating it afterwards.

Verify essential claim

If enabled, ID tokens issued by the identity provider must have a specific claim for the user to authenticate through this broker.

Essential claim

Only available if Verify essential claim is enabled.
Name of the JWT token claim to filter (case sensitive).

Essential claim value

Only available if Verify essential claim is enabled.
Value of the JWT token claim to match. Supports regular expressions.
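As an added example that is not the platform's own code, the following Python script applies the two token checks described above, the Hosted domain rule and the essential claim rule, to a decoded ID token payload; the function names, the full-match semantics of the regular expression and the case-insensitive domain comparison are assumptions, and the payloads are constructed samples.

```python
import re
from typing import Optional


def hosted_domain_ok(claims: dict, hosted_domain: Optional[str]) -> bool:
    """Apply the Hosted domain rule to the decoded payload of a Google ID token.

    hosted_domain is the raw setting value: a comma-separated list of domains,
    '*' for any hosted account, or None/empty when the check is not configured.
    Google only sets the hd claim for hosted (Google Workspace) accounts, so a
    consumer account has no hd claim and fails closed whenever a domain is set.
    """
    if not hosted_domain:
        return True  # check not configured
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        return False  # no hd claim: not a hosted account, reject
    allowed = {d.strip().lower() for d in hosted_domain.split(",") if d.strip()}
    if "*" in allowed:
        return True  # any hosted account is acceptable
    # Assumption: domain comparison is case-insensitive, as DNS names are.
    return hd.lower() in allowed


def essential_claim_ok(claims: dict, name: Optional[str],
                       pattern: Optional[str]) -> bool:
    """Apply the Verify essential claim rule: the claim name is case sensitive
    and the configured value is a regular expression.

    Assumption: the expression must match the whole claim value (re.fullmatch),
    so 'admin.*' accepts 'admins' but not 'xadmins'.
    """
    if name is None:
        return True  # verification not enabled
    value = claims.get(name)
    if value is None:
        return False  # required claim missing: reject the token
    return re.fullmatch(pattern or "", str(value)) is not None


# Constructed sample payloads (not real tokens): a hosted account and a
# consumer account that lacks the hd claim.
WORKSPACE = {"iss": "https://accounts.google.com", "hd": "example.com",
             "email": "alice@example.com", "groups": "admins"}
CONSUMER = {"iss": "https://accounts.google.com", "email": "bob@gmail.com"}

if __name__ == "__main__":
    print(hosted_domain_ok(WORKSPACE, "example.com"), hosted_domain_ok(CONSUMER, "*"))
```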

Store tokens

If enabled, the platform stores tokens from the identity provider.

Accepts prompt=none forward from client

If enabled, when a client sends a prompt=none request while not authenticated, the error is not directly returned to the client. Instead, the request is forwarded to the identity provider.

Disable user info

If enabled, the user info service for obtaining additional user information is disabled. By default, the platform calls the OpenID Connect user info service.

Trust email

If enabled, email addresses provided by this identity provider are treated as verified, so the platform does not verify them itself.

Mappers

Mappers are generic for all identity provider types.

For more information, see Configure mappers.