Google Authentication

On this page

Overview

Set Up a Project in the Google API Console
Create a Project in the Google API Console
Generate OAuth Client Credentials
Configure the Google Authentication Provider
Configure in App Services
Examples

Atlas Device Sync, Atlas Edge Server, Data API, and HTTPS Endpoints are deprecated. Refer to the deprecation page for details.

Overview

The Google authentication provider allows users to log in with their existing Google account through Google Sign-In. When a user logs in, Google provides Atlas App Services with an OAuth 2.0 access token for the user. App Services uses the token to identify the user and access approved data from Google APIs on their behalf.

The following diagram shows the OAuth logic flow:

Set Up a Project in the Google API Console

You must set up a project in the Google API Console before you configure Google Authentication in App Services. Follow the SDK-specific steps to set up Google Authentication in the Google API Console.

The Google authentication provider requires a project in the Google API Console to manage authentication and user permissions. The following steps walk through creating the project, generating OAuth credentials, and configuring the provider to connect with the project.

Create a Project in the Google API Console

Follow Google's official guide to create a new GCP project.

Generate OAuth Client Credentials

Note

For iOS client applications, you need to create both a Web OAuth Client ID and an iOS OAuth Client ID. The former is used by App Services, while the latter will be used by the app itself.

Refer to the Web tab of this section for instructions on creating the web application Client ID for App Services.

Follow Google's support guide on Setting up OAuth 2.0 for your project.

Use the following values when configuring your iOS application Client ID:

Application Type	iOS
Name	The name you wish to associate with this Client ID.
Bundle ID	The Bundle ID for your iOS application. You can find this value in XCode on the General tab for the app's primary target.

Use the following values when configuring your Android application Client ID:

Application Type	Android
Name	The name you wish to associate with this Client ID.
Signing-certificate Fingerprint	The SHA-1 fingerprint of your application signing certificate. See Authenticating Your Client for instructions on generating this value.

You will need to create a web application Client ID and provide several App Services-related values.

For Authorized JavaScript Origins, enter the following URL:

https://services.cloud.mongodb.com

For Authorized Redirect URIs, enter the App Services authentication callback URL that corresponds to the deployment region of your application. The following table lists the callback URL for each region:

Region

App Services Authentication Callback URL

Global

https://services.cloud.mongodb.com/api/client/v2.0/auth/callback

Virginia

(us-east-1)

https://us-east-1.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Oregon

(us-west-2)

https://us-west-2.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Ireland

(eu-west-1)

https://eu-west-1.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Frankfurt

(eu-central-1)

https://eu-central-1.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Mumbai

(ap-south-1)

https://ap-south-1.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Singapore

(ap-southeast-1)

https://ap-southeast-1.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Sydney

(ap-southeast-2)

https://ap-southeast-2.aws.services.cloud.mongodb.com/api/client/v2.0/auth/callback

Configure the Google Authentication Provider

To connect your GCP project to App Services add the OAuth 2.0 Client ID and Client Secret you generated in the previous step to your authentication provider configuration.

Note

Make sure that you add the web application credentials to the provider configuration. If you add the iOS credentials instead, Google authentication will fail.

Configure in App Services

You can enable and configure the Google authentication provider from the App Services UI by selecting Google from the Authentication page.

To enable and configure the Google authentication provider with the App Services CLI, define a configuration object for it in /auth/providers.json.

Google provider configurations have the following form:

/auth/providers.json

{
  "oauth2-google": {
    "name": "oauth2-google",
    "type": "oauth2-google",
    "disabled": <boolean>,
    "config": {
      "clientId": <string>,
      "openId": <boolean>
    },
    "secret_config": {
      "clientSecret": <string>
    },
    "metadata_fields": [<document>, ...],
    "redirect_uris": [<string>, ...],
    "domain_restrictions": [<string>, ...]
  }
}

The Google authentication provider has the following configuration options:

Field

Description

Client ID

config.clientId

Required. An OAuth 2.0 Client ID for your project in the Google API Console.

See Set Up a Project in the Google API Console for information about setting up OAuth Credentials for your GCP project.

Client Secret

secret_config.clientSecret

Required. The name of a Secret that stores an OAuth 2.0 Client Secret for your project from the Google API Console.

See Set Up a Project in the Google API Console for information about setting up OAuth Credentials for your GCP project.

Metadata Fields

metadata_fields

Optional. A list of fields describing the authenticated user that your application will request from the Google Identity API.

All metadata fields are omitted by default and can be required on a field-by-field basis. Users must explicitly grant your app permission to access each required field. If a metadata field is required and exists for a particular user, it will be included in their user object.

To require a metadata field from an import/export configuration file, add an entry for the field to the metadata_fields array. Each entry should be a document of the following form:

{ name: "<metadata field name>", required: "<boolean>" }

Redirect URIs

redirect_uris

Required for web applications. A list of allowed redirect URIs.

Once a user completes the authentication process on Google, App Services redirects them back to either a specified redirect URI or, if no redirect URI is specified, the URL that they initiated the authentication request from. App Services will only redirect a user to a URI that exactly matches an entry in this list, including the protocol and any trailing slashes.

Domain Restrictions

domain_restrictions

Optional. A list of approved domains for user accounts.

If specified, the provider checks the domain of a user's primary email address on Google and only allows them to authenticate if the domain matches an entry in this list.

For example, if example1.com and example2.com are listed, a Google user with a primary email of joe.mango@example1.com would be allowed to log in, while a user with a primary email of joe.mango@example3.com would not be allowed to log in.

Note

If you've specified any domain restrictions, you must also require the email address field in the Metadata Fields setting.

OpenID Connect

config.openId

Optional. Default false.

If true, the provider uses OpenID Connect to authenticate users.

Important

OpenID Connect Support Varies by SDK

Refer to SDK-specific documentation about support for OpenID Connect. Not all SDK implementations of Google Authentication support OpenID Connect, while others require it.

Note

OpenID Connect Does Not Support Metadata Fields

Google supports OpenID as part of their OAuth 2.0 implementation but does not provide access to restricted scopes for OpenID authentication. This means that App Services cannot access metadata fields for users authenticated with OpenID Connect.

Examples

For code examples that demonstrate how to register and log in using Google authentication, see the documentation for the Realm SDKs:

Back

Facebook

Apple ID