CINXE.COM
OpenID Connect | Authentication | Google for Developers
<!doctype html> <html lang="en" dir="ltr"> <head> <meta name="google-signin-client-id" content="721724668570-nbkv1cfusk7kk4eni4pjvepaus73b13t.apps.googleusercontent.com"> <meta name="google-signin-scope" content="profile email https://www.googleapis.com/auth/developerprofiles https://www.googleapis.com/auth/developerprofiles.award"> <meta property="og:site_name" content="Google for Developers"> <meta property="og:type" content="website"><meta name="theme-color" content="#009688"><meta charset="utf-8"> <meta content="IE=Edge" http-equiv="X-UA-Compatible"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="manifest" href="/_pwa/developers/manifest.json" crossorigin="use-credentials"> <link rel="preconnect" href="//www.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.googleapis.com" crossorigin> <link rel="preconnect" href="//apis.google.com" crossorigin> <link rel="preconnect" href="//www.google-analytics.com" crossorigin><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Google+Sans:400,500|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"> <link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Material+Icons&family=Material+Symbols+Outlined&display=block"><link rel="stylesheet" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/css/app.css"> <link rel="shortcut icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/favicon-new.png"> <link rel="apple-touch-icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png"><link rel="canonical" href="https://developers.google.com/identity/openid-connect/openid-connect"><link rel="search" type="application/opensearchdescription+xml" title="Google for Developers" href="https://developers.google.com/s/opensearch.xml"> <link rel="alternate" hreflang="en" href="https://developers.google.com/identity/openid-connect/openid-connect" /><link rel="alternate" hreflang="x-default" href="https://developers.google.com/identity/openid-connect/openid-connect" /><link rel="alternate" hreflang="ar" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=ar" /><link rel="alternate" hreflang="bn" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=bn" /><link rel="alternate" hreflang="zh-Hans" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=zh-cn" /><link rel="alternate" hreflang="zh-Hant" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=zh-tw" /><link rel="alternate" hreflang="fa" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=fa" /><link rel="alternate" hreflang="fr" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=fr" /><link rel="alternate" hreflang="de" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=de" /><link rel="alternate" hreflang="he" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=he" /><link rel="alternate" hreflang="hi" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=hi" /><link rel="alternate" hreflang="id" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=id" /><link rel="alternate" hreflang="it" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=it" /><link rel="alternate" hreflang="ja" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=ja" /><link rel="alternate" hreflang="ko" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=ko" /><link rel="alternate" hreflang="pl" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=pl" /><link rel="alternate" hreflang="pt-BR" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=pt-br" /><link rel="alternate" hreflang="ru" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=ru" /><link rel="alternate" hreflang="es-419" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=es-419" /><link rel="alternate" hreflang="th" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=th" /><link rel="alternate" hreflang="tr" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=tr" /><link rel="alternate" hreflang="vi" href="https://developers.google.com/identity/openid-connect/openid-connect?hl=vi" /><title>OpenID Connect | Authentication | Google for Developers</title> <meta property="og:title" content="OpenID Connect | Authentication | Google for Developers"><meta property="og:url" content="https://developers.google.com/identity/openid-connect/openid-connect"><meta property="og:image" content="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/opengraph/teal.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="675"><meta property="og:locale" content="en"><meta name="twitter:card" content="summary_large_image"><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "headline": "OpenID Connect" } </script><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1, "name": "Google Identity", "item": "https://developers.google.com/identity" },{ "@type": "ListItem", "position": 2, "name": "Authentication", "item": "https://developers.google.com/identity/authentication" },{ "@type": "ListItem", "position": 3, "name": "OpenID Connect", "item": "https://developers.google.com/identity/openid-connect/openid-connect" }] } </script> <link rel="stylesheet" href="/extras.css"></head> <body class="" template="page" theme="teal" type="article" layout="docs" concierge='closed' display-toc pending> <devsite-progress type="indeterminate" id="app-progress"></devsite-progress> <section class="devsite-wrapper"> <devsite-cookie-notification-bar></devsite-cookie-notification-bar><devsite-header role="banner"> <div class="devsite-header--inner nocontent"> <div class="devsite-top-logo-row-wrapper-wrapper"> <div class="devsite-top-logo-row-wrapper"> <div class="devsite-top-logo-row"> <button type="button" id="devsite-hamburger-menu" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Navigation menu button" visually-hidden aria-label="Open menu"> </button> <div class="devsite-product-name-wrapper"> <span class="devsite-product-name"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Upper Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Google Identity" > <svg class="devsite-google-wordmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 148 48"> <title>Google</title> <path class="devsite-google-wordmark-svg-path" d="M19.58,37.65c-9.87,0-18.17-8.04-18.17-17.91c0-9.87,8.3-17.91,18.17-17.91c5.46,0,9.35,2.14,12.27,4.94l-3.45,3.45c-2.1-1.97-4.93-3.49-8.82-3.49c-7.21,0-12.84,5.81-12.84,13.02c0,7.21,5.64,13.02,12.84,13.02c4.67,0,7.34-1.88,9.04-3.58c1.4-1.4,2.32-3.41,2.66-6.16H19.58v-4.89h16.47c0.18,0.87,0.26,1.92,0.26,3.06c0,3.67-1.01,8.21-4.24,11.44C28.93,35.9,24.91,37.65,19.58,37.65z M61.78,26.12c0,6.64-5.1,11.53-11.36,11.53s-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53S61.78,19.43,61.78,26.12z M56.8,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C53.84,33.11,56.8,30.22,56.8,26.12z M87.25,26.12c0,6.64-5.1,11.53-11.36,11.53c-6.26,0-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53C82.15,14.59,87.25,19.43,87.25,26.12zM82.28,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C79.32,33.11,82.28,30.22,82.28,26.12z M112.09,15.29v20.7c0,8.52-5.02,12.01-10.96,12.01c-5.59,0-8.95-3.76-10.22-6.81l4.41-1.83c0.79,1.88,2.71,4.1,5.81,4.1c3.8,0,6.16-2.36,6.16-6.77v-1.66h-0.18c-1.14,1.4-3.32,2.62-6.07,2.62c-5.76,0-11.05-5.02-11.05-11.49c0-6.51,5.28-11.57,11.05-11.57c2.75,0,4.93,1.22,6.07,2.58h0.18v-1.88H112.09z M107.64,26.16c0-4.06-2.71-7.03-6.16-7.03c-3.49,0-6.42,2.97-6.42,7.03c0,4.02,2.93,6.94,6.42,6.94C104.93,33.11,107.64,30.18,107.64,26.16z M120.97,3.06v33.89h-5.07V3.06H120.97z M140.89,29.92l3.93,2.62c-1.27,1.88-4.32,5.11-9.61,5.11c-6.55,0-11.28-5.07-11.28-11.53c0-6.86,4.77-11.53,10.71-11.53c5.98,0,8.91,4.76,9.87,7.34l0.52,1.31l-15.42,6.38c1.18,2.31,3.01,3.49,5.59,3.49C137.79,33.11,139.58,31.84,140.89,29.92zM128.79,25.77l10.31-4.28c-0.57-1.44-2.27-2.45-4.28-2.45C132.24,19.04,128.66,21.31,128.79,25.77z"/> </svg>Identity </a> </li> </ul> </span> </div> <div class="devsite-top-logo-row-middle"> <div class="devsite-header-upper-tabs"> <devsite-tabs class="upper-tabs"> <nav class="devsite-tabs-wrapper" aria-label="Upper tabs"> <tab class="devsite-dropdown devsite-active "> <a href="https://developers.google.com/identity/authentication" track-metadata-eventdetail="https://developers.google.com/identity/authentication" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - authentication" track-metadata-module="primary nav" aria-label="Authentication, selected" data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" > Authentication </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Authentication" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/authentication" track-metadata-position="nav - authentication" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Sign In with Google SDKs</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/android-credential-manager" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/android-credential-manager" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Credential Manager for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/gsi/web/guides/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/gsi/web/guides/overview" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Sign In with Google for Web (including One Tap) </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/ios/start" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/ios/start" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Google Sign-In for iOS and macOS </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Industry standards</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/passkeys" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/passkeys" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Passkeys </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/openid-connect/openid-connect" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/openid-connect/openid-connect" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> OpenID Connect </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Legacy Sign In</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/one-tap/android/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/one-tap/android/overview" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> One Tap sign-up/sign-in for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/android/legacy-start-integrating" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/android/legacy-start-integrating" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Google Sign-In for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/web/sign-in" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/web/sign-in" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Google Sign-In for Web </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown "> <a href="https://developers.google.com/identity/authorization" track-metadata-eventdetail="https://developers.google.com/identity/authorization" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - authorization" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" > Authorization </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Authorization" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/authorization" track-metadata-position="nav - authorization" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Call Google APIs</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/android/authorize-access" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/android/authorize-access" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Authorizing for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/oauth2/web/guides/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/oauth2/web/guides/overview" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Authorizing for Web </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/ios/api-access" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/ios/api-access" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Authorizing for iOS/macOS </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/protocols/oauth2" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/protocols/oauth2" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Using OAuth 2.0 </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Share data with Google apps and devices</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/account-linking" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/account-linking" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Google Account Linking </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown "> <a href="https://developers.google.com/identity/credential-management" track-metadata-eventdetail="https://developers.google.com/identity/credential-management" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - credential management" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" > Credential management </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Credential management" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/credential-management" track-metadata-position="nav - credential management" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Android</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/android-credential-manager" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/android-credential-manager" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Credential Manager </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/blockstore/android" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/blockstore/android" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Blockstore </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Digital Asset Links </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developer.android.com/guide/topics/text/autofill" track-type="nav" track-metadata-eventdetail="https://developer.android.com/guide/topics/text/autofill" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Android autofill framework </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Web</li> <li class="devsite-nav-item"> <a href="https://web.dev/sign-in-form-best-practices/" track-type="nav" track-metadata-eventdetail="https://web.dev/sign-in-form-best-practices/" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Autocomplete </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Cross-platform</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/credential-sharing" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/credential-sharing" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Seamless credential sharing </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown "> <a href="https://developers.google.com/identity/credential-verification" track-metadata-eventdetail="https://developers.google.com/identity/credential-verification" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - credential verification" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" > Credential verification </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Credential verification" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/credential-verification" track-metadata-position="nav - credential verification" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Android</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sms-retriever/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sms-retriever/overview" track-metadata-position="nav - credential verification" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Verify users by SMS </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/phone-number-hint/android" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/phone-number-hint/android" track-metadata-position="nav - credential verification" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Phone Number Hint </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Web</li> <li class="devsite-nav-item"> <a href="https://web.dev/web-otp/" track-type="nav" track-metadata-eventdetail="https://web.dev/web-otp/" track-metadata-position="nav - credential verification" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Verify phone numbers on the web </div> </a> </li> </ul> </div> </div> </div> </tab> </nav> </devsite-tabs> </div> <devsite-search enable-signin enable-search enable-suggestions enable-query-completion project-name="Authentication" tenant-name="Google for Developers" project-scope="/identity/authentication" url-scoped="https://developers.google.com/s/results/identity/authentication" > <form class="devsite-search-form" action="https://developers.google.com/s/results" method="GET"> <div class="devsite-search-container"> <button type="button" search-open class="devsite-search-button devsite-header-icon-button button-flat material-icons" aria-label="Open search"></button> <div class="devsite-searchbox"> <input aria-activedescendant="" aria-autocomplete="list" aria-label="Search" aria-expanded="false" aria-haspopup="listbox" autocomplete="off" class="devsite-search-field devsite-search-query" name="q" placeholder="Search" role="combobox" type="text" value="" > <div class="devsite-search-image material-icons" aria-hidden="true"> </div> <div class="devsite-search-shortcut-icon-container" aria-hidden="true"> <kbd class="devsite-search-shortcut-icon">/</kbd> </div> </div> </div> </form> <button type="button" search-close class="devsite-search-button devsite-header-icon-button button-flat material-icons" aria-label="Close search"></button> </devsite-search> </div> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es" >Español</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pl" >Polski</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="vi" >Tiếng Việt</a> </li> <li role="presentation"> <a role="menuitem" lang="tr" >Türkçe</a> </li> <li role="presentation"> <a role="menuitem" lang="ru" >Русский</a> </li> <li role="presentation"> <a role="menuitem" lang="he" >עברית</a> </li> <li role="presentation"> <a role="menuitem" lang="ar" >العربيّة</a> </li> <li role="presentation"> <a role="menuitem" lang="fa" >فارسی</a> </li> <li role="presentation"> <a role="menuitem" lang="hi" >हिंदी</a> </li> <li role="presentation"> <a role="menuitem" lang="bn" >বাংলা</a> </li> <li role="presentation"> <a role="menuitem" lang="th" >ภาษาไทย</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_tw" >中文 – 繁體</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> <devsite-user enable-profiles fp-auth id="devsite-user"> <span class="button devsite-top-button" aria-hidden="true" visually-hidden>Sign in</span> </devsite-user> </div> </div> </div> <div class="devsite-collapsible-section "> <div class="devsite-header-background"> <div class="devsite-product-id-row" > <div class="devsite-product-description-row"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item "> <a href="https://developers.google.com/identity/authentication" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Lower Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Authentication" > Authentication </a> </li> </ul> </div> </div> <div class="devsite-doc-set-nav-row"> <devsite-tabs class="lower-tabs"> <nav class="devsite-tabs-wrapper" aria-label="Lower tabs"> <tab > <a href="https://developers.google.com/identity/android-credential-manager" track-metadata-eventdetail="https://developers.google.com/identity/android-credential-manager" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - credential manager for android" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential Manager for Android" track-name="credential manager for android" > Credential Manager for Android </a> </tab> <tab > <a href="https://developers.google.com/identity/gsi/web/guides/overview" track-metadata-eventdetail="https://developers.google.com/identity/gsi/web/guides/overview" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - sign in with google for web" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Sign In with Google for Web" track-name="sign in with google for web" > Sign In with Google for Web </a> </tab> <tab > <a href="https://developers.google.com/identity/sign-in/ios/start-integrating" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/ios/start-integrating" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - google sign-in for ios and macos" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Google Sign-In for iOS and macOS" track-name="google sign-in for ios and macos" > Google Sign-In for iOS and macOS </a> </tab> <tab > <a href="https://developers.google.com/identity/passkeys" track-metadata-eventdetail="https://developers.google.com/identity/passkeys" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - passkeys" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Passkeys" track-name="passkeys" > Passkeys </a> </tab> <tab class="devsite-active"> <a href="https://developers.google.com/identity/openid-connect/openid-connect" track-metadata-eventdetail="https://developers.google.com/identity/openid-connect/openid-connect" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - openid connect" track-metadata-module="primary nav" aria-label="OpenID Connect, selected" data-category="Site-Wide Custom Events" data-label="Tab: OpenID Connect" track-name="openid connect" > OpenID Connect </a> </tab> </nav> </devsite-tabs> </div> </div> </div> </div> </devsite-header> <devsite-book-nav scrollbars hidden> <div class="devsite-book-nav-filter" hidden> <span class="filter-list-icon material-icons" aria-hidden="true"></span> <input type="text" placeholder="Filter" aria-label="Type to filter" role="searchbox"> <span class="filter-clear-button hidden" data-title="Clear filter" aria-label="Clear filter" role="button" tabindex="0"></span> </div> <nav class="devsite-book-nav devsite-nav nocontent" aria-label="Side menu"> <div class="devsite-mobile-header"> <button type="button" id="devsite-close-nav" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Close navigation" aria-label="Close navigation"> </button> <div class="devsite-product-name-wrapper"> <span class="devsite-product-name"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Upper Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Google Identity" > <svg class="devsite-google-wordmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 148 48"> <title>Google</title> <path class="devsite-google-wordmark-svg-path" d="M19.58,37.65c-9.87,0-18.17-8.04-18.17-17.91c0-9.87,8.3-17.91,18.17-17.91c5.46,0,9.35,2.14,12.27,4.94l-3.45,3.45c-2.1-1.97-4.93-3.49-8.82-3.49c-7.21,0-12.84,5.81-12.84,13.02c0,7.21,5.64,13.02,12.84,13.02c4.67,0,7.34-1.88,9.04-3.58c1.4-1.4,2.32-3.41,2.66-6.16H19.58v-4.89h16.47c0.18,0.87,0.26,1.92,0.26,3.06c0,3.67-1.01,8.21-4.24,11.44C28.93,35.9,24.91,37.65,19.58,37.65z M61.78,26.12c0,6.64-5.1,11.53-11.36,11.53s-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53S61.78,19.43,61.78,26.12z M56.8,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C53.84,33.11,56.8,30.22,56.8,26.12z M87.25,26.12c0,6.64-5.1,11.53-11.36,11.53c-6.26,0-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53C82.15,14.59,87.25,19.43,87.25,26.12zM82.28,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C79.32,33.11,82.28,30.22,82.28,26.12z M112.09,15.29v20.7c0,8.52-5.02,12.01-10.96,12.01c-5.59,0-8.95-3.76-10.22-6.81l4.41-1.83c0.79,1.88,2.71,4.1,5.81,4.1c3.8,0,6.16-2.36,6.16-6.77v-1.66h-0.18c-1.14,1.4-3.32,2.62-6.07,2.62c-5.76,0-11.05-5.02-11.05-11.49c0-6.51,5.28-11.57,11.05-11.57c2.75,0,4.93,1.22,6.07,2.58h0.18v-1.88H112.09z M107.64,26.16c0-4.06-2.71-7.03-6.16-7.03c-3.49,0-6.42,2.97-6.42,7.03c0,4.02,2.93,6.94,6.42,6.94C104.93,33.11,107.64,30.18,107.64,26.16z M120.97,3.06v33.89h-5.07V3.06H120.97z M140.89,29.92l3.93,2.62c-1.27,1.88-4.32,5.11-9.61,5.11c-6.55,0-11.28-5.07-11.28-11.53c0-6.86,4.77-11.53,10.71-11.53c5.98,0,8.91,4.76,9.87,7.34l0.52,1.31l-15.42,6.38c1.18,2.31,3.01,3.49,5.59,3.49C137.79,33.11,139.58,31.84,140.89,29.92zM128.79,25.77l10.31-4.28c-0.57-1.44-2.27-2.45-4.28-2.45C132.24,19.04,128.66,21.31,128.79,25.77z"/> </svg>Identity </a> </li> </ul> </span> </div> </div> <div class="devsite-book-nav-wrapper"> <div class="devsite-mobile-nav-top"> <ul class="devsite-nav-list"> <li class="devsite-nav-item"> <a href="/identity/authentication" class="devsite-nav-title gc-analytics-event devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authentication" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authentication </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" > <span class="devsite-nav-text" tooltip menu="Authentication"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Authentication"> </span> </span> </li> </ul> <ul class="devsite-nav-responsive-tabs"> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Credential Manager for Android" track-name="credential manager for android" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager for Android" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential Manager for Android </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/gsi/web/guides/overview" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Sign In with Google for Web" track-name="sign in with google for web" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Sign In with Google for Web" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Sign In with Google for Web </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/start-integrating" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Google Sign-In for iOS and macOS" track-name="google sign-in for ios and macos" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for iOS and macOS" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for iOS and macOS </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/passkeys" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Passkeys" track-name="passkeys" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Passkeys" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Passkeys </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/openid-connect/openid-connect" class="devsite-nav-title gc-analytics-event devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: OpenID Connect" track-name="openid connect" data-category="Site-Wide Custom Events" data-label="Responsive Tab: OpenID Connect" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > OpenID Connect </span> </a> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/authorization" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorization" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorization </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" > <span class="devsite-nav-text" tooltip menu="Authorization"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Authorization"> </span> </span> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/credential-management" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential management" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential management </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" > <span class="devsite-nav-text" tooltip menu="Credential management"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Credential management"> </span> </span> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/credential-verification" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential verification" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential verification </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" > <span class="devsite-nav-text" tooltip menu="Credential verification"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Credential verification"> </span> </span> </li> </ul> </li> </ul> </div> <div class="devsite-mobile-nav-bottom"> <ul class="devsite-nav-list" menu="Authentication" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Sign In with Google SDKs </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential Manager for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/gsi/web/guides/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Sign In with Google for Web (including One Tap)" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Sign In with Google for Web (including One Tap) </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/start" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for iOS and macOS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for iOS and macOS </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Industry standards </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/passkeys" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Passkeys" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Passkeys </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/openid-connect/openid-connect" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: OpenID Connect" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > OpenID Connect </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Legacy Sign In </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/one-tap/android/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: One Tap sign-up/sign-in for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > One Tap sign-up/sign-in for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/android/legacy-start-integrating" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/web/sign-in" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for Web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for Web </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Authorization" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Call Google APIs </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/android/authorize-access" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorizing for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/oauth2/web/guides/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for Web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorizing for Web </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/api-access" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for iOS/macOS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorizing for iOS/macOS </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Using OAuth 2.0" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Using OAuth 2.0 </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Share data with Google apps and devices </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/account-linking" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Account Linking" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Account Linking </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Credential management" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Android </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential Manager </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/blockstore/android" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Blockstore" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Blockstore </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/smartlock-passwords/android/associate-apps-and-sites" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Digital Asset Links" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Digital Asset Links </span> </a> </li> <li class="devsite-nav-item"> <a href="https://developer.android.com/guide/topics/text/autofill" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Android autofill framework" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Android autofill framework </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Web </span> </span> </li> <li class="devsite-nav-item"> <a href="https://web.dev/sign-in-form-best-practices/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Autocomplete" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Autocomplete </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Cross-platform </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/credential-sharing" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Seamless credential sharing" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Seamless credential sharing </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Credential verification" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Android </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/sms-retriever/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Verify users by SMS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Verify users by SMS </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/phone-number-hint/android" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Phone Number Hint" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Phone Number Hint </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Web </span> </span> </li> <li class="devsite-nav-item"> <a href="https://web.dev/web-otp/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Verify phone numbers on the web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Verify phone numbers on the web </span> </a> </li> </ul> </div> </div> </nav> </devsite-book-nav> <section id="gc-wrapper"> <main role="main" class="devsite-main-content" > <devsite-content> <article class="devsite-article"> <div class="devsite-article-meta nocontent" role="navigation"> <ul class="devsite-breadcrumb-list" aria-label="Breadcrumb"> <li class="devsite-breadcrumb-item "> <a href="https://developers.google.com/" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="" > Home </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/products" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="2" track-type="globalNav" track-name="breadcrumb" track-metadata-position="2" track-metadata-eventdetail="" > Products </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="3" track-type="globalNav" track-name="breadcrumb" track-metadata-position="3" track-metadata-eventdetail="Google Identity" > Google Identity </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity/authentication" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="4" track-type="globalNav" track-name="breadcrumb" track-metadata-position="4" track-metadata-eventdetail="Authentication" > Authentication </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity/openid-connect/openid-connect" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="5" track-type="globalNav" track-name="breadcrumb" track-metadata-position="5" track-metadata-eventdetail="" > OpenID Connect </a> </li> </ul> <devsite-thumb-rating position="header"> </devsite-thumb-rating> </div> <devsite-feedback position="header" project-name="Authentication" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="header" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Send feedback </button> </devsite-feedback> <h1 class="devsite-page-title" tabindex="-1"> OpenID Connect </h1> <devsite-feature-tooltip ack-key="AckCollectionsBookmarkTooltipDismiss" analytics-category="Site-Wide Custom Events" analytics-action-show="Callout Profile displayed" analytics-action-close="Callout Profile dismissed" analytics-label="Create Collection Callout" class="devsite-page-bookmark-tooltip nocontent" dismiss-button="true" id="devsite-collections-dropdown" dismiss-button-text="Dismiss" close-button-text="Got it"> <devsite-bookmark></devsite-bookmark> <span slot="popout-heading"> Stay organized with collections </span> <span slot="popout-contents"> Save and categorize content based on your preferences. </span> </devsite-feature-tooltip> <div class="devsite-page-title-meta"><devsite-view-release-notes></devsite-view-release-notes></div> <devsite-toc class="devsite-nav" depth="2" devsite-toc-embedded > </devsite-toc> <div class="devsite-article-body clearfix "> <section> <div class="attempt-right"> <a href="https://openid.net/certification/"> <img src="/static/identity/images/OpenID_Certified.png" alt="Google's OpenID Connect endpoint is OpenID Certified."></a> </div> <p>Google's OAuth 2.0 APIs can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the <a href="https://openid.net/connect/" class="external">OpenID Connect</a> specification, and is <a href="https://openid.net/certification/" class="external">OpenID Certified</a>. The documentation found in <a href="/identity/protocols/oauth2">Using OAuth 2.0 to Access Google APIs</a> also applies to this service. If you want to explore this protocol interactively, we recommend the <a href="https://developers.google.com/oauthplayground/">Google OAuth 2.0 Playground</a>. To get help on <a href="https://stackoverflow.com/questions/tagged/google-oauth" class="external" title="Stack Overflow: google-oauth tag">Stack Overflow</a>, tag your questions with 'google-oauth'.</p> <aside class="note"> <a href="/identity/gsi/web" class="attempt-right"> <img src="/static/identity/images/btn_google_signin_light_normal_web.png" alt="Sign in with Google"> </a> <p><b>Note:</b> To provide a "Sign-in with Google" button for your website, Use <a href="/identity/gsi/web">Google Identity Services</a>, our sign-in client library built on the OpenID Connect protocol. This library provides OpenID Connect formatted ID Tokens. Native Android apps should use the <a href="https://developer.android.com/training/sign-in/credential-manager">Credential Manager API</a> to implement the Sign in with Google flow.</p> </aside> </section> <section id="registeringyourapp"> <h2 id="appsetup" data-text="Setting up OAuth 2.0" tabindex="-1">Setting up OAuth 2.0</h2> <p>Before your application can use Google's OAuth 2.0 authentication system for user login, you must set up a project in the <a href="https://console.developers.google.com/">Google API Console</a> to obtain OAuth 2.0 credentials, set a redirect URI, and (optionally) customize the branding information that your users see on the user-consent screen. You can also use the API Console to create a service account, enable billing, set up filtering, and do other tasks. For more details, see the <a href="/console/help">Google API Console Help</a>.</p> <h3 id="getcredentials" data-text="Obtain OAuth 2.0 credentials" tabindex="-1">Obtain OAuth 2.0 credentials</h3> <p>You need OAuth 2.0 credentials, including a client ID and client secret, to authenticate users and gain access to Google's APIs.</p> <p>To view the client ID and client secret for a given OAuth 2.0 credential, click the following text: <span class="replaceable-credential" data-devsite-credential-type="oauth">Select credential</span>. In the window that opens, choose your project and the credential you want, then click <b>View</b>.</p> <p>Or, view your client ID and client secret from the <b>Credentials page</b> in API Console:</p> <ol> <li>Go to the <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>.</li> <li>Click the name of your credential or the pencil (<i class="material-icons" aria-hidden="true" translate="no">create</i>) icon. Your client ID and secret are at the top of the page.</li> </ol> <h3 id="setredirecturi" data-text="Set a redirect URI" tabindex="-1">Set a redirect URI</h3> <p>The redirect URI that you set in the API Console determines where Google sends responses to your <a href="#sendauthrequest">authentication requests</a>.</p> <p>To create, view, or edit the redirect URIs for a given OAuth 2.0 credential, do the following:</p> <ol> <li>Go to the <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>.</li> <li>In the <b>OAuth 2.0 client IDs</b> section of the page, click a credential.</li> <li>View or edit the redirect URIs.</li> </ol> <p>If there is no <b>OAuth 2.0 client IDs</b> section on the Credentials page, then your project has no OAuth credentials. To create one, click <b>Create credentials</b>.</p> <h3 id="consentpageexperience" data-text="Customize the user consent screen" tabindex="-1">Customize the user consent screen</h3> <p>For your users, the OAuth 2.0 authentication experience includes a consent screen that describes the information that the user is releasing and the terms that apply. For example, when the user logs in, they might be asked to give your app access to their email address and basic account information. You request access to this information using the <a href="#scope-param"><code translate="no" dir="ltr">scope</code></a> parameter, which your app includes in its <a href="#sendauthrequest">authentication request</a>. You can also use scopes to request access to other Google APIs.</p> <p>The user consent screen also presents branding information such as your product name, logo, and a homepage URL. You control the branding information in the API Console.</p> <p>To enable your project's consent screen:</p> <ol> <li>Open the <a href="https://console.developers.google.com/apis/credentials/consent">Consent Screen page</a> in the Google API Console.</li> <li>If prompted, select a project, or create a new one.</li> <li>Fill out the form and click <b>Save</b>.</li> </ol> <p>The following consent dialog shows what a user would see when a combination of OAuth 2.0 and Google Drive scopes are present in the request. (This generic dialog was generated using the <a href="https://developers.google.com/oauthplayground/">Google OAuth 2.0 Playground</a>, so it does not include branding information that would be set in the API Console.)</p> <div> <figure> <img src="/static/identity/protocols/oauth2/images/examples/scope-authorization.png" alt="Consent page screen shot" class="screenshot"> </figure> </div> <h2 id="accessingtheservice" data-text="Accessing the service" tabindex="-1">Accessing the service</h2> <p>Google and third parties provide libraries that you can use to take care of many of the implementation details of authenticating users and gaining access to Google APIs. Examples include <a href="/identity/gsi/web">Google Identity Services</a> and the <a href="#libraries">Google client libraries</a>, which are available for a variety of platforms.</p> <aside class="note"><b>Note:</b> Given the security implications of getting the implementation correct, we strongly encourage you to take advantage of a pre-written library or service. Authenticating users properly is important to their and your safety and security, and using well-debugged code written by others is generally a best practice. For more information, see <a href="#libraries">Client libraries</a>.</aside> <p>If you choose not to use a library, follow the instructions in the remainder of this document, which describes the HTTP request flows that underly the available libraries.</p> </section> <section> <h2 id="authenticatingtheuser" data-text="Authenticating the user" tabindex="-1">Authenticating the user</h2> <p>Authenticating the user involves obtaining an ID token and validating it. <a href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken" class="external">ID tokens</a> are a standardized feature of <a href="https://openid.net/connect/" class="external">OpenID Connect</a> designed for use in sharing identity assertions on the Internet.</p> <p>The most commonly used approaches for authenticating a user and obtaining an ID token are called the "server" flow and the "implicit" flow. The server flow allows the back-end server of an application to verify the identity of the person using a browser or mobile device. The implicit flow is used when a client-side application (typically a JavaScript app running in the browser) needs to access APIs directly instead of via its back-end server.</p> <p>This document describes how to perform the server flow for authenticating the user. The implicit flow is significantly more complicated because of security risks in handling and using tokens on the client side. If you need to implement an implicit flow, we highly recommend using <a href="/identity/gsi/web">Google Identity Services</a>.</p> <h3 id="server-flow" data-text="Server flow" tabindex="-1">Server flow</h3> <p>Make sure you <a href="#appsetup">set up your app in the API Console</a> to enable it to use these protocols and authenticate your users. When a user tries to log in with Google, you need to:</p> <ol> <li><a href="#createxsrftoken">Create an anti-forgery state token</a> <li><a href="#sendauthrequest">Send an authentication request to Google</a> <li><a href="#confirmxsrftoken">Confirm the anti-forgery state token</a> <li><a href="#exchangecode">Exchange <code translate="no" dir="ltr">code</code> for access token and ID token</a> <li><a href="#obtainuserinfo">Obtain user information from the ID token</a> <li><a href="#authuser">Authenticate the user</a> </ol> <h4 id="createxsrftoken" data-text="1. Create an anti-forgery state token" tabindex="-1">1. Create an anti-forgery state token</h4> <p>You must protect the security of your users by preventing request forgery attacks. The first step is creating a unique session token that holds state between your app and the user's client. You later match this unique session token with the authentication response returned by the Google OAuth Login service to verify that the user is making the request and not a malicious attacker. These tokens are often referred to as cross-site request forgery (<a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="external">CSRF</a>) tokens.</p> <p>One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. Another is a hash generated by signing some of your session state variables with a key that is kept secret on your back-end.</p> <p>The following code demonstrates generating unique session tokens.</p> <div class="ds-selector-tabs"> <section> <h3 id="php" data-text="PHP" tabindex="-1">PHP</h3> <p>You must download the <a href="https://github.com/googleapis/google-api-php-client" class="external">Google APIs client library for PHP</a> to use this sample.</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP"><span class="devsite-syntax-x">// Create a state token to prevent request forgery.</span> <span class="devsite-syntax-x">// Store it in the session for later validation.</span> <span class="devsite-syntax-x">$state = bin2hex(random_bytes(128/8));</span> <span class="devsite-syntax-x">$app['session']->set('state', $state);</span> <span class="devsite-syntax-x">// Set the client ID, token state, and application name in the HTML while</span> <span class="devsite-syntax-x">// serving it.</span> <span class="devsite-syntax-x">return $app['twig']->render('index.html', array(</span> <span class="devsite-syntax-x"> 'CLIENT_ID' => CLIENT_ID,</span> <span class="devsite-syntax-x"> 'STATE' => $state,</span> <span class="devsite-syntax-x"> 'APPLICATION_NAME' => APPLICATION_NAME</span> <span class="devsite-syntax-x">));</span></pre></devsite-code> </section> <section> <h3 id="java" data-text="Java" tabindex="-1">Java</h3> <p>You must download the <a href="https://github.com/googleapis/google-api-java-client" class="external">Google APIs client library for Java</a> to use this sample.</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-c1">// Create a state token to prevent request forgery.</span> <span class="devsite-syntax-c1">// Store it in the session for later validation.</span> <span class="devsite-syntax-n">String</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">state</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">BigInteger</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-mi">130</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">SecureRandom</span><span class="devsite-syntax-p">()).</span><span class="devsite-syntax-na">toString</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-mi">32</span><span class="devsite-syntax-p">);</span> <span class="devsite-syntax-n">request</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">session</span><span class="devsite-syntax-p">().</span><span class="devsite-syntax-na">attribute</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"state"</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">state</span><span class="devsite-syntax-p">);</span> <span class="devsite-syntax-c1">// Read index.html into memory, and set the client ID,</span> <span class="devsite-syntax-c1">// token state, and application name in the HTML before serving it.</span> <span class="devsite-syntax-k">return</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">Scanner</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">File</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"index.html"</span><span class="devsite-syntax-p">),</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s">"UTF-8"</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">useDelimiter</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"\\A"</span><span class="devsite-syntax-p">).</span><span class="devsite-syntax-na">next</span><span class="devsite-syntax-p">()</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">replaceAll</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"[{]{2}\\s*CLIENT_ID\\s*[}]{2}"</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">CLIENT_ID</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">replaceAll</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"[{]{2}\\s*STATE\\s*[}]{2}"</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">state</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">replaceAll</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"[{]{2}\\s*APPLICATION_NAME\\s*[}]{2}"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">APPLICATION_NAME</span><span class="devsite-syntax-p">);</span></pre></devsite-code> </section> <section> <h3 id="python" data-text="Python" tabindex="-1">Python</h3> <p>You must download the <a href="https://github.com/googleapis/google-api-python-client" class="external">Google APIs client library for Python</a> to use this sample.</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-c1"># Create a state token to prevent request forgery.</span> <span class="devsite-syntax-c1"># Store it in the session for later validation.</span> <span class="devsite-syntax-n">state</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">hashlib</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">sha256</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">os</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">urandom</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-mi">1024</span><span class="devsite-syntax-p">))</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">hexdigest</span><span class="devsite-syntax-p">()</span> <span class="devsite-syntax-n">session</span><span class="devsite-syntax-p">[</span><span class="devsite-syntax-s1">'state'</span><span class="devsite-syntax-p">]</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">state</span> <span class="devsite-syntax-c1"># Set the client ID, token state, and application name in the HTML while</span> <span class="devsite-syntax-c1"># serving it.</span> <span class="devsite-syntax-n">response</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">make_response</span><span class="devsite-syntax-p">(</span> <span class="devsite-syntax-n">render_template</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s1">'index.html'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">CLIENT_ID</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-n">CLIENT_ID</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">STATE</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-n">state</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">APPLICATION_NAME</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-n">APPLICATION_NAME</span><span class="devsite-syntax-p">))</span></pre></devsite-code> </section> </div> <h4 id="sendauthrequest" data-text="2. Send an authentication request to Google" tabindex="-1">2. Send an authentication request to Google</h4> <p>The next step is forming an HTTPS <code translate="no" dir="ltr">GET</code> request with the appropriate URI parameters. Note the use of HTTPS rather than HTTP in all the steps of this process; HTTP connections are refused. You should retrieve the base URI from the <a href="#discovery">Discovery document</a> using the <code translate="no" dir="ltr">authorization_endpoint</code> metadata value. The following discussion assumes the base URI is <code translate="no" dir="ltr">https://accounts.google.com/o/oauth2/v2/auth</code>.</p> <p>For a basic request, specify the following parameters:</p> <ul> <li><code translate="no" dir="ltr">client_id</code>, which you obtain from the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a> .</li> <li><code translate="no" dir="ltr">response_type</code>, which in a basic authorization code flow request should be <code translate="no" dir="ltr">code</code>. (Read more at <a href="#response-type"><code translate="no" dir="ltr">response_type</code></a>.)</li> <li><code translate="no" dir="ltr">scope</code>, which in a basic request should be <code translate="no" dir="ltr">openid email</code>. (Read more at <a href="#scope-param"><code translate="no" dir="ltr">scope</code></a>.)</li> <li><code translate="no" dir="ltr">redirect_uri</code> should be the HTTP endpoint on your server that will receive the response from Google. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured in the API Console Credentials page. If this value doesn't match an authorized URI, the request will fail with a <code translate="no" dir="ltr">redirect_uri_mismatch</code> error.</li> <li><code translate="no" dir="ltr">state</code> should include the value of the anti-forgery unique session token, as well as any other information needed to recover the context when the user returns to your application, e.g., the starting URL. (Read more at <a href="#state-param"><code translate="no" dir="ltr">state</code></a>.)</li> <li><code translate="no" dir="ltr">nonce</code> is a random value generated by your app that enables replay protection when present.</li> <li><code translate="no" dir="ltr">login_hint</code> can be the user's email address or the <code translate="no" dir="ltr">sub</code> string, which is equivalent to the user's Google ID. If you do not provide a <code translate="no" dir="ltr">login_hint</code> and the user is currently logged in, the consent screen includes a request for approval to release the user's email address to your app. (Read more at <a href="#login-hint"><code translate="no" dir="ltr">login_hint</code></a>.)</li> <li>Use the <code translate="no" dir="ltr">hd</code> parameter to optimize the OpenID Connect flow for users of a particular domain associated with a Google Workspace or Cloud organization (read more at <a href="#hd-param"><code translate="no" dir="ltr">hd</code></a>).</li> </ul> <aside class="note"><b>Note:</b> Only the most commonly used parameters are listed above. For a complete list, plus more details about all the parameters, see <a href="#authenticationuriparameters">Authentication URI parameters</a>.</aside> <p>Here is an example of a complete OpenID Connect authentication URI, with line breaks and spaces for readability:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> https://accounts.google.com/o/oauth2/v2/auth? response_type=code& client_id=<var translate="no">424911365001.apps.googleusercontent.com</var>& scope=openid<var translate="no">%20email</var>& redirect_uri=<var translate="no">https%3A//oauth2.example.com/code</var>& state=<var translate="no">security_token%3D138r5719ru3e1%26url%3Dhttps%3A%2F%2Foauth2-login-demo.example.com%2FmyHome</var>& login_hint=<var translate="no">jsmith@example.com</var>& nonce=<var translate="no">0394852-3190485-2490358</var>& hd=<var translate="no">example.com</var></pre></devsite-code> <p>Users are required to give consent if your app requests any new information about them, or if your app requests account access that they have not previously approved.</p> <h4 id="confirmxsrftoken" data-text="3. Confirm anti-forgery state token" tabindex="-1">3. Confirm anti-forgery state token</h4> <p>The response is sent to the <code translate="no" dir="ltr">redirect_uri</code> that you specified in the <a href="#sendauthrequest">request</a>. All responses are returned in the query string, as shown below:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> https://oauth2.example.com/code?state=<var translate="no">security_token%3D138r5719ru3e1%26url%3Dhttps%3A%2F%2Foa2cb.example.com%2FmyHome</var>&code=<var translate="no">4/P7q7W91a-oMsCeLvIaQm6bTrgtp7</var>&scope=openid%20email%20https://www.googleapis.com/auth/userinfo.email</pre></devsite-code> <p>On the server, you must confirm that the <code translate="no" dir="ltr">state</code> received from Google matches the session token you created in <a href="#createxsrftoken">Step 1</a>. This round-trip verification helps to ensure that the user, not a malicious script, is making the request.</p> <p>The following code demonstrates confirming the session tokens that you created in Step 1:</p> <div class="ds-selector-tabs"> <section> <h3 id="php_1" data-text="PHP" tabindex="-1">PHP</h3> <p>You must download the <a href="https://github.com/googleapis/google-api-php-client" class="external">Google APIs client library for PHP</a> to use this sample.</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP"><span class="devsite-syntax-x">// Ensure that there is no request forgery going on, and that the user</span> <span class="devsite-syntax-x">// sending us this connect request is the user that was supposed to.</span> <span class="devsite-syntax-x">if ($request->get('state') != ($app['session']->get('state'))) {</span> <span class="devsite-syntax-x"> return new Response('Invalid state parameter', 401);</span> <span class="devsite-syntax-x">}</span></pre></devsite-code> </section> <section> <h3 id="java_1" data-text="Java" tabindex="-1">Java</h3> <p>You must download the <a href="https://github.com/googleapis/google-api-java-client" class="external">Google APIs client library for Java</a> to use this sample.</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-c1">// Ensure that there is no request forgery going on, and that the user</span> <span class="devsite-syntax-c1">// sending us this connect request is the user that was supposed to.</span> <span class="devsite-syntax-k">if</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-o">!</span><span class="devsite-syntax-n">request</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">queryParams</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"state"</span><span class="devsite-syntax-p">).</span><span class="devsite-syntax-na">equals</span><span class="devsite-syntax-p">(</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">request</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">session</span><span class="devsite-syntax-p">().</span><span class="devsite-syntax-na">attribute</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"state"</span><span class="devsite-syntax-p">)))</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">response</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">status</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-mi">401</span><span class="devsite-syntax-p">);</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-k">return</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">GSON</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">toJson</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"Invalid state parameter."</span><span class="devsite-syntax-p">);</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> </section> <section> <h3 id="python_1" data-text="Python" tabindex="-1">Python</h3> <p>You must download the <a href="https://github.com/googleapis/google-api-python-client" class="external">Google APIs client library for Python</a> to use this sample.</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-c1"># Ensure that the request is not a forgery and that the user sending</span> <span class="devsite-syntax-c1"># this connect request is the expected user.</span> <span class="devsite-syntax-k">if</span> <span class="devsite-syntax-n">request</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">args</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">get</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s1">'state'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-s1">''</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-o">!=</span> <span class="devsite-syntax-n">session</span><span class="devsite-syntax-p">[</span><span class="devsite-syntax-s1">'state'</span><span class="devsite-syntax-p">]:</span> <span class="devsite-syntax-n">response</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">make_response</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">json</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">dumps</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s1">'Invalid state parameter.'</span><span class="devsite-syntax-p">),</span> <span class="devsite-syntax-mi">401</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-n">response</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">headers</span><span class="devsite-syntax-p">[</span><span class="devsite-syntax-s1">'Content-Type'</span><span class="devsite-syntax-p">]</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-s1">'application/json'</span> <span class="devsite-syntax-k">return</span> <span class="devsite-syntax-n">response</span></pre></devsite-code> </section> </div> <h4 id="exchangecode" data-text="4. Exchange code for access token and ID token" tabindex="-1">4. Exchange <code translate="no" dir="ltr">code</code> for access token and ID token</h4> <p>The response includes a <code translate="no" dir="ltr">code</code> parameter, a one-time authorization code that your server can exchange for an access token and ID token. Your server makes this exchange by sending an HTTPS <code translate="no" dir="ltr">POST</code> request. The <code translate="no" dir="ltr">POST</code> request is sent to the token endpoint, which you should retrieve from the <a href="#discovery">Discovery document</a> using the <code translate="no" dir="ltr">token_endpoint</code> metadata value. The following discussion assumes the endpoint is <code translate="no" dir="ltr">https://oauth2.googleapis.com/token</code>. The request must include the following parameters in the <code translate="no" dir="ltr">POST</code> body:</p> <table class="responsive"> <thead> <tr> <th colspan="2">Fields</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">code</code></td> <td>The authorization code that is returned from <a href="#sendauthrequest">the initial request</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">client_id</code></td> <td>The client ID that you obtain from the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>, as described in <a href="#getcredentials">Obtain OAuth 2.0 credentials</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">client_secret</code></td> <td>The client secret that you obtain from the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>, as described in <a href="#getcredentials">Obtain OAuth 2.0 credentials</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">redirect_uri</code></td> <td>An authorized redirect URI for the given <code translate="no" dir="ltr">client_id</code> specified in the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>, as described in <a href="#setredirecturi">Set a redirect URI</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">grant_type</code></td> <td>This field must contain a value of <code translate="no" dir="ltr">authorization_code</code>, <a href="https://tools.ietf.org/html/rfc6749#section-4.1.3" class="external"> as defined in the OAuth 2.0 specification</a>.</td> </tr> </tbody> </table> <p>The actual request might look like the following example:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> POST /token HTTP/1.1 Host: oauth2.googleapis.com Content-Type: application/x-www-form-urlencoded code=<var translate="no">4/P7q7W91a-oMsCeLvIaQm6bTrgtp7</var>& client_id=<var translate="no">your-client-id</var>& client_secret=<var translate="no">your-client-secret</var>& redirect_uri=<var translate="no">https%3A//oauth2.example.com/code</var>& grant_type=authorization_code</pre></devsite-code> <p>A successful response to this request contains the following fields in a JSON array:</p> <table class="responsive"> <thead> <tr> <th colspan="2">Fields</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">access_token</code></td> <td>A token that can be sent to a Google API.</td> </tr> <tr> <td><code translate="no" dir="ltr">expires_in</code></td> <td>The remaining lifetime of the access token in seconds.</td> </tr> <tr> <td><code translate="no" dir="ltr">id_token</code></td> <td>A <a href="https://tools.ietf.org/html/rfc7519" class="external">JWT</a> that contains identity information about the user that is digitally signed by Google.</td> </tr> <tr> <td><code translate="no" dir="ltr">scope</code></td> <td>The scopes of access granted by the <code translate="no" dir="ltr">access_token</code> expressed as a list of space-delimited, case-sensitive strings.</td> </tr> <tr> <td><code translate="no" dir="ltr">token_type</code></td> <td>Identifies the type of token returned. At this time, this field always has the value <a href="https://tools.ietf.org/html/rfc6750" class="external"><code translate="no" dir="ltr">Bearer</code></a>. </td> </tr> <tr> <td><code translate="no" dir="ltr">refresh_token</code></td> <td>(optional) <p>This field is only present if the <a href="#access-type-param"><code translate="no" dir="ltr">access_type</code></a> parameter was set to <code translate="no" dir="ltr">offline</code> in the <a href="#sendauthrequest">authentication request</a>. For details, see <a href="#refresh-tokens">Refresh tokens</a>.</p></td> </tr> </tbody> </table> <aside class="note"><b>Note:</b> There is a limit to the number of tokens per Google user account, and any authentication request above this limit might quietly invalidate an outstanding refresh token. For details, see <a href="/identity/protocols/oauth2#expiration">Token expiration</a>.</aside> <h4 id="obtainuserinfo" data-text="5. Obtain user information from the ID token" tabindex="-1">5. Obtain user information from the ID token</h4> <p>An ID Token is a <a href="https://tools.ietf.org/html/rfc7519" class="external">JWT</a> (JSON Web Token), that is, a cryptographically signed Base64-encoded JSON object. Normally, it is critical that you <a href="#validatinganidtoken">validate an ID token</a> before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid. If your server passes the ID token to other components of your app, it is extremely important that the other components <a href="#validatinganidtoken">validate the token</a> before using it.</p> <p>Since most API libraries combine the validation with the work of decoding the base64url-encoded values and parsing the JSON within, you will probably end up validating the token anyway as you access the claims in the ID token.</p> <h5 id="an-id-tokens-payload" data-text="An ID token's payload" tabindex="-1">An ID token's payload</h5> <p>An ID token is a JSON object containing a set of name/value pairs. Here's an example, formatted for readability:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iss"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://accounts.google.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"azp"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"1234987819200.apps.googleusercontent.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"aud"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"1234987819200.apps.googleusercontent.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"sub"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"10769150350006150715113082367"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"at_hash"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"HK6E_P6Dh8Y93mRNtsDB1Q"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"hd"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"example.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"email"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"jsmith@example.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"email_verified"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"true"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iat"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1353601026</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"exp"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1353604926</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"nonce"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"0394852-3190485-2490358"</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <p>Google ID Tokens may contain the following fields (known as <i>claims</i>):</p> <table> <thead> <tr> <th>Claim</th> <th>Provided</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">aud</code></td> <td>always</td> <td>The audience that this ID token is intended for. It must be one of the OAuth 2.0 client IDs of your application.</td> </tr> <tr> <td><code translate="no" dir="ltr">exp</code></td> <td>always</td> <td>Expiration time on or after which the ID token must not be accepted. Represented in Unix time (integer seconds).</td> </tr> <tr> <td><code translate="no" dir="ltr">iat</code></td> <td>always</td> <td>The time the ID token was issued. Represented in Unix time (integer seconds).</td> </tr> <tr> <td><code translate="no" dir="ltr">iss</code></td> <td>always</td> <td>The Issuer Identifier for the Issuer of the response. Always <code translate="no" dir="ltr">https://accounts.google.com</code> or <code translate="no" dir="ltr">accounts.google.com</code> for Google ID tokens.</td> </tr> <tr> <td><code translate="no" dir="ltr">sub</code></td> <td>always</td> <td>An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple email addresses at different points in time, but the <code translate="no" dir="ltr">sub</code> value is never changed. Use <code translate="no" dir="ltr">sub</code> within your application as the unique-identifier key for the user. Maximum length of 255 case-sensitive ASCII characters.</td> </tr> <tr> <td><code translate="no" dir="ltr">at_hash</code></td> <td></td> <td>Access token hash. Provides validation that the access token is tied to the identity token. If the ID token is issued with an <code translate="no" dir="ltr">access_token</code> value in the server flow, this claim is always included. This claim can be used as an alternate mechanism to protect against cross-site request forgery attacks, but if you follow <a href="#createxsrftoken">Step 1</a> and <a href="#confirmxsrftoken">Step 3</a> it is not necessary to verify the access token.</td> </tr> <tr> <td><code translate="no" dir="ltr">azp</code></td> <td></td> <td>The <code translate="no" dir="ltr">client_id</code> of the authorized presenter. This claim is only needed when the party requesting the ID token is not the same as the audience of the ID token. This may be the case at Google for hybrid apps where a web application and Android app have a different OAuth 2.0 <code translate="no" dir="ltr">client_id</code> but share the same Google APIs project.</td> </tr> <tr> <td><code translate="no" dir="ltr">email</code></td> <td></td> <td>The user's email address. Provided only if you included the <code translate="no" dir="ltr">email</code> scope in your request. The value of this claim may not be unique to this account and could change over time, therefore you should not use this value as the primary identifier to link to your user record. You also can't rely on the domain of the <code translate="no" dir="ltr">email</code> claim to identify users of Google Workspace or Cloud organizations; use the <code translate="no" dir="ltr">hd</code> claim instead.</td> </tr> <tr> <td><code translate="no" dir="ltr">email_verified</code></td> <td></td> <td>True if the user's e-mail address has been verified; otherwise false.</td> </tr> <tr> <td><code translate="no" dir="ltr">family_name</code></td> <td></td> <td>The user's surname(s) or last name(s). Might be provided when a <a href="#id_token-name"><code translate="no" dir="ltr">name</code></a> claim is present.</td> </tr> <tr> <td><code translate="no" dir="ltr">given_name</code></td> <td></td> <td>The user's given name(s) or first name(s). Might be provided when a <a href="#id_token-name"><code translate="no" dir="ltr">name</code></a> claim is present.</td> </tr> <tr id="id_token-hd"> <td><code translate="no" dir="ltr">hd</code></td> <td></td> <td>The domain associated with the Google Workspace or Cloud organization of the user. Provided only if the user belongs to a Google Cloud organization. You must check this claim when restricting access to a resource to only members of certain domains. The absence of this claim indicates that the account does not belong to a Google hosted domain.</td> </tr> <tr> <td><code translate="no" dir="ltr">locale</code></td> <td></td> <td>The user's locale, represented by a <a href="https://tools.ietf.org/html/bcp47" class="external">BCP 47</a> language tag. Might be provided when a <a href="#id_token-name"><code translate="no" dir="ltr">name</code></a> claim is present.</td> </tr> <tr id="id_token-name"> <td><code translate="no" dir="ltr">name</code></td> <td></td> <td>The user's full name, in a displayable form. Might be provided when: <ul> <li>The request scope included the string "profile"</li> <li>The ID token is returned from a token refresh</li> </ul> <p>When <code translate="no" dir="ltr">name</code> claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.</p></td> </tr> <tr id="id_token-nonce"> <td><code translate="no" dir="ltr">nonce</code></td> <td></td> <td>The value of the <code translate="no" dir="ltr">nonce</code> supplied by your app in the authentication request. You should enforce protection against replay attacks by ensuring it is presented only once.</td> </tr> <tr> <td><code translate="no" dir="ltr">picture</code></td> <td></td> <td>The URL of the user's profile picture. Might be provided when: <ul> <li>The request scope included the string "profile"</li> <li>The ID token is returned from a token refresh</li> </ul> <p>When <code translate="no" dir="ltr">picture</code> claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.</p></td> </tr> <tr> <td><code translate="no" dir="ltr">profile</code></td> <td></td> <td>The URL of the user's profile page. Might be provided when: <ul> <li>The request scope included the string "profile"</li> <li>The ID token is returned from a token refresh</li> </ul> <p>When <code translate="no" dir="ltr">profile</code> claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.</p></td> </tr> </tbody> </table> <h4 id="authuser" data-text="6. Authenticate the user" tabindex="-1">6. Authenticate the user</h4> <p>After obtaining user information from the ID token, you should query your app's user database. If the user already exists in your database, you should start an application session for that user if all login requirements are met by the Google API response.</p> <p>If the user does not exist in your user database, you should redirect the user to your new-user sign-up flow. You may be able to auto-register the user based on the information you receive from Google, or at the very least you may be able to pre-populate many of the fields that you require on your registration form. In addition to the information in the ID token, you can get additional <a href="#obtaininguserprofileinformation">user profile information</a> at our user profile endpoints.</p> </section> <section> <h2 id="advancedtopics" data-text="Advanced topics" tabindex="-1">Advanced topics</h2> <p>The following sections describe the Google OAuth 2.0 API in greater detail. This information is intended for developers with advanced requirements around authentication and authorization.</p> <h3 id="offlineaccess" data-text="Access to other Google APIs" tabindex="-1">Access to other Google APIs</h3> <p>One of the advantages of using OAuth 2.0 for authentication is that your application can get permission to use other Google APIs on behalf of the user (such as YouTube, Google Drive, Calendar, or Contacts) at the same time as you authenticate the user. To do this, include the other scopes that you need in the <a href="#sendauthrequest">authentication request</a> that you send to Google. For example, to add user's age group to your authentication request, pass a scope parameter of <code translate="no" dir="ltr">openid email https://www.googleapis.com/auth/profile.agerange.read</code>. The user is prompted appropriately on the <a href="#consentpageexperience">consent screen</a>. The access token that you receive back from Google allows you to access all the APIs related to the scopes of access you requested and were granted.</p> <aside class="note"><b>Note:</b> If your application is asking for many scopes, the consent screen contains many lines of text. The more scopes your application requests, the less likely it is that the user will consent, so your application should ask only for the scopes it needs.</aside> <h3 id="refresh-tokens" data-text="Refresh tokens" tabindex="-1">Refresh tokens</h3> <p>In your request for API access you can request a refresh token to be returned during the <a href="#exchangecode"><code translate="no" dir="ltr">code</code> exchange</a>. A refresh token provides your app continuous access to Google APIs while the user is not present in your application. To request a refresh token, add set the <a href="#access-type-param"><code translate="no" dir="ltr">access_type</code></a> parameter to <code translate="no" dir="ltr">offline</code> in your <a href="#sendauthrequest">authentication request</a>.</p> <p>Considerations:</p> <ul> <li>Be sure to store the refresh token safely and permanently, because you can only obtain a refresh token the first time that you perform the code exchange flow.</li> <li>There are limits on the number of refresh tokens that are issued: one limit per client/user combination, and another per user across all clients. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens stop working.</li> </ul> <p>For more information, see <a href="/identity/protocols/oauth2/web-server#offline">Refreshing an access token (offline access)</a>.</p> <h3 id="re-consent" data-text="Prompting re-consent" tabindex="-1">Prompting re-consent</h3> <p>You can prompt the user to re-authorize your app by setting the <a href="#prompt"><code translate="no" dir="ltr">prompt</code></a> parameter to <code translate="no" dir="ltr">consent</code> in your <a href="#sendauthrequest">authentication request</a>. When <code translate="no" dir="ltr">prompt=consent</code> is included, the consent screen is displayed every time your app requests authorization of scopes of access, even if all scopes were previously granted to your Google APIs project. For this reason, include <code translate="no" dir="ltr">prompt=consent</code> only when necessary.</p> <p>For more about the <code translate="no" dir="ltr">prompt</code> parameter, see <a href="#prompt"><code translate="no" dir="ltr">prompt</code></a> in the <a href="#authenticationuriparameters">Authentication URI parameters</a> table.</p> <h3 id="authenticationuriparameters" data-text="Authentication URI parameters" tabindex="-1">Authentication URI parameters</h3> <p>The following table gives more complete descriptions of the parameters accepted by Google's OAuth 2.0 authentication API.</p> <table> <thead> <tr> <th>Parameter</th> <th>Required</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">client_id</code></td> <td>(Required)</td> <td>The client ID string that you obtain from the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>, as described in <a href="#getcredentials">Obtain OAuth 2.0 credentials</a>.</td> </tr> <tr id="nonce-param"> <td><code translate="no" dir="ltr">nonce</code></td> <td>(Required)</td> <td>A random value generated by your app that enables replay protection.</td> </tr> <tr id="response-type"> <td><code translate="no" dir="ltr">response_type</code></td> <td>(Required)</td> <td>If the value is <code translate="no" dir="ltr">code</code>, launches a <a href="https://openid.net/specs/openid-connect-basic-1_0.html" class="external">Basic authorization code flow</a>, requiring a <code translate="no" dir="ltr">POST</code> to the token endpoint to obtain the tokens. If the value is <code translate="no" dir="ltr">token id_token</code> or <code translate="no" dir="ltr">id_token token</code>, launches an <a href="https://openid.net/specs/openid-connect-implicit-1_0.html" class="external">Implicit flow</a>, requiring the use of JavaScript at the redirect URI to retrieve tokens from the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web#Fragment" class="external">URI <code translate="no" dir="ltr">#fragment</code> identifier</a>.</td> </tr> <tr id="redirect"> <td><code translate="no" dir="ltr">redirect_uri</code></td> <td>(Required)</td> <td>Determines where the response is sent. The value of this parameter must exactly match one of the authorized redirect values that you set in the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a> (including the HTTP or HTTPS scheme, case, and trailing '/', if any).</td> </tr> <tr id="scope-param"> <td><code translate="no" dir="ltr">scope</code></td> <td>(Required)</td> <td><p>The scope parameter must begin with the <code translate="no" dir="ltr">openid</code> value and then include the <code translate="no" dir="ltr">profile</code> value, the <code translate="no" dir="ltr">email</code> value, or both.</p> <p>If the <code translate="no" dir="ltr">profile</code> scope value is present, the ID token might (but is not guaranteed to) include the user's default <code translate="no" dir="ltr">profile</code> claims.</p> <p>If the <code translate="no" dir="ltr">email</code> scope value is present, the ID token includes <code translate="no" dir="ltr">email</code> and <code translate="no" dir="ltr">email_verified</code> claims.</p> <p>In addition to these OpenID-specific scopes, your scope argument can also include other scope values. All scope values must be space-separated. For example, if you wanted per-file access to a user's Google Drive, your scope parameter might be <code translate="no" dir="ltr">openid profile email https://www.googleapis.com/auth/drive.file</code>.</p> <p>For information about available scopes, see <a href="/identity/protocols/oauth2/scopes">OAuth 2.0 Scopes for Google APIs</a> or the documentation for the Google API you would like to use.</p></td> </tr> <tr id="state-param"> <td><code translate="no" dir="ltr">state</code></td> <td>(Optional, but strongly recommended)</td> <td><p>An opaque string that is round-tripped in the protocol; that is to say, it is returned as a URI parameter in the Basic flow, and in the URI <code translate="no" dir="ltr">#fragment</code> identifier in the Implicit flow.</p> <p>The <code translate="no" dir="ltr">state</code> can be useful for correlating requests and responses. Because your <code translate="no" dir="ltr">redirect_uri</code> can be guessed, using a <code translate="no" dir="ltr">state</code> value can increase your assurance that an incoming connection is the result of an authentication request initiated by your app. If you <a href="#createxsrftoken">generate a random string</a> or encode the hash of some client state (e.g., a cookie) in this <code translate="no" dir="ltr">state</code> variable, you can validate the response to additionally ensure that the request and response originated in the same browser. This provides protection against attacks such as cross-site request forgery.</p></td> </tr> <tr id="access-type-param"> <td><code translate="no" dir="ltr">access_type</code></td> <td>(Optional)</td> <td>The allowed values are <code translate="no" dir="ltr">offline</code> and <code translate="no" dir="ltr">online</code>. The effect is documented in <a href="/identity/protocols/oauth2/web-server#offline">Offline Access</a>; if an access token is being requested, the client does not receive a refresh token unless a value of <code translate="no" dir="ltr">offline</code> is specified.</td> </tr> <tr> <td><code translate="no" dir="ltr">display</code></td> <td>(Optional)</td> <td>An ASCII string value for specifying how the authorization server displays the authentication and consent user interface pages. The following values are specified, and accepted by the Google servers, but do not have any effect on its behavior: <code translate="no" dir="ltr">page</code>, <code translate="no" dir="ltr">popup</code>, <code translate="no" dir="ltr">touch</code>, and <code translate="no" dir="ltr">wap</code>.</td> </tr> <tr> <td id="hd-param"><code translate="no" dir="ltr">hd</code></td> <td>(Optional)</td> <td><p>Streamline the login process for accounts owned by a Google Cloud organization. By including the Google Cloud organization domain (for example, <var translate="no">mycollege.edu</var>), you can indicate that the account selection UI should be optimized for accounts at that domain. To optimize for Google Cloud organization accounts generally instead of just one Google Cloud organization domain, set a value of an asterisk (<code translate="no" dir="ltr">*</code>): <code translate="no" dir="ltr">hd=*</code>.</p> <p>Don't rely on this UI optimization to control who can access your app, as client-side requests can be modified. Be sure to <a href="#validatinganidtoken">validate</a> that the <a href="#obtainuserinfo">returned ID token</a> has an <code translate="no" dir="ltr">hd</code> claim value that matches what you expect (e.g. <var translate="no">mycolledge.edu</var>). Unlike the request parameter, the ID token <code translate="no" dir="ltr">hd</code> claim is contained within a security token from Google, so the value can be trusted.</p></td> </tr> <tr> <td><code translate="no" dir="ltr">include_granted_scopes</code></td> <td>(Optional)</td> <td>If this parameter is provided with the value <code translate="no" dir="ltr">true</code>, and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes; see <a href="/identity/protocols/oauth2/web-server#incrementalAuth">Incremental authorization</a>. <p>Note that you cannot do incremental authorization with the Installed App flow.</p> </td> </tr> <tr id="login-hint"> <td><code translate="no" dir="ltr">login_hint</code></td> <td>(Optional)</td> <td>When your app knows which user it is trying to authenticate, it can provide this parameter as a hint to the authentication server. Passing this hint suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session (if the user is using <a href="https://support.google.com/accounts/answer/1721977" class="external">multiple sign-in</a>), which can help you avoid problems that occur if your app logs in the wrong user account. The value can be either an email address or the <code translate="no" dir="ltr">sub</code> string, which is equivalent to the user's Google ID.</td> </tr> <tr id="prompt"> <td><code translate="no" dir="ltr">prompt</code></td> <td>(Optional)</td> <td>A space-delimited list of string values that specifies whether the authorization server prompts the user for reauthentication and consent. The possible values are: <ul> <li><code translate="no" dir="ltr">none</code> <p>The authorization server does not display any authentication or user consent screens; it will return an error if the user is not already authenticated and has not pre-configured consent for the requested scopes. You can use <code translate="no" dir="ltr">none</code> to check for existing authentication and/or consent.</p></li> <li><code translate="no" dir="ltr">consent</code> <p>The authorization server prompts the user for consent before returning information to the client.</p></li> <li><code translate="no" dir="ltr">select_account</code> <p>The authorization server prompts the user to select a user account. This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.</p></li> </ul> <p>If no value is specified and the user has not previously authorized access, then the user is shown a consent screen.</p></td> </tr> </tbody> </table> <h3 id="validatinganidtoken" data-text="Validating an ID token" tabindex="-1">Validating an ID token</h3> <p>You need to validate all ID tokens on your server unless you know that they came directly from Google. For example, your server must verify as authentic any ID tokens it receives from your client apps.</p> <p>The following are common situations where you might send ID tokens to your server:</p> <ul> <li>Sending ID tokens with requests that need to be authenticated. The ID tokens tell you the particular user making the request and for which client that ID token was granted.</li> </ul> <p>ID tokens are sensitive and can be misused if intercepted. You must ensure that these tokens are handled securely by transmitting them only over HTTPS and only via POST data or within request headers. If you store ID tokens on your server, you must also store them securely.</p> <p>One thing that makes ID tokens useful is that fact that you can pass them around different components of your app. These components can use an ID token as a lightweight authentication mechanism authenticating the app and the user. But before you can use the information in the ID token or rely on it as an assertion that the user has authenticated, you <strong>must</strong> validate it.</p> <p>Validation of an ID token requires several steps:</p> <ol> <li>Verify that the ID token is properly signed by the issuer. Google-issued tokens are signed using one of the certificates found at the URI specified in the <code translate="no" dir="ltr">jwks_uri</code> metadata value of the <a href="#discovery">Discovery document</a>.</li> <li>Verify that the value of the <code translate="no" dir="ltr">iss</code> claim in the ID token is equal to <code translate="no" dir="ltr">https://accounts.google.com</code> or <code translate="no" dir="ltr">accounts.google.com</code>.</li> <li>Verify that the value of the <code translate="no" dir="ltr">aud</code> claim in the ID token is equal to your app's client ID.</li> <li>Verify that the expiry time (<code translate="no" dir="ltr">exp</code> claim) of the ID token has not passed.</li> <li>If you specified a <a href="#hd-param">hd parameter</a> value in the request, verify that the ID token has a <code translate="no" dir="ltr">hd</code> claim that matches an accepted domain associated with a Google Cloud organization.</li> </ol> <p>Steps 2 to 5 involve only string and date comparisons which are quite straightforward, so we won't detail them here.</p> <p>The first step is more complex, and involves cryptographic signature checking. For <em>debugging</em> purposes, you can use Google's <code translate="no" dir="ltr">tokeninfo</code> endpoint to compare against local processing implemented on your server or device. Suppose your ID token's value is <code translate="no" dir="ltr">XYZ123</code>. Then you would dereference the URI <code translate="no" dir="ltr">https://oauth2.googleapis.com/tokeninfo?id_token=<var translate="no">XYZ123</var></code>. If the token signature is valid, the response would be the JWT payload in its decoded JSON object form.</p> <p>The <code translate="no" dir="ltr">tokeninfo</code> endpoint is useful for debugging but for production purposes, retrieve Google's public keys from the keys endpoint and perform the validation locally. You should retrieve the keys URI from the <a href="#discovery">Discovery document</a> using the <code translate="no" dir="ltr">jwks_uri</code> metadata value. Requests to the debugging endpoint may be throttled or otherwise subject to intermittent errors.</p> <p>Since Google changes its public keys only infrequently, you can cache them using the cache directives of the HTTP response and, in the vast majority of cases, perform local validation much more efficiently than by using the <code translate="no" dir="ltr">tokeninfo</code> endpoint. This validation requires retrieving and parsing certificates, and making the appropriate cryptographic calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this (see <a href="https://jwt.io/" class="external">jwt.io</a>).</p> <h3 id="obtaininguserprofileinformation" data-text="Obtaining user profile information" tabindex="-1">Obtaining user profile information</h3> <p>To obtain additional profile information about the user, you can use the access token (which your application receives during the <a href="#authenticatingtheuser">authentication flow</a>) and the <a href="https://openid.net/specs/openid-connect-core-1_0.html" class="external">OpenID Connect</a> standard:</p> <ol> <li><p>To be OpenID-compliant, you must include the <a href="/identity/protocols/oauth2/scopes#openid_connect"><code translate="no" dir="ltr">openid profile</code></a> scope values in your <a href="#sendauthrequest">authentication request</a>.</p> <p>If you want the user's email address to be included, you can specify an additional scope value of <a href="/identity/protocols/oauth2/scopes#openid-connect"><code translate="no" dir="ltr">email</code></a>. To specify both <code translate="no" dir="ltr">profile</code> and <code translate="no" dir="ltr">email</code>, you can include the following parameter in your authentication request URI:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded>scope=openid%20profile%20email</pre></devsite-code> </li> <li>Add your access token to the authorization header and make an HTTPS <code translate="no" dir="ltr">GET</code> request to the userinfo endpoint, which you should retrieve from the <a href="#discovery">Discovery document</a> using the <code translate="no" dir="ltr">userinfo_endpoint</code> metadata value. The userinfo response includes information about the user, as described in <a href="https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="external"><code translate="no" dir="ltr">OpenID Connect Standard Claims</code></a> and the <code translate="no" dir="ltr">claims_supported</code> metadata value of the Discovery document. Users or their organizations may choose to supply or withhold certain fields, so you might not get information for every field for your authorized scopes of access.</li> </ol> <h2 id="discovery" data-text="The Discovery document" tabindex="-1">The Discovery document</h2> <p>The OpenID Connect protocol requires the use of multiple endpoints for authenticating users, and for requesting resources including tokens, user information, and public keys.</p> <p>To simplify implementations and increase flexibility, OpenID Connect allows the use of a "Discovery document," a JSON document found at a well-known location containing key-value pairs which provide details about the OpenID Connect provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints. The Discovery document for Google's OpenID Connect service may be retrieved from:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded>https://accounts.google.com/.well-known/openid-configuration</pre></devsite-code> <p>To use Google's OpenID Connect services, you should hard-code the Discovery-document URI (<code translate="no" dir="ltr">https://accounts.google.com/.well-known/openid-configuration</code>) into your application. Your application fetches the document, applies caching rules in the response, then retrieves endpoint URIs from it as needed. For example, to authenticate a user, your code would retrieve the <code translate="no" dir="ltr">authorization_endpoint</code> metadata value (<code translate="no" dir="ltr">https://accounts.google.com/o/oauth2/v2/auth</code> in the example below) as the base URI for authentication requests that are sent to Google.</p> <p>Here is an example of such a document; the field names are those specified in <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata" class="external">OpenID Connect Discovery 1.0</a> (refer to that document for their meanings). The values are purely illustrative and might change, although they are copied from a recent version of the actual Google Discovery document:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"issuer"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://accounts.google.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"authorization_endpoint"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://accounts.google.com/o/oauth2/v2/auth"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"device_authorization_endpoint"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://oauth2.googleapis.com/device/code"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"token_endpoint"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://oauth2.googleapis.com/token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"userinfo_endpoint"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://openidconnect.googleapis.com/v1/userinfo"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"revocation_endpoint"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://oauth2.googleapis.com/revoke"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"jwks_uri"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://www.googleapis.com/oauth2/v3/certs"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"response_types_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"code"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"id_token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"code token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"code id_token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"token id_token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"code token id_token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"none"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">],</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"subject_types_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"public"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">],</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"id_token_signing_alg_values_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"RS256"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">],</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"scopes_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"openid"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"email"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"profile"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">],</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"token_endpoint_auth_methods_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"client_secret_post"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"client_secret_basic"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">],</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"claims_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"aud"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"email"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"email_verified"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"exp"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"family_name"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"given_name"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iat"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iss"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"locale"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"name"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"picture"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"sub"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">],</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"code_challenge_methods_supported"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"plain"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"S256"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">]</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <p>You may be able to avoid an HTTP round-trip by caching the values from the Discovery document. Standard HTTP caching headers are used and should be respected.</p> </section> <section> <h2 id="libraries" data-text="Client libraries" tabindex="-1">Client libraries</h2> <p>The following client libraries make implementing OAuth 2.0 simpler by integrating with popular frameworks:</p> <ul> <li><a href="https://github.com/googleapis/google-api-java-client"class="external"> Google APIs Client Library for Java</a></li> <li><a href="https://github.com/googleapis/google-api-python-client" class="external"> Google APIs Client Library for Python</a></li> <li><a href="/api-client-library/dotnet/guide/aaa_oauth"> Google APIs Client Library for .NET</a></li> <li><a href="https://github.com/googleapis/google-api-ruby-client" class="external"> Google APIs Client Library for Ruby</a></li> <li><a href="https://github.com/googleapis/google-api-php-client" class="external"> Google APIs Client Library for PHP</a></li> <li><a href="https://code.google.com/archive/p/gwt-oauth2/" class="external"> OAuth 2.0 Library for Google Web Toolkit</a></li> <li><a href="https://github.com/google/gtm-oauth2" class="external"> Google Toolbox for Mac OAuth 2.0 Controllers</a></li> </ul> </section> <section> <h2 id="oidc-compliance" data-text="OpenID Connect compliance" tabindex="-1">OpenID Connect compliance</h2> <p>Google's OAuth 2.0 authentication system supports the <a href="https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI" class="external">required features</a> of the <a href="https://openid.net/specs/openid-connect-core-1_0.html" class="external">OpenID Connect Core</a> specification. Any client which is designed to work with OpenID Connect should interoperate with this service (with the exception of the <a href="https://openid.net/specs/openid-connect-core-1_0.html#RequestObject" class="external">OpenID Request Object</a>).</p> </section> </div> <devsite-recommendations display="in-page" hidden yield> </devsite-recommendations> <devsite-thumb-rating position="footer"> </devsite-thumb-rating> <devsite-feedback position="footer" project-name="Authentication" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="footer" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Send feedback </button> </devsite-feedback> <devsite-recommendations id="recommendations-link" yield></devsite-recommendations> <div class="devsite-floating-action-buttons"> </div> </article> <devsite-content-footer class="nocontent"> <p>Except as otherwise noted, the content of this page is licensed under the <a href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 License</a>, and code samples are licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache 2.0 License</a>. For details, see the <a href="https://developers.google.com/site-policies">Google Developers Site Policies</a>. Java is a registered trademark of Oracle and/or its affiliates.</p> <p>Last updated 2024-11-13 UTC.</p> </devsite-content-footer> <devsite-notification > </devsite-notification> <div class="devsite-content-data"> <template class="devsite-thumb-rating-feedback"> <devsite-feedback position="thumb-rating" project-name="Authentication" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="thumb-rating" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Need to tell us more? </button> </devsite-feedback> </template> <template class="devsite-content-data-template"> [[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-13 UTC."],[],[]] </template> </div> </devsite-content> </main> <devsite-footer-promos class="devsite-footer"> <nav class="devsite-footer-promos nocontent" aria-label="Promotions"> <ul class="devsite-footer-promos-list"> <li class="devsite-footer-promo"> <a href="//github.com/googlesamples/google-services" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 1)" > <picture> <img class="devsite-footer-promo-icon" src="/static/site-assets/logo-github.svg" loading="lazy" alt="GitHub"> </picture> <span class="devsite-footer-promo-label"> GitHub </span> </a> <div class="devsite-footer-promo-description">Fork our samples and try them yourself</div> </li> <li class="devsite-footer-promo"> <a href="//stackoverflow.com/questions/tagged/google-signin" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 2)" > <picture> <img class="devsite-footer-promo-icon" src="/static/site-assets/logo-stack-overflow.svg" loading="lazy" alt="Stack Overflow"> </picture> <span class="devsite-footer-promo-label"> Stack Overflow </span> </a> <div class="devsite-footer-promo-description">Ask a question under the google-signin tag</div> </li> <li class="devsite-footer-promo"> <a href="//googledevelopers.blogspot.com/search/label/sign-in" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 3)" > <picture> <img class="devsite-footer-promo-icon" src="/static/site-assets/developers_64dp.png" loading="lazy" alt="Blog"> </picture> <span class="devsite-footer-promo-label"> Blog </span> </a> <div class="devsite-footer-promo-description">The latest news on the Google Developers blog</div> </li> <li class="devsite-footer-promo"> <a href="https://blog.chromium.org" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 4)" > <picture> <img class="devsite-footer-promo-icon" src="https://www.gstatic.com/images/icons/material/product/2x/chrome_chromium_64dp.png" loading="lazy" alt="Chromium Blog"> </picture> <span class="devsite-footer-promo-label"> Chromium Blog </span> </a> <div class="devsite-footer-promo-description">The latest news on the Chromium blog.</div> </li> </ul> </nav> </devsite-footer-promos> <devsite-footer-linkboxes class="devsite-footer"> <nav class="devsite-footer-linkboxes nocontent" aria-label="Footer links"> <ul class="devsite-footer-linkboxes-list"> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Product Info</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/terms" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" > Terms of Service </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/identity/branding-guidelines" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" > Branding Guidelines </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Help</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="//stackoverflow.com/questions/tagged/google-signin" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" > Sign In With Google </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//stackoverflow.com/questions/tagged/google-identity" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" > Google Identity </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Developer consoles</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="//console.developers.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" > Google API Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.cloud.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" > Google Cloud Platform Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//play.google.com/apps/publish" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" > Google Play Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.firebase.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" > Firebase Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.actions.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" > Actions on Google Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//cast.google.com/publish" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" > Cast SDK Developer Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//chrome.google.com/webstore/developer/dashboard" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" > Chrome Web Store Dashboard </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.home.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" > Google Home Developer Console </a> </li> </ul> </li> </ul> </nav> </devsite-footer-linkboxes> <devsite-footer-utility class="devsite-footer"> <div class="devsite-footer-utility nocontent"> <nav class="devsite-footer-sites" aria-label="Other Google Developers websites"> <a href="https://developers.google.com/" class="devsite-footer-sites-logo-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Google Developers Link"> <picture> <img class="devsite-footer-sites-logo" src="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/lockup-google-for-developers.svg" loading="lazy" alt="Google Developers"> </picture> </a> <ul class="devsite-footer-sites-list"> <li class="devsite-footer-sites-item"> <a href="//developer.android.com" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Android Link" > Android </a> </li> <li class="devsite-footer-sites-item"> <a href="//developer.chrome.com/home" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Chrome Link" > Chrome </a> </li> <li class="devsite-footer-sites-item"> <a href="//firebase.google.com" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Firebase Link" > Firebase </a> </li> <li class="devsite-footer-sites-item"> <a href="//cloud.google.com" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Google Cloud Platform Link" > Google Cloud Platform </a> </li> <li class="devsite-footer-sites-item"> <a href="//ai.google.dev/" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Google AI Link" > Google AI </a> </li> <li class="devsite-footer-sites-item"> <a href="/products" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer All products Link" > All products </a> </li> </ul> </nav> <nav class="devsite-footer-utility-links" aria-label="Utility links"> <ul class="devsite-footer-utility-list"> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="/terms/site-terms" data-category="Site-Wide Custom Events" data-label="Footer Terms link" > Terms </a> </li> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="//policies.google.com/privacy" data-category="Site-Wide Custom Events" data-label="Footer Privacy link" > Privacy </a> </li> <li class="devsite-footer-utility-item glue-cookie-notification-bar-control"> <a class="devsite-footer-utility-link gc-analytics-event" href="#" data-category="Site-Wide Custom Events" data-label="Footer Manage cookies link" aria-hidden="true" > Manage cookies </a> </li> <li class="devsite-footer-utility-item devsite-footer-utility-button"> <span class="devsite-footer-utility-description">Sign up for the Google for Developers newsletter</span> <a class="devsite-footer-utility-link gc-analytics-event" href="/newsletter/subscribe" data-category="Site-Wide Custom Events" data-label="Footer Subscribe link" > Subscribe </a> </li> </ul> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es" >Español</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pl" >Polski</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="vi" >Tiếng Việt</a> </li> <li role="presentation"> <a role="menuitem" lang="tr" >Türkçe</a> </li> <li role="presentation"> <a role="menuitem" lang="ru" >Русский</a> </li> <li role="presentation"> <a role="menuitem" lang="he" >עברית</a> </li> <li role="presentation"> <a role="menuitem" lang="ar" >العربيّة</a> </li> <li role="presentation"> <a role="menuitem" lang="fa" >فارسی</a> </li> <li role="presentation"> <a role="menuitem" lang="hi" >हिंदी</a> </li> <li role="presentation"> <a role="menuitem" lang="bn" >বাংলা</a> </li> <li role="presentation"> <a role="menuitem" lang="th" >ภาษาไทย</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_tw" >中文 – 繁體</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> </nav> </div> </devsite-footer-utility> <devsite-panel></devsite-panel> <devsite-concierge data-info-panel data-ai-panel data-api-explorer-panel > </devsite-concierge> </section></section> <devsite-sitemask></devsite-sitemask> <devsite-snackbar></devsite-snackbar> <devsite-tooltip ></devsite-tooltip> <devsite-heading-link></devsite-heading-link> <devsite-analytics> <script type="application/json" analytics>[{"dimensions": {"dimension5": "en", "dimension3": false, "dimension4": "Authentication", "dimension11": false, "dimension1": "Signed out", "dimension6": "en"}, "gaid": "UA-24532603-1", "metrics": {"ratings_count": "metric2", "ratings_value": "metric1"}, "purpose": 1}]</script> <script type="application/json" tag-management>{"at": "True", "ga4": [{"id": "G-272J68FCRF", "purpose": 1}], "ga4p": [{"id": "G-272J68FCRF", "purpose": 1}], "gtm": [], "parameters": {"internalUser": "False", "language": {"machineTranslated": "False", "requested": "en", "served": "en"}, "pageType": "article", "projectName": "Authentication", "signedIn": "False", "tenant": "developers", "recommendations": {"sourcePage": "", "sourceType": 0, "sourceRank": 0, "sourceIdenticalDescriptions": 0, "sourceTitleWords": 0, "sourceDescriptionWords": 0, "experiment": ""}, "experiment": {"ids": ""}}}</script> </devsite-analytics> <devsite-badger></devsite-badger> <script nonce="ICGbGC3Gj2uLd2fZP5iMeKRV71R3Gf"> (function(d,e,v,s,i,t,E){d['GoogleDevelopersObject']=i; t=e.createElement(v);t.async=1;t.src=s;E=e.getElementsByTagName(v)[0]; E.parentNode.insertBefore(t,E);})(window, document, 'script', 'https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/js/app_loader.js', '[1,"en",null,"/js/devsite_app_module.js","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers","https://developers-dot-devsite-v2-prod.appspot.com",null,null,["/_pwa/developers/manifest.json","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/images/video-placeholder.svg","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/favicon-new.png","https://fonts.googleapis.com/css?family=Google+Sans:400,500|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"],1,null,[1,6,8,12,14,17,21,25,50,52,63,70,75,76,80,87,91,92,93,97,98,100,101,102,103,104,105,107,108,109,110,112,113,117,118,120,122,124,125,126,127,129,130,131,132,133,134,135,136,138,140,141,147,148,149,151,152,156,157,158,159,161,163,164,168,169,170,179,180,182,183,186,191,193,196],"AIzaSyAP-jjEJBzmIyKR4F-3XITp8yM9T1gEEI8","AIzaSyB6xiKGDR5O3Ak2okS4rLkauxGUG7XP0hg","developers.google.com","AIzaSyAQk0fBONSGUqCNznf6Krs82Ap1-NV6J4o","AIzaSyCCxcqdrZ_7QMeLCRY20bh_SXdAYqy70KY",null,null,null,["Concierge__enable_concierge","Concierge__enable_pushui","Profiles__enable_completecodelab_endpoint","Profiles__enable_recognition_badges","MiscFeatureFlags__developers_footer_image","Experiments__reqs_query_experiments","MiscFeatureFlags__enable_view_transitions","BookNav__enable_tenant_cache_key","TpcFeatures__enable_required_headers","Analytics__enable_clearcut_logging","MiscFeatureFlags__emergency_css","EngEduTelemetry__enable_engedu_telemetry","MiscFeatureFlags__developers_footer_dark_image","Profiles__enable_awarding_url","Profiles__enable_public_developer_profiles","DevPro__enable_cloud_innovators_plus","Search__enable_suggestions_from_borg","MiscFeatureFlags__enable_variable_operator","Cloud__enable_cloud_shell","Concierge__enable_concierge_restricted","Profiles__enable_release_notes_notifications","Search__enable_page_map","Cloud__enable_legacy_calculator_redirect","Profiles__enable_developer_profiles_callout","Profiles__enable_dashboard_curated_recommendations","Profiles__enable_page_saving","Cloud__enable_cloud_shell_fte_user_flow","CloudShell__cloud_shell_button","Cloud__enable_llm_concierge_chat","Search__enable_ai_search_summaries","Cloud__enable_cloudx_experiment_ids","Search__enable_dynamic_content_confidential_banner","CloudShell__cloud_code_overflow_menu","Cloud__enable_free_trial_server_call","TpcFeatures__enable_mirror_tenant_redirects","Search__enable_ai_eligibility_checks","Profiles__enable_profile_collections","Profiles__require_profile_eligibility_for_signin","Cloud__enable_cloud_facet_chat","Cloud__enable_cloudx_ping","Significatio__enable_by_tenant","Cloud__enable_cloud_dlp_service","MiscFeatureFlags__enable_explain_this_code","MiscFeatureFlags__enable_project_variables","Search__enable_ai_search_summaries_restricted","MiscFeatureFlags__enable_firebase_utm","Profiles__enable_complete_playlist_endpoint","DevPro__enable_developer_subscriptions"],null,null,"AIzaSyBLEMok-5suZ67qRPzx0qUtbnLmyT_kCVE","https://developerscontentserving-pa.clients6.google.com","AIzaSyCM4QpTRSqP5qI4Dvjt4OAScIN8sOUlO-k","https://developerscontentsearch-pa.clients6.google.com",1,4,null,"https://developerprofiles-pa.clients6.google.com",[1,"developers","Google for Developers","developers.google.com",null,"developers-dot-devsite-v2-prod.appspot.com",null,null,[1,1,[1],null,null,null,null,null,null,null,null,[1],null,null,null,null,null,null,[1],[1,null,null,[1,20],"/recommendations/information"],null,null,null,[1,1,1],[1,1,null,1,1]],null,[null,null,null,null,null,null,"/images/lockup-new.svg","/images/touchicon-180-new.png",null,null,null,null,1,null,null,null,null,null,null,null,null,1,null,null,null,"/images/lockup-dark-theme-new.svg",[]],[],null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,[6,1,14,15,20,22,23,29,32,36],null,[[null,null,null,[3,7,10,2,39,17,4,32,24,11,12,13,34,15,25],null,null,[1,[["docType","Choose a content type",[["Tutorial",null,null,null,null,null,null,null,null,"Tutorial"],["Guide",null,null,null,null,null,null,null,null,"Guide"],["Sample",null,null,null,null,null,null,null,null,"Sample"]]],["product","Choose a product",[["Android",null,null,null,null,null,null,null,null,"Android"],["ARCore",null,null,null,null,null,null,null,null,"ARCore"],["ChromeOS",null,null,null,null,null,null,null,null,"ChromeOS"],["Firebase",null,null,null,null,null,null,null,null,"Firebase"],["Flutter",null,null,null,null,null,null,null,null,"Flutter"],["Assistant",null,null,null,null,null,null,null,null,"Google Assistant"],["GoogleCloud",null,null,null,null,null,null,null,null,"Google Cloud"],["GoogleMapsPlatform",null,null,null,null,null,null,null,null,"Google Maps Platform"],["GooglePay",null,null,null,null,null,null,null,null,"Google Pay & Google Wallet"],["GooglePlay",null,null,null,null,null,null,null,null,"Google Play"],["Tensorflow",null,null,null,null,null,null,null,null,"TensorFlow"]]],["category","Choose a topic",[["AiAndMachineLearning",null,null,null,null,null,null,null,null,"AI and Machine Learning"],["Data",null,null,null,null,null,null,null,null,"Data"],["Enterprise",null,null,null,null,null,null,null,null,"Enterprise"],["Gaming",null,null,null,null,null,null,null,null,"Gaming"],["Mobile",null,null,null,null,null,null,null,null,"Mobile"],["Web",null,null,null,null,null,null,null,null,"Web"]]]]]],[1,1],null,1],[[["UA-24532603-1"],["UA-22084204-5"],null,null,["UA-24532603-5"],null,null,[["G-272J68FCRF"],null,null,[["G-272J68FCRF",2]]],[["UA-24532603-1",2]],null,[["UA-24532603-5",2]],null,1],[[3,2],[15,12],[14,11],[12,9],[1,1],[5,4],[4,3],[13,10],[11,8],[16,13],[6,5]],[[2,2],[1,1]]],null,4,null,null,null,null,null,null,null,null,null,null,null,null,null,"developers.devsite.google"],null,"pk_live_5170syrHvgGVmSx9sBrnWtA5luvk9BwnVcvIi7HizpwauFG96WedXsuXh790rtij9AmGllqPtMLfhe2RSwD6Pn38V00uBCydV4m"]') </script> <devsite-a11y-announce></devsite-a11y-announce> </body> </html>