kavachOS

Google

Sign in with Google using OAuth 2.0 and OpenID Connect.

Get credentials

Create a project

Go to Google Cloud Console and create a new project (or select an existing one).

Enable the People API

Navigate to APIs and Services > Library, search for "Google People API", and enable it. This lets KavachOS fetch the user's name and profile picture.

Create OAuth credentials

Go to APIs and Services > Credentials > Create Credentials > OAuth client ID.

  • Application type: Web application
  • Authorized redirect URIs: https://auth.example.com/auth/oauth/google/callback

Copy the Client ID and Client Secret.

Under OAuth consent screen, set the app name, support email, and authorized domain. For production, submit for verification if you need access to sensitive scopes.

Configuration

lib/kavach.ts
import { createKavach } from '@kavachos/core';
import { oauth } from '@kavachos/core/plugins/oauth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'google',
          clientId: process.env.GOOGLE_CLIENT_ID!,
          clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
        },
      ],
    }),
  ],
});

Add to your environment:

GOOGLE_CLIENT_ID=...apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...

Scopes

Default scopes: openid email profile

These give you name, email, and profile picture. To request additional permissions:

{
  id: 'google',
  clientId: process.env.GOOGLE_CLIENT_ID!,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  scopes: ['openid', 'email', 'profile', 'https://www.googleapis.com/auth/calendar.readonly'],
}

Extra scopes beyond openid email profile require your app to complete Google's verification process before they work for users outside your organization.

User data returned

Field | Source        | Notes
id    | sub claim     | Stable Google user ID
email | email claim   | Verified by Google
name  | name claim    | Full display name
image | picture claim | Profile photo URL

Initiating sign-in

Redirect users to:

GET /auth/oauth/google/authorize

Or add a query parameter to control the post-sign-in destination:

GET /auth/oauth/google/authorize?redirectTo=/dashboard
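The page does not say how redirectTo is validated, so an application that builds this link from user-controlled input (for example a "return to" value) should restrict it to a same-origin path first. The sketch below is an added example, not KavachOS code; AUTH_BASE_URL, safeRedirectTo and googleAuthorizeUrl are hypothetical names, and the base URL is the baseUrl from the configuration above.

```typescript
// Added example (not part of KavachOS). All names here are assumptions.
const AUTH_BASE_URL = 'https://auth.example.com'; // baseUrl from the configuration above

// Return a same-origin path that is safe to pass as redirectTo, or the fallback.
function safeRedirectTo(input: string | null | undefined, fallback: string = '/'): string {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return fallback;
  // Must be a rooted path. Reject protocol-relative "//host" and any backslash,
  // because browsers treat "\" like "/" and "/\host" can resolve to another origin.
  if (!input.startsWith('/') || input.startsWith('//') || input.includes('\\')) return fallback;
  // Reject control characters: URL parsers strip tab/CR/LF, so "/<tab>/host" becomes "//host".
  if (/[\u0000-\u001f\u007f]/.test(input)) return fallback;
  let resolved: URL;
  try {
    resolved = new URL(input, AUTH_BASE_URL);
  } catch {
    return fallback;
  }
  // Final check: after resolution the target must still be on our own origin.
  if (resolved.origin !== new URL(AUTH_BASE_URL).origin) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Build the sign-in link from the endpoint documented above.
function googleAuthorizeUrl(redirectTo?: string | null): string {
  const url = new URL('/auth/oauth/google/authorize', AUTH_BASE_URL);
  url.searchParams.set('redirectTo', safeRedirectTo(redirectTo, '/dashboard'));
  return url.toString();
}
```

Anything that is not a plain same-origin path falls back to /dashboard, so a crafted sign-in link cannot send the user to another site after authentication.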
