The Google authentication provider allows users to log in with their existing Google account through Google Sign-In. When a user logs in, Google provides MongoDB Realm with an OAuth 2.0 access token for the user. Realm uses the token to identify the user and access approved data from Google APIs on their behalf.
You can enable and configure the Google authentication provider from the Realm UI by selecting Google from the Authentication page.
The Google authentication provider has the following configuration options:
Required. An OAuth 2.0 Client ID for your project in the Google API Console.
See Set Up a Project in the Google API Console for information about setting up OAuth Credentials for your GCP project.
Optional. A list of fields describing the authenticated user that your application will request from the Google Identity API.
All metadata fields are omitted by default and can be required on a field-by-field basis. Users must explicitly grant your app permission to access each required field. If a metadata field is required and exists for a particular user, it will be included in their user object.
To require a metadata field from an import/export
configuration file, add an entry for the field to the
Required for web applications. A list of allowed redirect URIs .
Once a user completes the authentication process on Google, Realm redirects them back to either a specified redirect URI or, if no redirect URI is specified, the URL that they initiated the authentication request from. Realm will only redirect a user to a URI that exactly matches an entry in this list, including the protocol and any trailing slashes.
Optional. A list of approved domains for user accounts.
If specified, the provider checks the domain of a user's primary email address on Google and only allows them to authenticate if the domain matches an entry in this list.
For example, if
If you've specified any domain restrictions, you must also require the email address field in the Metadata Fields setting.
OpenID Connect Does Not Support Metadata Fields
Google supports OpenID as part of their OAuth 2.0 implementation but does not provide access to restricted scopes for OpenID authentication. This means that Realm cannot access metadata fields for users authenticated with OpenID Connect.
Set Up a Project in the Google API Console¶
The Google authentication provider requires a project in the Google API Console to manage authentication and user permissions. The following steps walk through creating the project, generating OAuth credentials, and configuring the provider to connect with the project.
Generate OAuth Client Credentials¶
For iOS client applications, you need to create both a Web OAuth Client ID and an iOS OAuth Client ID. The former is used by Realm, while the latter will be used by the app itself.
Refer to the Web tab of this section for instructions on creating the web application Client ID for Realm.
Follow Google's support guide on Setting up OAuth 2.0 for your project.
Use the following values when configuring your iOS application Client ID:
The name you wish to associate with this Client ID.
The Bundle ID for your iOS application. You can find this value in XCode on the General tab for the app's primary target.
Configure the Google Authentication Provider¶
To connect your GCP project to Realm add the OAuth 2.0 Client ID and Client Secret you generated in the previous step to your authentication provider configuration.
Make sure that you add the web application credentials to the provider configuration. If you add the iOS credentials instead, Google authentication will fail.
For code examples that demonstrate how to register and log in using Google authentication, see the documentation for the Realm SDKs:
To register or log in a Google user from the iOS Client SDK, see the iOS SDK guide to Google authentication.