
Google Authentication

Google authentication allows users to log into a MongoDB Stitch application with an existing Google account. You can do this by adding Google Sign-In to your client application, and configuring it to work with Stitch’s authentication framework.

Create OAuth Client ID Credentials

Follow the instructions on Google’s support website for creating OAuth 2.0 client ID credentials for your application.

For detailed instructions on completing credential creation, select the tab below that matches your chosen SDK.

  • For Application Type, select Web application.

  • For Name, enter the name you want to associate with this client ID.

  • For Authorized JavaScript origins, enter the following:

    https://stitch.mongodb.com
    
  • For Authorized redirect URIs, enter the following:

    https://stitch.mongodb.com/api/client/v2.0/auth/callback
    
  • Click Create to finish.

  • For Application Type, select Android.

  • For Name, enter a name to associate with the client ID.

  • For Signing-certificate fingerprint, enter a SHA1 certificate fingerprint. You can generate a debug fingerprint by running the following command in a terminal or Windows Command Prompt:

    keytool -exportcert -alias androiddebugkey -keystore <path to debug.keystore> -list -v
    

    For example, use the following command in a macOS or Linux terminal to generate the SHA1 fingerprint from the Android debug keystore:

    keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore -list -v
    

    Tip

    If you are using the ~/.android/debug.keystore, enter android as the password when prompted.

    Use the following command from a Windows Command Prompt to generate the SHA1 fingerprint:

    keytool -exportcert -alias androiddebugkey -keystore %HOMEPATH%\.android\debug.keystore -list -v
    
  • Enter the package name from your AndroidManifest.xml file, and then click Create.

Note

When developing an iOS client application, you need to create both a Web OAuth client ID and an iOS OAuth client ID. The former is used by Stitch, while the latter will be used by the app itself. Refer to the Web tab to create the OAuth client ID for Stitch.

  • For Application Type, select iOS.
  • Provide a name for your application.
  • Specify your Bundle ID. To find the Bundle ID
    in Xcode, select the General tab for the primary target of your iOS application.
  • Click Create. The page displays a dialog with your new
    OAuth 2.0 client ID. If you created a Web application, the dialog also includes the OAuth 2.0 client secret. Copy these values for use in the steps below.
  • When you close the dialog, the page displays a list of OAuth clients,
    with the one you just created at the top of the list.

Enable and Configure Google Authentication in MongoDB Stitch

Once you have the Web Client ID and Client Secret, use the following procedure in the MongoDB Stitch admin console to enable and configure the Google authentication provider:

  1. Click Users from the left-side navigation.

  2. Select the Providers tab.

  3. For Google, click the Edit button.

  4. In the Google provider settings:

    1. Switch the Provider Status toggle to enabled.

    2. Enter values for the following fields as appropriate:

      Field / Description

      Client ID

      Required. The OAuth 2.0 client ID for the web application credentials you created in the Google Cloud Console.

      Client Secret

      Required. The OAuth 2.0 client secret for the web application credentials you created in the Google Cloud Console.

      Redirect URIs

      Required for web applications. These are the URIs that MongoDB Stitch is allowed to redirect the end user to after completing the authentication step. If a redirect URL is specified in the authentication process and it’s not an exact match with one of the URIs specified in this configuration setting, there will be an error.

      For example, if MongoDB Stitch needs to redirect to http://myapp.example.com/ after authentication, you must specify the URI exactly, including the preceding http and the trailing slash.

      Domain Restrictions

      Optional. If specified, accounts can only be created in MongoDB Stitch through this authentication provider when the email address of the Google account has one of the domains specified here.

      For example, if mycompany.com and mycompany.org are specified here, Google accounts where the email address is jane@mycompany.com or john@mycompany.org would be permitted, whereas emails like bob@gmail.com would be restricted.

      If you’ve specified any domain restrictions, you must also expose the email address field in the Metadata Fields setting.

      Metadata Fields

      Optional. The fields selected here will determine which fields from the user’s Google account are exposed in the data field of the user in MongoDB Stitch.

      If you’ve specified any domain restrictions, you must at a minimum expose the email address field.

    3. Click Save.

Incorporate into a Client Application

Web applications

In web applications, the Google authentication provider works by redirecting the user to a Google webpage that handles authentication. After the user logs in, the page redirects the user back to your application with a MongoDB Stitch session at a URL of your choice.

In the JavaScript SDK, you can call the authenticate() method on the StitchClient with the "google" argument to trigger this authentication flow.

See Initialize StitchClient for more details on initializing a StitchClient in your application.

yourStitchClient.authenticate("google");

No redirect URL is specified here, so by default, the end user will be redirected back to the current root URL after they complete the Google sign-in. The current root URL is the current URL, minus any fragment identifiers.

For example, if the current page is http://myexample.com/dashboard/#login, the default redirect URI will be http://myexample.com/dashboard/.

If you would like to specify a specific URL to redirect to, you can call the authenticate method on the StitchClient with an additional options argument that specifies the redirectUrl.

yourStitchClient.authenticate("google", { redirectUrl: "<your-redirect-url>" });

If the redirect URL (default or otherwise) is not in the list of valid redirect URIs specified when you set up the Google authentication provider, the login flow will not successfully complete.
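
The redirect rules above can be checked before calling authenticate(). The following is an added example, not part of the Stitch SDK or the original page: it derives the default redirect URL the way the text defines it and reports why a candidate fails the exact-match rule. The list contents and the function names are assumptions made for illustration.

```javascript
// Added example, not Stitch SDK code. ALLOWED_REDIRECT_URIS is a constructed
// stand-in for the Redirect URIs list saved in the Stitch admin console.
const ALLOWED_REDIRECT_URIS = [
  "http://myapp.example.com/",
  "http://myexample.com/dashboard/",
];

// Default redirect as the page defines it: the current URL minus any
// fragment identifier. The query string, if any, is kept.
function defaultRedirectUrl(currentUrl) {
  const i = currentUrl.indexOf("#");
  return i === -1 ? currentUrl : currentUrl.slice(0, i);
}

// Name the first component in which a candidate differs from one allowed URI.
// Returns null only on a character-for-character match.
function explainMismatch(candidate, allowed) {
  if (candidate === allowed) return null;
  if (candidate + "/" === allowed || candidate === allowed + "/") {
    return "trailing slash differs";
  }
  let c, a;
  try {
    c = new URL(candidate);
    a = new URL(allowed);
  } catch (e) {
    return "not an absolute URL";
  }
  if (c.host !== a.host) return "host differs";
  if (c.protocol !== a.protocol) return "scheme differs";
  if (c.pathname !== a.pathname) return "path differs";
  if (c.search !== a.search) return "query string differs";
  return "spelling differs (case, port or encoding)";
}

// Exact-match check against the whole list, with a reason per entry on failure.
function checkRedirect(redirectUrl, allowedList = ALLOWED_REDIRECT_URIS) {
  if (allowedList.includes(redirectUrl)) return { ok: true, reasons: [] };
  const reasons = allowedList.map((a) => `${a}: ${explainMismatch(redirectUrl, a)}`);
  return { ok: false, reasons };
}

// In a browser: checkRedirect(defaultRedirectUrl(window.location.href))
console.log(checkRedirect("http://myapp.example.com"));
```

Because only the fragment is stripped, a page loaded with a query string produces a default redirect URL that still carries that query string and will not match an entry registered without it.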

Mobile applications

In mobile applications, this redirect step is not necessary. The Google Sign-In is handled on the device by the Google Sign-In SDK for your specific platform. You provide the SDK with a callback function that calls the authentication method in your MongoDB Stitch SDK. In Stitch mobile apps, the callback function calls the StitchClient’s login method, passing in the Google authentication provider object. The provider object has been initialized with the authentication code returned from the Google Sign-In SDK.

Tip

In Android, you can get the authentication code by calling getServerAuthCode() on the GoogleSignInAccount object returned on a successful sign-in.

In iOS, you can get the authentication code by accessing the serverAuthCode property on the GIDGoogleUser object returned on a successful sign-in.

Tip

If you are having trouble getting the SDK to authenticate with MongoDB Stitch using the Google authentication provider, ensure that when logging in with the Google Sign-In SDK, you are requesting permission to access all the metadata that you’ve configured Stitch to request in the admin console.

See this page in the Google Sign-In Android documentation, or this page in the Google Sign-In iOS documentation for details on how to do this. A list of available scopes to request can be found here.

For detailed examples of how to incorporate Google authentication in a client application, each of the ToDo sample apps contains code for authenticating with Google.