Overview

The Google provider enables authentication using Google accounts. It implements the OAuth 2.0 protocol and supports PKCE for enhanced security.

Installation

npm install @arraf-auth/google

Setup

1. Create OAuth Credentials

  1. Go to Google Cloud Console
  2. Create a new project or select an existing one
  3. Navigate to APIs & Services > Credentials
  4. Click Create Credentials > OAuth client ID
  5. Select Web application
  6. Add your authorized redirect URIs:
    • Development: http://localhost:3000/api/auth/callback/google
    • Production: https://yourdomain.com/api/auth/callback/google
  7. Save your Client ID and Client Secret

2. Configure Environment Variables

GOOGLE_CLIENT_ID=your_client_id_here
GOOGLE_CLIENT_SECRET=your_client_secret_here

Configuration

import { google } from "@arraf-auth/google"

GoogleProviderConfig

  • clientId (string, required) - OAuth 2.0 client ID from Google Cloud Console
  • clientSecret (string, required) - OAuth 2.0 client secret from Google Cloud Console
  • redirectUri (string, required) - The callback URL where users will be redirected after authentication
  • scopes (string[], optional) - OAuth scopes to request. Defaults to ["openid", "email", "profile"]

Usage

import { ArrafAuth } from "@arraf-auth/core"
import { google } from "@arraf-auth/google"
import { adapter } from "./db"

const auth = new ArrafAuth({
    secret: process.env.AUTH_SECRET!,
    database: adapter,
    providers: [
        google({
            clientId: process.env.GOOGLE_CLIENT_ID!,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
            redirectUri: `${process.env.NEXT_PUBLIC_APP_URL}/api/auth/callback/google`,
        }),
    ],
})

export default auth

Custom Scopes

Request additional permissions from Google:

google({
    clientId: process.env.GOOGLE_CLIENT_ID!,
    clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
    redirectUri: "https://yourdomain.com/api/auth/callback/google",
    scopes: [
        "openid",
        "email",
        "profile",
        "https://www.googleapis.com/auth/calendar.readonly",
    ],
})

Available Scopes

  • openid - OpenID Connect authentication
  • email - User’s email address
  • profile - User’s basic profile information
  • https://www.googleapis.com/auth/calendar.readonly - Read-only calendar access
  • https://www.googleapis.com/auth/drive.readonly - Read-only Drive access

See Google OAuth Scopes for a complete list.

Implementation Details

The Google provider is implemented in packages/providers/google/src/index.ts:

import { createHash } from "node:crypto"

// Types as documented on this page; OAuthProvider is reduced to the members used here.
interface GoogleProviderConfig {
    clientId: string
    clientSecret: string
    redirectUri: string
    scopes?: string[]
}

interface OAuthProvider {
    id: string
    name: string
    clientId: string
    clientSecret: string
    scopes: string[]
    getAuthorizationUrl(state: string, codeVerifier?: string): string
    exchangeCode(code: string, codeVerifier?: string): Promise<unknown>
    getUserProfile(accessToken: string): Promise<unknown>
}

// Assumed helper from @arraf-auth/core (not shown on this page): appends the
// parameters to the endpoint as a URL-encoded query string.
function buildAuthorizationUrl(endpoint: string, params: Record<string, string>): string {
    const url = new URL(endpoint)
    url.search = new URLSearchParams(params).toString()
    return url.toString()
}

export function google(config: GoogleProviderConfig): OAuthProvider {
    const scopes = config.scopes ?? [
        "openid",
        "email",
        "profile",
    ]

    return {
        id: "google",
        name: "Google",
        clientId: config.clientId,
        clientSecret: config.clientSecret,
        scopes,

        getAuthorizationUrl(state: string, codeVerifier?: string) {
            const params: Record<string, string> = {
                client_id: config.clientId,
                redirect_uri: config.redirectUri,
                response_type: "code",
                scope: scopes.join(" "),
                state,
                access_type: "offline",
                prompt: "consent",
            }

            if (codeVerifier) {
                // PKCE (RFC 7636): the S256 challenge derived from the verifier must be
                // sent along with the method name, otherwise the request carries no PKCE
                // binding and the verifier presented at token exchange has nothing to match.
                params.code_challenge = createHash("sha256")
                    .update(codeVerifier, "ascii")
                    .digest("base64url")
                params.code_challenge_method = "S256"
            }

            return buildAuthorizationUrl(
                "https://accounts.google.com/o/oauth2/v2/auth",
                params
            )
        },

        async exchangeCode(code: string, codeVerifier?: string) {
            // Token exchange implementation (not shown on this page)
        },

        async getUserProfile(accessToken: string) {
            // User profile fetching implementation (not shown on this page)
        },
    }
}
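The PKCE round trip the provider relies on, written out as an added example that is not @arraf-auth code: a fresh verifier is generated per login, only its S256 challenge goes into the authorization URL, and the callback is accepted only when its state matches the one this session issued. Helper names (generateCodeVerifier, buildGoogleAuthUrl, checkCallbackState, verifierMatchesChallenge) and the PendingLogin shape are hypothetical.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto"

const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

// RFC 7636 allows 43-128 unreserved characters; base64url of 32 random bytes gives 43.
export function generateCodeVerifier(): string {
    return randomBytes(32).toString("base64url")
}

// S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
export function codeChallengeS256(codeVerifier: string): string {
    return createHash("sha256").update(codeVerifier, "ascii").digest("base64url")
}

// Per-login values the server keeps (e.g. in the session) until the callback arrives.
export interface PendingLogin { state: string; codeVerifier: string }

// Step 1 (app side): build the redirect to Google with state and the challenge.
export function buildGoogleAuthUrl(clientId: string, redirectUri: string, scopes: string[], pending: PendingLogin): string {
    const url = new URL(AUTH_ENDPOINT)
    url.search = new URLSearchParams({
        client_id: clientId,
        redirect_uri: redirectUri,
        response_type: "code",
        scope: scopes.join(" "),
        state: pending.state,
        access_type: "offline",
        prompt: "consent",
        code_challenge: codeChallengeS256(pending.codeVerifier),
        code_challenge_method: "S256",
    }).toString()
    return url.toString()
}

// Step 2 (callback side): reject the response unless state matches, then hand back the code.
export function checkCallbackState(callbackUrl: string, pending: PendingLogin): string {
    const params = new URL(callbackUrl).searchParams
    const state = params.get("state") ?? ""
    const sameLength = state.length === pending.state.length
    if (!sameLength || !timingSafeEqual(Buffer.from(state), Buffer.from(pending.state))) {
        throw new Error("state mismatch: callback was not started by this session")
    }
    const code = params.get("code")
    if (!code) throw new Error(`provider error: ${params.get("error") ?? "no code"}`)
    return code
}

// Step 3, modelled locally: the token endpoint accepts the code only if the verifier
// sent with it hashes to the challenge that was pinned in step 1.
export function verifierMatchesChallenge(codeVerifier: string, challenge: string): boolean {
    return codeChallengeS256(codeVerifier) === challenge
}
```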

User Profile

The provider returns the following user profile data:

  • id (string) - Google user ID (from the sub claim)
  • email (string) - User’s email address
  • name (string) - User’s full name
  • image (string) - URL to the user’s profile picture
  • emailVerified (boolean) - Whether the email has been verified by Google

Features

  • Full OAuth 2.0 implementation
  • PKCE support for enhanced security
  • Automatic token refresh with access_type: "offline"
  • Email verification status from Google
  • Profile picture retrieval

The provider automatically requests access_type: "offline" and prompt: "consent", so the consent screen is shown on each authorization and Google issues a refresh token rather than only on the first consent.

Troubleshooting

Redirect URI Mismatch

Ensure the redirect URI in your code exactly matches one configured in Google Cloud Console, including the protocol (http/https) and trailing slashes.

Missing Email

If the email is not returned, verify that the email scope is included in your configuration.

Invalid Client Error

Double-check that your GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variables are correctly set.