Google OAuth¶
Sign in with Google. Requires the oauth extra (httpx).
from fastauth.providers.google import GoogleProvider
GoogleProvider(client_id="...", client_secret="...", scopes=None)
# default scopes: ["openid", "email", "profile"]
Prerequisites¶
- Create OAuth 2.0 credentials in the Google Cloud Console.
- Add the FastAuth callback URL to Authorized redirect URIs:
https://your-app.example/auth/oauth/google/callback. - Set
oauth_allowed_redirect_uris=["https://your-app.example/auth/oauth/google/callback"]on the config.
Setup¶
from fastauth import FastAuth, FastAuthConfig
from fastauth.providers.google import GoogleProvider
from fastauth.session_backends.redis import RedisSessionBackend
config = FastAuthConfig(
...,
providers=[
CredentialsProvider(),
GoogleProvider(client_id=os.environ["GOOGLE_CLIENT_ID"],
client_secret=os.environ["GOOGLE_CLIENT_SECRET"]),
],
oauth_adapter=adapter.oauth,
oauth_state_store=RedisSessionBackend(url=os.environ["REDIS_URL"]),
oauth_redirect_url="https://app.example.com/auth/callback",
oauth_allowed_redirect_uris=[
"https://your-app.example/auth/oauth/google/callback",
],
)
See OAuth feature for the flow, link/unlink endpoints, and security details.
Email policy¶
get_user_info reads the email from the Google userinfo endpoint. If Google reports email_verified=True and the matched user is not yet verified, FastAuth flips email_verified=True on the user.
Refresh¶
GoogleProvider.refresh_access_token(refresh_token) returns a refreshed token dict. Stored provider tokens (store_oauth_provider_tokens=True) currently never trigger an automatic refresh — the expires_at column on OAuthAccountData is not populated by FastAuth. (needs maintainer clarification)
Common mistakes¶
redirect_uri_mismatchat Google — the URL registered with Google and theredirect_uriyou pass to/auth/oauth/google/authorizemust match exactly, including scheme and trailing slash.- Multi-worker +
MemorySessionBackend— OAuth state written on worker A is invisible to worker B →400 Invalid OAuth state. Use Redis.