Skip to content

Google OAuth

Sign in with Google. Requires the oauth extra (httpx).

from fastauth.providers.google import GoogleProvider

GoogleProvider(client_id="...", client_secret="...", scopes=None)
# default scopes: ["openid", "email", "profile"]

Prerequisites

  1. Create OAuth 2.0 credentials in the Google Cloud Console.
  2. Add the FastAuth callback URL to Authorized redirect URIs: https://your-app.example/auth/oauth/google/callback.
  3. Set oauth_allowed_redirect_uris=["https://your-app.example/auth/oauth/google/callback"] on the config.

Setup

from fastauth import FastAuth, FastAuthConfig
from fastauth.providers.google import GoogleProvider
from fastauth.session_backends.redis import RedisSessionBackend

config = FastAuthConfig(
    ...,
    providers=[
        CredentialsProvider(),
        GoogleProvider(client_id=os.environ["GOOGLE_CLIENT_ID"],
                       client_secret=os.environ["GOOGLE_CLIENT_SECRET"]),
    ],
    oauth_adapter=adapter.oauth,
    oauth_state_store=RedisSessionBackend(url=os.environ["REDIS_URL"]),
    oauth_redirect_url="https://app.example.com/auth/callback",
    oauth_allowed_redirect_uris=[
        "https://your-app.example/auth/oauth/google/callback",
    ],
)

See OAuth feature for the flow, link/unlink endpoints, and security details.

Email policy

get_user_info reads the email from the Google userinfo endpoint. If Google reports email_verified=True and the matched user is not yet verified, FastAuth flips email_verified=True on the user.

Refresh

GoogleProvider.refresh_access_token(refresh_token) returns a refreshed token dict. Stored provider tokens (store_oauth_provider_tokens=True) currently never trigger an automatic refresh — the expires_at column on OAuthAccountData is not populated by FastAuth. (needs maintainer clarification)

Common mistakes

  • redirect_uri_mismatch at Google — the URL registered with Google and the redirect_uri you pass to /auth/oauth/google/authorize must match exactly, including scheme and trailing slash.
  • Multi-worker + MemorySessionBackend — OAuth state written on worker A is invisible to worker B → 400 Invalid OAuth state. Use Redis.