Google

Allow users to sign in with their Google account. YorAuth uses Google's OAuth 2.0 flow with access_type=offline and prompt=consent, which causes Google to return a refresh token on every authorization so connections stay active after the initial access token expires.

Google Cloud Console Setup

1. Create a Project

Go to console.cloud.google.com and create a new project, or select an existing one.

2. Configure the OAuth Consent Screen

Navigate to APIs & Services > OAuth consent screen.

  • Choose External if your users are outside your Google Workspace organization, or Internal for Workspace-only apps.
  • Fill in the app name, support email, and developer contact email.
  • Add the scopes your application needs (see Default Scopes below).
  • Under Test users, add any email addresses you want to test with while the app is in testing mode.

Apps in testing mode can only be authorized by users on the test users list. Publish the app from the consent screen settings when you are ready for production.

3. Create OAuth Credentials

Navigate to APIs & Services > Credentials > Create Credentials > OAuth client ID.

  • Application type: Web application
  • Name: A label for your own reference (e.g. "YorAuth Production")
  • Authorized redirect URIs: Add the gate callback URL for your application:
```text
https://gate.yorauth.com/oauth/google/callback
```

You can retrieve the exact callback URL for your application from the dashboard API:

```bash
curl -X GET "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{providerId}/callback-url" \
  -H "Authorization: Bearer your-api-key"
```

After saving, Google will display your Client ID and Client Secret. Keep these — you will need them when configuring the provider in YorAuth.

Default Scopes

Gate requests the following scopes by default for Google:

| Scope | Purpose |
|---|---|
| openid | Enables OpenID Connect identity verification |
| email | Returns the user's email address |
| profile | Returns the user's name and profile picture |

You can override or extend this list when configuring the provider.

Configuration in YorAuth

Once you have your Client ID and Client Secret from Google, configure the provider for your application:

```bash
curl -X POST "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/configure" \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "provider_id": "{googleMarketplaceProviderId}",
    "configuration_mode": "byoa",
    "client_id": "your-client-id.apps.googleusercontent.com",
    "client_secret": "your-client-secret",
    "scopes": ["openid", "email", "profile"]
  }'
```

The provider_id is the marketplace entry for Google. Retrieve the full list of marketplace providers to find it:

```bash
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/marketplace?search=google" \
  -H "Authorization: Bearer your-api-key"
```

Google-Specific Behavior

Refresh Tokens

Gate always sends access_type=offline and prompt=consent when redirecting to Google. This forces Google to return a refresh token on every authorization, even if the user has previously authorized your application.

Without prompt=consent, Google only returns a refresh token on the first authorization. By always requesting consent, YorAuth ensures connections can be refreshed automatically when the access token expires.

If you rotate your OAuth credentials in Google Cloud Console, update them in YorAuth immediately. Active connections will fail to refresh until credentials are updated.

Token Expiry

Google access tokens expire after 1 hour. YorAuth stores the expires_at timestamp and uses the refresh token to obtain a new access token automatically before it expires.

Sensitive Scopes

If you request scopes beyond the defaults (such as https://www.googleapis.com/auth/calendar), Google requires your app to pass a verification process. Unverified apps can only be authorized by the addresses on your test users list.

Testing the Flow

Once configured, generate a test login URL from the dashboard to verify the provider appears on your hosted login page:

```bash
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{configId}/test-login-url" \
  -H "Authorization: Bearer your-api-key"
```

The response includes an authorize_url you can open in a browser to test the full sign-in flow.
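
While testing, the redirect your browser makes to Google can be checked against the behavior described under Refresh Tokens, Default Scopes and the redirect URI setup. The following is an added example, not YorAuth code: the function name, the sample URLs and the `state` value are constructed for illustration, and the expected callback should be replaced with the exact URL returned by the callback-url endpoint for your application.

```python
from urllib.parse import urlsplit, parse_qs

# Values taken from this page; the host is Google's OAuth 2.0 authorization host.
GOOGLE_AUTH_HOST = "accounts.google.com"
EXPECTED_REDIRECT = "https://gate.yorauth.com/oauth/google/callback"
DEFAULT_SCOPES = {"openid", "email", "profile"}


def check_google_redirect(url, expected_redirect=EXPECTED_REDIRECT,
                          required_scopes=DEFAULT_SCOPES):
    """Return a list of findings for a captured redirect to Google (empty = OK)."""
    parts = urlsplit(url)
    # keep_blank_values so an empty parameter is reported as wrong, not as absent
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    def single(name):
        # A parameter sent more than once is ambiguous, so report it.
        values = query.get(name, [])
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times")
        return values[0] if values else None

    if parts.scheme != "https" or parts.hostname != GOOGLE_AUTH_HOST:
        findings.append(f"unexpected authorization endpoint: {parts.scheme}://{parts.netloc}")
    if single("access_type") != "offline":
        findings.append("access_type is not 'offline': no refresh token will be issued")
    # prompt is a space-delimited list of values
    if "consent" not in (single("prompt") or "").split():
        findings.append("prompt lacks 'consent': refresh token only on first authorization")
    if single("redirect_uri") != expected_redirect:
        findings.append("redirect_uri differs from the registered callback (exact match required)")
    missing = set(required_scopes) - set((single("scope") or "").split())
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample URLs (client_id and state are placeholders, not real values).
GOOD = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
        "&client_id=your-client-id.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Fgate.yorauth.com%2Foauth%2Fgoogle%2Fcallback"
        "&scope=openid%20email%20profile&access_type=offline&prompt=consent"
        "&state=constructed-state")
# Same request without prompt=consent and with a trailing slash on the callback.
BAD = GOOD.replace("&prompt=consent", "").replace("%2Fcallback", "%2Fcallback%2F")

if __name__ == "__main__":
    for label, url in (("good", GOOD), ("bad", BAD)):
        print(label, check_google_redirect(url) or "OK")
```

Copy the `accounts.google.com` URL from the browser's address bar or network panel during the test sign-in and pass it to `check_google_redirect`; if you configured extra scopes, pass them as `required_scopes`.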