Google Provider

Configure Google OAuth for authentication in your Next.js application using NextAuth.js.

Documentation

https://developers.google.com/identity/protocols/oauth2

Configuration

https://console.developers.google.com/apis/credentials

Google Console Setup

Follow these steps to configure Google OAuth:

Step 1: Create a Google Cloud Project

1. Go to Google Cloud Console
2. Click on the project dropdown at the top
3. Click "New Project"
4. Enter a project name and click "Create"

Step 2: Configure OAuth Consent Screen

1. Navigate to APIs & Services → OAuth consent screen
2. Select External user type (or Internal for Google Workspace)
3. Fill in the required fields:

4. Add scopes: email, profile, openid
5. Save and continue

Step 3: Create OAuth Credentials

1. Navigate to APIs & Services → Credentials
2. Click + CREATE CREDENTIALS → OAuth client ID
3. Select Web application as the application type
4. Enter a name for your OAuth client
5. Add Authorized JavaScript origins:

Step 4: Add Authorized Redirect URIs

The "Authorized redirect URIs" used when creating the credentials must include your full domain and end in the callback path:

Step 5: Get Client ID and Secret

1. After creating, copy the Client ID and Client Secret
2. Add them to your .env.local file:

# .env.local
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-client-secret

Options

The Google Provider comes with a set of default options. You can override any of the options to suit your own use case.

Google Provider options →

Example

// src/core/lib/auth.ts
import GoogleProvider from "next-auth/providers/google";

export const authOptions: NextAuthOptions = {
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
    }),
  ],
};

Force Refresh Token

Alternatively, you can pass options in the params object of authorization which will force the Refresh Token to always be provided on sign in. However, this will ask all users to confirm if they wish to grant your application access every time they sign in.

If you need access to the RefreshToken or AccessToken for a Google account and you are not using a database to persist user accounts, this may be something you need to do.

// src/core/lib/auth.ts
import GoogleProvider from "next-auth/providers/google";

export const authOptions: NextAuthOptions = {
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      authorization: {
        params: {
          prompt: "consent",
          access_type: "offline",
          response_type: "code",
        },
      },
    }),
  ],
};

Restrict to Verified Domain

// src/core/lib/auth.ts
export const authOptions: NextAuthOptions = {
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
    }),
  ],
  callbacks: {
    async signIn({ account, profile }) {
      if (account?.provider === "google") {
        const googleProfile = profile as { email_verified?: boolean; email?: string };
        return (
          googleProfile.email_verified === true &&
          googleProfile.email?.endsWith("@example.com") === true
        );
      }
      return true;
    },
  },
};

Troubleshooting

Common Errors

Related

• Authentication Design Pattern
• Installation Guide