- Go to the Google API Console API Library.
- From the project drop-down, select an existing project, or create a new one. The API Console groups your information by “project” which bundles associated websites, Android apps, and iOS apps. For the Identity Toolkit API, any websites or apps in the same project will share the same user database.
Enable the Identity Toolkit API service:
- In the list of Google APIs, search for the Identity Toolkit API service.
- Select Identity Toolkit API from the results list.
- Select Enable API.
- Next, you need to set up the screen Google will show the user when you request
the user's email address. In the left-side menu under "APIs & Services",
select Credentials, then select the OAuth consent screen tab.
- Choose an Email Address, enter your website/app's name as the Product Name, and select Save.
- Next, set up your OAuth2 client ID for registering as an app that accepts Google for sign-in.
- In the Credentials tab, select the Create credentials drop-down, then select OAuth client ID.
- Under Application type, select Web application. A web server is currently required to enable full functionality, even for mobile-only applications, because some identity providers do not have native SDKs.
- Enter a client ID Name, then enter the Restrictions as
This is the URL of your site. For example, if your site is https://yoursite.com, enter that in the box. (Note that you may add multiple entries if your site can be accessed at multiple URLs.)
- Authorized redirect URIs
When you send your users to authenticate with an identity provider like Google or Yahoo, the identity provider needs a page to return to when authentication is complete. Typically this is called an Authorized Redirect or a Callback. With Identity Toolkit this will also be where your sign-in page is displayed. You may use whichever URL you would like. (Usually https://yoursite.com/callback is fine unless you prefer something else)
- Once you've completed these fields, select Create.
- Now, create a service account.
- Select the Create credentials drop-down again (you should still be on the Credentials tab), then select Service account key.
- From the Service account drop-down, select an existing service account or create a new one.
- For Key type, select the P12 key option, then select Create. The file automatically downloads to your computer.
- In the resulting pop-up window, make note of the private key's password, then select Close. Put the *.p12 file you just downloaded in a directory of your choosing. This directory must be private (you can't let anyone get access to this), but accessible to your web server code.
- Next, create a Browser API key so that your app can access Google APIs.
- Select the Create credentials drop-down, then select API key.
- From the "Create a new key" pop-up, select Browser key, and optionally set your site's URL as the allowed referrer.
- Select Create.
- You're almost there! You just need to decide which sign-in options to support.
- On the left-side menu, return to the APIs list by selecting APIs & Services.
- Select the Enabled APIs tab.
- From the list of enabled APIs, find the Identity Toolkit API, then select the gear icon to the right of the name. This action opens your sign-in page configuration.
- In the URL Configuration section of the screen, declare your URLs:
- Widget URL
From the drop-down, select a URL. This is the URL you entered earlier in the Client ID for Web application, under "Authorized Redirect URIs". This is the URL where your sign in page will appear, and it is also the URL you need to register with identity providers as your "Redirect URI".
- Sign-in Success URL
This is where users are sent after they successfully sign in. This URL will need to validate the Identity Toolkit API token and then begin an authenticated session however you see fit. Many web application frameworks will generate a session cookie for you.
- Sign-out URL
If you choose to use the User Card Widget, when the user clicks the sign out button, they are redirected to this URL.
- Send Email URL
Sometimes it may be necessary to contact the user to confirm a password reset or email change. Because of email source verification in use by many email providers, these emails must originate from your server in order to avoid being marked as spam or suspicious. Identity Toolkit API will send a POST request to this URL with email address and the content of the message, and you will need to send the email.
- Widget URL
- In the Providers section, choose which identity providers that you want to support. Some identity providers require registration. Select the provider name or down arrow to view provider options/requirements.
- (Optional) Configure Facebook login
- Go to the Facebook developer page register or log in, then select My Apps->Add a New App
- Choose the "Website" platform
- At the "Setup SDK" part of the quickstart, enter your Site URL. For this demo,
that will be
http://localhost:8000/widget. Click next. You do not need to use their code snippet.
- Once the app is set up:
- Go to the Dashboard for your app and enter the Facebook App ID as the Client ID.
- In the API Console Identity Toolkit API configuration page, enable Facebook as a provider and enter the Facebook App ID and App Secret.
- (Optional) Configure Twitter login
- Go to the Twitter Application Management page and create a new app.
- Under "Callback URL" you will have to write the URL to where you will
be hosting Identity Toolkit. For this demo that will be
- Once the app is created:
- From your app dashboard go to "Keys and Access Tokens" and copy the Consumer key and Consumer secret.
- Then, in the In the API Console Identity Toolkit API configuration page, enable Twitter as a provider and paste in your Consumer Key and Secret.
- Make sure to save your settings!
- There are two code snippets at the bottom of the page. The first
The second snippet should be saved in your server side code directory as
- The server side configuration file needs to be further configured before
use. Open the file for editing and change
serviceAccountPrivateKeyFilesetting to be equal to the path of the *.p12 or *.json file you downloaded earlier. You should use the full path, beginning with
/and ending with the full name of the *.p12 or *.json file.
Configure Google Identity Toolkit
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2021-04-20 UTC.