Third-party cookie deprecation does not affect user authorization flows, including these methods.
Web apps must obtain an access token to securely call Google APIs.
The Google Identity Services JavaScript library supports both authentication for user sign-in and authorization to obtain an access token for use with Google APIs. The library is intended only for use in browsers.
Authentication establishes who someone is, and is commonly referred to as user sign-up or sign-in. Authorization is the process of granting or rejecting access to data or resources. It includes obtaining and managing user consent, limiting the amount of data or resources shared with scopes, and retrieving an access token for use with Google APIs.
These guides cover authorization and data sharing topics.
How user authorization works describes the individual steps of user authorization in detail and includes user dialog examples.
If you are looking for help with authentication and how to implement user sign-up and sign-in, see Sign In With Google.
This library is not intended for use with server-side JavaScript frameworks such as Node.js; instead, use Google's Node.js client library.
What's changed
For users, the Google Identity Services library offers numerous usability improvements over earlier JavaScript libraries, including:
- Authentication for user sign-in, and authorization to obtain an access token to call Google APIs, now have two separate and distinct user flows; one for sign-in and another for consent during authorization, with separate user flows to clearly differentiate who you are, from what an app can do.
- Improved visibility and granular control of data sharing during user consent.
- Browser based pop-up dialogs to reduce friction, and which do not require users to leave your site to:
  - obtain an access token from Google, or
  - send an authorization code to your backend platform.
For developers, our focus has been to reduce complexity, improve security, and make your integration as quick and easy as possible. Some of these changes are:
- User authentication for sign-in, and authorization used to obtain an access token to call Google APIs, are two separate and distinct sets of JavaScript objects and methods. This reduces the complexity and amount of detail required to implement authentication or authorization.
- A single JavaScript library now supports both the:
  - OAuth 2.0 implicit flow, used to obtain an access token for use in-browser
  - OAuth 2.0 authorization code flow, also known as offline access, and initiates securely delivering an authorization code to your backend platform, where it can be exchanged for an access token and refresh token.

  Previously, these flows were only available by using multiple libraries and through direct calls to OAuth 2.0 endpoints. A single library decreases your integration time and effort; instead of including and learning multiple libraries and OAuth 2.0 concepts, you can focus on a single, unified interface.
- Indirection through getter style functions has been removed for simplicity and readability.
- When handling authorization responses you choose whether or not to use a Promise to fulfill requests, instead of that decision being made for you.
- The Google API Client Library for JavaScript has been updated with these changes:
  - the gapi.auth2 module and associated objects and methods are no longer automatically loaded for you behind the scenes, and have been replaced with more explicit Google Identity Services library objects and methods.
  - Automatic refresh of expired access tokens has been removed to improve user security and awareness. After an access token expires your app must handle Google API error responses, request, and obtain a new, valid access token.
  - To support a clear separation of authentication and authorization moments, simultaneously signing a user in to your app and to their Google Account while also issuing an access token is no longer supported. Previously, requesting an access token also signed users into their Google Account and returned a JWT ID token credential for user authentication.
- To increase user security and privacy, per user credentials issued for authorization follow the principle of least privilege by including only an access token and information required to manage it.
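Two of the developer changes above, the removal of automatic token refresh and the app's own choice of whether to use a Promise, combine as in the following sketch. It is an added example, not code from Google's documentation: it assumes a token client created with google.accounts.oauth2.initTokenClient() and treats HTTP 401 as the expired-token signal; createApiFetch, apiFetch, requestToken and fetchFn are hypothetical names.

```javascript
// Added example, not Google's code. createApiFetch/apiFetch/fetchFn are hypothetical names.
// tokenClient is assumed to come from google.accounts.oauth2.initTokenClient().

// Wrap the callback-style token client in a Promise (the app's own choice).
// Non-OAuth failures such as a closed pop-up are reported through the
// error_callback passed to initTokenClient and are not handled here.
function requestToken(tokenClient) {
  return new Promise((resolve, reject) => {
    tokenClient.callback = (resp) => {
      if (resp.error) reject(new Error(resp.error));
      else resolve(resp.access_token);
    };
    tokenClient.requestAccessToken();
  });
}

function createApiFetch(tokenClient, fetchFn) {
  let accessToken = null; // held in memory only, never written to storage
  let pending = null;     // one in-flight token request shared by concurrent callers

  function getToken() {
    if (accessToken) return Promise.resolve(accessToken);
    if (!pending) {
      pending = requestToken(tokenClient)
        .then((t) => (accessToken = t))
        .finally(() => { pending = null; });
    }
    return pending;
  }

  return async function apiFetch(url, init = {}) {
    for (let attempt = 0; attempt < 2; attempt++) {
      const token = await getToken();
      const headers = { ...init.headers, Authorization: `Bearer ${token}` };
      const res = await fetchFn(url, { ...init, headers });
      if (res.status !== 401) return res;
      // Expired or revoked token: discard it (unless already replaced) and retry once.
      if (accessToken === token) accessToken = null;
    }
    throw new Error('still unauthorized after obtaining a new access token');
  };
}
```

In a browser, fetchFn would be window.fetch.bind(window). The single retry bounds the loop when a freshly issued token is also rejected, for example because the required scope was never granted.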
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2023-08-28 UTC.