Google Authenticator

The Google Authenticator uses OpenID Connect to authenticate using Google accounts. To use it, you need to configure certain things in Google. The steps to do this are described below.

Configuring Google

To use Google accounts in the Authentication Service, you need to register it as a OAuth client in Google. To do this, add a new client in the Google Developer Console.

Create a new Project

In the Google Developer Console, click Create project. For step by step instructions on how to create a project, refer to the Google Developer Console Help.


Fig. 73 Google - Create Project

Give your project a name, for instance CurityLogin.


Fig. 74 Google - Set project name

Click Create.

Add Credentials

Now click New credentials, and choose to create an OAuth client ID.


Fig. 79 Google - New credentials

In this section of the setup:

  • Choose Web Application;
  • Add a name for the client, for instance Curity;
  • The Authentication Service does not use JavaScript for OpenID Connect, so you can leave Authorized JavaScript origins empty;
  • Add redirect URI as described in the The Redirect URI section below; and
  • Click Create.

Fig. 80 Google - Create client

The new client ID and secret will be displayed. These are the credentials you need to configure the Authentication Service. Take note of them.


Fig. 81 Google - Client credentials


If you loose your client ID and secret, you can download them from Google again at any point.

The Redirect URI

The redirect URI is the URI where Google will redirect the user when the authentication is done. The URI that the Authentication Service uses is generated automatically based on configuration, and is the path to the authenticator with an added /callback. This last part of the path is only used in the communication between the Authentication Service and Google, and can not be changed whereas the preceding components of the path can be.

The form is like this:


For example, for a server running on server1.local and a protocol of https and listening on port 8443 and having an authentication endpoint configured to be /authn/authenticate and with a Google authenticator instance called google1, the redirect URI would be:


Configuration in the Authentication Service

The general authenticator configuration is described under Authenticator Base Configuration. This section describes the additional parameters that are available for the Google authenticator.


Authenticator base is /profiles/profile{id type}/settings/authentication-service/authenticators/

List Entry: <authenticator_base>/authenticator/ (key id)

client_id: The OAuth 2 client ID that is registered at Google
type string mandatory
client_secret: The OAuth 2 client secret that is registered at Google
type string mandatory
scope: The scopes to ask Google for as a space-separated list
type string
clock_skew: The allowed clock-skew in seconds when validating the login token from Google
type uint32 default 60
map-to-subject: If another claim should be used as the subject, name it here
type string


<authenticator xmlns="">
    <google xmlns="">