Skip to main content
Auth0 supports Google One Tap user authentication with Universal Login. Google One Tap allows users to sign in or sign up with a single tap by using an active Google session in their browser without leaving your Universal Login page. When a user with an active Google account visits your login page, the Google One Tap prompt appears as an overlay with the user’s active account. The user selects it, and Auth0 validates the credential and creates a session. No redirect to Google is required.

How it works

Google One Tap uses the Federated Credential Management (FedCM) API, a browser-native authentication standard that does not rely on third-party cookies or page redirects.
  1. A user navigates to your Universal Login page with an active Google session in their browser.
  2. Universal Login detects the active Google session and displays the Google One Tap overlay.
  3. The user selects their Google account from the prompt.
  4. Google returns a signed ID token to Universal Login.
  5. Auth0 validates the ID token against the Google social connection configured for your tenant.
  6. Auth0 creates or updates the user profile and issues Auth0 tokens.
  7. Auth0 redirects the user to your application.
If the user’s browser does not support FedCM, or if the user dismisses the prompt, the standard Continue with Google option remains available on the login page. If the user dismisses the prompt, Google applies an exponential cooldown timeframe for each time One Tap is dismissed by the user.

Before you start

  • You must enable and configure Universal Login for your tenant. Google One Tap is not supported in the Classic Login experience. To learn more, read Universal Login vs. Classic Login.
  • You must create and configure a Google social connection (google-oauth2) in your tenant. To learn more, read Add Google Login to Your App.

Enable Google One Tap

Enable Google One Tap on individual applications with Auth0 Dashboard, the Management API, or an Auth0 SDK.
  1. Navigate to Auth0 Dashboard > Applications.
  2. Create a new application or choose an existing application to use with Google One Tap.
  3. Under Settings, search for Social Login and toggle on Allow Google One Tap.
    Enable Google One Tap
  4. Select Save.
  5. Navigate to Auth0 Dashboard > Authentication > Social.
  6. Create a new Google social connection or select your existing google-oauth2 connection.
  7. Under the connection settings:
    • Under the Settings tab, verify your Google Client ID and Client Secret. You cannot use Auth0 developer keys with the One Tap integration.
    • Under the Applications tab, verify the application you want to use for One Tap is toggled on.
  8. Select Save.

Considerations

Advanced Customizations for Universal Login (ACUL)

ACUL customization applies to Google One Tap. If you have customized the login,login-id,signup, or signup-id screens, your configurations apply. To learn more about ACUL, read Configure ACUL.

Multi-factor authentication (MFA)

If your tenant or connection policy requires multi-factor authentication (MFA), Google One Tap completes the first authentication factor using the Google ID token. Auth0 then presents the standard Universal Login MFA challenge screen for the second factor. Users complete MFA as part of the Universal Login flow.

Enterprise connections

You can only use Google One Tap if you use a Google social connection (google-oauth2). It does not apply to Google Workspace enterprise connections. If your tenant uses Home Realm Discovery to route users with a corporate Google domain to an enterprise connection, that routing is unaffected.

Browser support

Google One Tap requires browser support for the FedCM API. Auth0 passes "itp_support: true" to the One Tap library by default. It is supported in Chrome and Chromium-based browsers. When browsers, such as iOS and Firefox, do not support FedCM, a different UX is provided.

Learn more