Google external login setup in ASP.NET Core

By Valeriy Novytskyy and Rick Anderson

This tutorial shows you how to enable your users to sign in with their Google+ account using a sample ASP.NET Core 2.0 project created on the previous page. We start by following the official steps to create a new app in Google API Console.

Create the app in Google API Console

Google API Console

  • You are redirected to API Manager Library page:

Landing on the API Manager Library page

  • Tap Create and enter your Project name:

New Project dialog

  • After accepting the dialog, you are redirected back to the Library page allowing you to choose features for your new app. Find Google+ API in the list and click on its link to add the API feature:

Search for "Google+ API" in the API Manager Library page

  • The page for the newly added API is displayed. Tap Enable to add Google+ sign in feature to your app:

Landing on the API Manager Google+API page

  • After enabling the API, tap Create credentials to configure the secrets:

Create credentials button on API Manager Google+API page

  • Choose:
    • Google+ API
    • Web server (e.g. node.js, Tomcat), and
    • User data:

API Manager Credentials page: Find out what kind of credentials you need panel

  • Tap What credentials do I need? which takes you to the second step of app configuration, Create an OAuth 2.0 client ID:

API Manager Credentials page: Create an OAuth 2.0 client ID

  • Because we are creating a Google+ project with just one feature (sign in), we can enter the same Name for the OAuth 2.0 client ID as the one we used for the project.

  • Enter your development URI with /signin-google appended into the Authorized redirect URIs field (for example: https://localhost:44320/signin-google). The Google authentication configured later in this tutorial automatically handles requests at the /signin-google route to implement the OAuth flow.


The URI segment /signin-google is set as the default callback of the Google authentication provider. You can change the default callback URI while configuring the Google authentication middleware via the inherited RemoteAuthenticationOptions.CallbackPath property of the GoogleOptions class.

  • Press TAB to add the Authorized redirect URIs entry.

  • Tap Create client ID, which takes you to the third step, Set up the OAuth 2.0 consent screen:

API Manager Credentials page: Set up the OAuth 2.0 consent screen

  • Enter your public facing Email address and the Product name shown for your app when Google+ prompts the user to sign in. Additional options are available under More customization options.

  • Tap Continue to proceed to the last step, Download credentials:

API Manager Credentials page: Download credentials

  • Tap Download to save a JSON file with application secrets, and Done to complete creation of the new app.

  • When deploying the site, you'll need to revisit the Google Console and register a new public URL.

Store Google ClientID and ClientSecret

Link sensitive settings like Google Client ID and Client Secret to your application configuration using the Secret Manager. For the purposes of this tutorial, name the tokens Authentication:Google:ClientId and Authentication:Google:ClientSecret.

The values for these tokens can be found in the JSON file downloaded in the previous step under web.client_id and web.client_secret.

Configure Google Authentication

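Add the Google service in the ConfigureServices method in the Startup.cs file:

services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

// Register the Google handler; both values come from configuration (Secret Manager in development).
services.AddAuthentication().AddGoogle(googleOptions =>
{
    googleOptions.ClientId = Configuration["Authentication:Google:ClientId"];
    googleOptions.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
});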

The call to AddIdentity configures the default scheme settings. The AddAuthentication(String) overload sets the DefaultScheme property. The AddAuthentication(Action<AuthenticationOptions>) overload allows configuring authentication options, which can be used to set up default authentication schemes for different purposes. Subsequent calls to AddAuthentication override previously configured AuthenticationOptions properties.

AuthenticationBuilder extension methods that register an authentication handler may only be called once per authentication scheme. Overloads exist that allow configuring the scheme properties, scheme name, and display name.
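The registration above, as an added example that is not part of the original tutorial: it fails at startup when either secret is missing and writes out the default callback path that must match the redirect URI registered in the Google API Console. The names GoogleAuthSetup, AddGoogleSignIn and RequireSetting are hypothetical.

```csharp
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Added example. GoogleAuthSetup, AddGoogleSignIn and RequireSetting are
// hypothetical names introduced for illustration.
public static class GoogleAuthSetup
{
    // Call from Startup.ConfigureServices: services.AddGoogleSignIn(Configuration);
    public static AuthenticationBuilder AddGoogleSignIn(
        this IServiceCollection services, IConfiguration configuration)
    {
        // Resolve both values up front so a missing secret stops the app at
        // startup instead of surfacing on the first sign-in attempt.
        var clientId = RequireSetting(configuration, "Authentication:Google:ClientId");
        var clientSecret = RequireSetting(configuration, "Authentication:Google:ClientSecret");

        return services.AddAuthentication().AddGoogle(googleOptions =>
        {
            googleOptions.ClientId = clientId;
            googleOptions.ClientSecret = clientSecret;

            // Default value, written out. It must equal the path of the
            // Authorized redirect URI registered in the Google API Console.
            googleOptions.CallbackPath = "/signin-google";
        });
    }

    private static string RequireSetting(IConfiguration configuration, string key)
    {
        var value = configuration[key];
        if (string.IsNullOrWhiteSpace(value))
        {
            // Name the key only; never echo secret values into logs or error pages.
            throw new InvalidOperationException(
                $"Missing configuration value '{key}'. Set it with the Secret Manager " +
                "in development or as an application setting when deployed.");
        }
        return value;
    }
}
```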

Multiple authentication providers

When the app requires multiple providers, chain the provider extension methods behind AddAuthentication:

services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions => { ... })
    .AddGoogle(googleOptions => { ... })
    .AddTwitter(twitterOptions => { ... })
    .AddFacebook(facebookOptions => { ... });

The project template used in this tutorial ensures that Microsoft.AspNetCore.Authentication.Google package is installed.

  • To install this package with Visual Studio 2017, right-click on the project and select Manage NuGet Packages.
  • To install with .NET Core CLI, execute the following in your project directory:

dotnet add package Microsoft.AspNetCore.Authentication.Google

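In ASP.NET Core 1.x projects, add the Google middleware in the Configure method in the Startup.cs file instead:

// ASP.NET Core 1.x middleware registration; the options are passed as an object initializer.
app.UseGoogleAuthentication(new GoogleOptions()
{
    ClientId = Configuration["Authentication:Google:ClientId"],
    ClientSecret = Configuration["Authentication:Google:ClientSecret"]
});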

See the GoogleOptions API reference for more information on configuration options supported by Google authentication. This can be used to request different information about the user.

Sign in with Google

Run your application and click Log in. An option to sign in with Google appears:

Web application running in Microsoft Edge: User not authenticated

When you click on Google, you are redirected to Google for authentication:

Google authentication dialog

After entering your Google credentials, you are redirected back to the web site, where you can set your email.

You are now logged in using your Google credentials:

Web application running in Microsoft Edge: User authenticated

Forward request information with a proxy or load balancer

If the app is deployed behind a proxy server or load balancer, some of the original request information might be forwarded to the app in request headers. This information usually includes the secure request scheme (https), host, and client IP address. Apps don't automatically read these request headers to discover and use the original request information.

The scheme is used in link generation that affects the authentication flow with external providers. Losing the secure scheme (https) results in the app generating incorrect insecure redirect URLs.

Use Forwarded Headers Middleware to make the original request information available to the app for request processing.

For more information, see Configure ASP.NET Core to work with proxy servers and load balancers.
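One way to wire this up in an ASP.NET Core 2.x app, as an added example that is not part of the original tutorial: forwarded headers are accepted only from a named proxy and are applied before authentication runs, so the redirect URL sent to Google keeps the https scheme. ProxyAwareSetup and its two methods are hypothetical names, and 10.0.0.100 is a placeholder proxy address.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Added example. ProxyAwareSetup and its method names are hypothetical.
public static class ProxyAwareSetup
{
    // Call from Startup.ConfigureServices: services.AddTrustedProxyHeaders();
    public static IServiceCollection AddTrustedProxyHeaders(this IServiceCollection services)
    {
        return services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Process only the headers the app needs: the client IP and the
            // original scheme used in redirect URL generation.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // Forwarded headers are honored only when the request arrives from
            // a listed proxy or network (loopback by default). Any client can
            // send X-Forwarded-* headers, so list the real proxy explicitly
            // rather than clearing the lists. 10.0.0.100 is a placeholder.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));
        });
    }

    // Call early in Startup.Configure, before MVC: app.UseProxyAwareAuthentication();
    public static IApplicationBuilder UseProxyAwareAuthentication(this IApplicationBuilder app)
    {
        // Order matters: the scheme must be restored before the authentication
        // middleware builds the redirect URI for the external provider.
        app.UseForwardedHeaders();
        return app.UseAuthentication();
    }
}
```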


Troubleshooting

  • If you receive a 403 (Forbidden) error page from your own app when running in development mode (or break into the debugger with the same error), ensure that Google+ API has been enabled in the API Manager Library by following the steps listed earlier on this page. If the sign in doesn't work and you aren't getting any errors, switch to development mode to make the issue easier to debug.
  • ASP.NET Core 2.x only: If Identity isn't configured by calling services.AddIdentity in ConfigureServices, attempting to authenticate results in ArgumentException: The 'SignInScheme' option must be provided. The project template used in this tutorial ensures that this is done.
  • If the site database has not been created by applying the initial migration, you get the error "A database operation failed while processing the request". Tap Apply Migrations to create the database and refresh to continue past the error.

Next steps

  • This article showed how you can authenticate with Google. You can follow a similar approach to authenticate with other providers listed on the previous page.

  • Once you publish your web site to an Azure web app, you should reset the ClientSecret in the Google API Console.

  • Set the Authentication:Google:ClientId and Authentication:Google:ClientSecret as application settings in the Azure portal. The configuration system is set up to read keys from environment variables.