Skip to content
Open
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion main/config/navigation/authenticate.json
Original file line number Diff line number Diff line change
Expand Up @@ -191,7 +191,8 @@
"group": "For Web Applications",
"pages": [
"docs/authenticate/identity-providers/social-identity-providers/github",
"docs/authenticate/identity-providers/social-identity-providers/google"
"docs/authenticate/identity-providers/social-identity-providers/google",
"docs/authenticate/identity-providers/social-identity-providers/google-one-tap"
]
},
{
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
---
title: Google One Tap for Universal Login
description: Learn how to enable Google One Tap on your Universal Login page to let users authenticate with a single tap using their active Google session.
validatedOn: 2026-06-17
---

import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"

<ReleaseStageNotice
feature="Google One Tap"
stage="ea"
terms="true"
contact="Auth0 Support"
/>

Auth0 supports [Google One Tap](https://developers.google.com/identity/gsi/web/guides/overview) user authentication with [Universal Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/universal-experience). Google One Tap allows users to sign in or sign up with a single tap by using an active Google session in their browser without leaving your Universal Login page. When a user with an active Google account visits your login page, the Google One Tap prompt appears as an overlay with the user's active account. The user selects it, and Auth0 validates the credential and creates a session. No redirect to Google is required.

## How it works

Google One Tap uses the [Federated Credential Management (FedCM) API](https://developer.chrome.com/docs/identity/fedcm/overview), a browser-native authentication standard that does not rely on third-party cookies or page redirects.

1. A user arrives at your Universal Login page with an active Google session in their browser.
2. Universal Login detects the active Google session and displays the Google One Tap overlay.
3. The user selects their Google account from the prompt.
4. Google returns a signed ID token to Universal Login.
5. Auth0 validates the ID token against the Google social connection configured for your tenant.
6. Auth0 creates or updates the user profile and issues Auth0 tokens.
7. The user is redirected to your application.

If the user's browser does not support FedCM, or if the user dismisses the prompt, the standard **Continue with Google** option remains available on the login page.

<Card title="Before you start">

* You must enable and configure Universal Login for your tenant. Google One Tap is not supported in the Classic Login experience. To learn more, read [Universal Login vs. Classic Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login).
* You must create and configure a Google social connection (`google-oauth2`) in your tenant. To learn more, read [Add Google Login to Your App](/docs/authenticate/identity-providers/social-identity-providers/google).

</Card>

## Enable Google One Tap

Enable Google One Tap on individual applications using the Management API.

Call the [Update a client](/docs/api/management/v2/clients/patch-clients-by-id) endpoint and set `fedcm_login.google.is_enabled` to `true`:

```json
PATCH /api/v2/clients/{id}

{
"fedcm_login": {
"google": {
"is_enabled": true
}
}
}
```

To disable Google One Tap for a specific application, set `is_enabled` to `false`.

## Considerations

### Multi-factor Authentication (MFA)

If your tenant or connection policy requires [multi-factor authentication (MFA)](/docs/secure/multi-factor-authentication), Google One Tap completes the first authentication factor using the Google ID token. Auth0 then presents the standard Universal Login MFA challenge screen for the second factor. Users complete MFA as part of the Universal Login flow.

### Enterprise connections

You can only use Google One Tap if you use a Google social connection (`google-oauth2`). It does not apply to [Google Workspace enterprise connections](/docs/authenticate/identity-providers/enterprise-identity-providers/google-apps). If your tenant uses Home Realm Discovery to route users with a corporate Google domain to an enterprise connection, that routing is unaffected.

### Browser support

Google One Tap requires browser support for the FedCM API. It is supported in Chrome and Chromium-based browsers. When FedCM is unavailable, Auth0 reverts to the standard **Continue with Google** button on your Universal Login page.

## Learn more

* [Add Google Login to Your App](/docs/authenticate/identity-providers/social-identity-providers/google)
* [Add Sign In with Google to Native Android Apps](/docs/authenticate/identity-providers/social-identity-providers/google-native)
* [Universal Login Experience](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/universal-experience)
* [Enable MFA](/docs/secure/multi-factor-authentication/enable-mfa)
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,10 @@ Use the Google Auth Platform to:
Before creating an OAuth client ID, you must configure the OAuth consent screen with information about your application. When you use OAuth 2.0 for authorization, your application requests one or more scopes of access from a Google Account. Google displays a consent screen to the user, including a summary of your project, its policies, and the requested access scopes.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
If your application requests sensitive OAuth scopes or uses a custom image, [Google limits it to 100 logins until the OAuth consent screen is verified](https://support.google.com/cloud/answer/10311615). Consent screen verification may take up to several days.
If your application requests sensitive OAuth scopes or uses a custom image, [Google limits it to 100 logins until the OAuth consent screen is verified](https://support.google.com/cloud/answer/15549049). Consent screen verification may take up to several days.
</Callout>

In the Google Cloud Console, [configure your Google OAuth consent screen](https://support.google.com/cloud/answer/10311615):
In the Google Cloud Console, [configure your Google OAuth consent screen](https://support.google.com/cloud/answer/15549049):

<Steps>
<Step title="Configure branding">
Expand Down Expand Up @@ -123,6 +123,11 @@ Use the Auth0 Dashboard to create and configure a Google social connection with
</Step>
</Steps>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
If you use New Universal Login, you can enable Google One Tap to give users a one-tap sign-in experience using their active Google session. To learn more, read [Google One Tap for Universal Login](/docs/authenticate/identity-providers/social-identity-providers/google-one-tap).

</Callout>

## Test the connection

Once you have created your Google social connection, verify that it works before deploying to production.
Expand All @@ -133,8 +138,9 @@ Once you have created your Google social connection, verify that it works before
4. Authenticate with your Google account when prompted.
5. Confirm that Auth0 returns user profile data, including the user's name and email address.

## Keep reading
## Learn more

* [Google One Tap for Universal Login](/docs/authenticate/identity-providers/social-identity-providers/google-one-tap)
* [Add Sign In with Google to Native Android Apps](/docs/authenticate/identity-providers/social-identity-providers/google-native)
* [Test Social Connections Using Auth0 Developer Keys](/docs/authenticate/identity-providers/social-identity-providers/devkeys)
* [Create Custom Social Connections](/docs/authenticate/identity-providers/social-identity-providers/oauth2)
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ To help you choose the best solution for your needs, the table below compares th
| **Passwordless authentication** | Yes | Yes, with [SMS or Email](/docs/authenticate/login/auth0-universal-login/passwordless-login) |
| **Email magic link** | No | [Yes](/docs/authenticate/passwordless/authentication-methods/email-magic-link) |
| **Passkeys** | [Yes](/docs/authenticate/database-connections/passkeys) | No |
| **Google One Tap** | [Yes](/docs/authenticate/identity-providers/social-identity-providers/google-one-tap) | No |
| **WebAuthn and device biometrics** | [Yes](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn) | No |
| **Web Content Accessibility Guidelines (WCAG) Compliance** | Yes | No |
| **Organizations support** | [Yes](/docs/manage-users/organizations) | No |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ The following sections provide additional details about the Universal Login expe
* If you redirect users to the `/login` page directly, they will receive an error unless you configured a default login route. To learn more, review [Configure Default Login Routes](/docs/authenticate/login/auth0-universal-login/configure-default-login-routes). You should always redirect users to the proper authorization request endpoint (e.g., `/authorize` if you are using <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect).
* You can specify the `login_hint` when redirecting to Auth0 and use this information to populate the username/email field for the login or signup page.
* Passkeys are available as an authentication method for [database connections](/docs/authenticate/database-connections). Passkeys are a phishing-resistant alternative to traditional authentication factors (such as username/password) that offer an easier and more secure login experience to users. To learn more, review [Passkeys](/docs/authenticate/database-connections/passkeys).
* If you use a Google social connection, you can enable [Google One Tap](/docs/authenticate/identity-providers/social-identity-providers/google-one-tap) to let users sign in or sign up with a single tap using their active Google session, without leaving the Universal Login page.

### Signup

Expand Down Expand Up @@ -73,7 +74,7 @@ After a user clicks the email verification link, they'll be redirected to a page

## Password autocomplete

Universal Login pages use the [autocomplete attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete) for password fields.
Universal Login pages use the [autocomplete attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/autocomplete) for password fields.

On the signup and password reset pages, `autocomplete` is set to `"new-password"`. This signals the password manager to prompt the user to generate a secure, random password. The user has to provide explicit consent to save the password in the password manager.

Expand All @@ -91,6 +92,7 @@ To learn how to set up your application to use Universal Login, read our [Quicks

## Learn more

* [Google One Tap for Universal Login](/docs/authenticate/identity-providers/social-identity-providers/google-one-tap)
* [Configure Default Login Routes](/docs/authenticate/login/auth0-universal-login/configure-default-login-routes)
* [Configure SMS and Voice Notifications for MFA](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-sms-voice-notifications-mfa)
* [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors)
Loading