--- title: Social Google node description: Duplicates OAuth 2.0 node, but is preconfigured to work with Google. You specify only the Client ID and Client Secret. component: auth-node-ref version: 7.3 page_id: auth-node-ref::am-only/auth-node-social-google canonical_url: https://docs.pingidentity.com/auth-node-ref/7.3/am-only/auth-node-social-google.html section_ids: outcomes: Outcomes properties: Properties example: Example --- # Social Google node Duplicates [OAuth 2.0 node](auth-node-oauth2.html), but is preconfigured to work with Google. You specify only the `Client ID` and `Client Secret`. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This node and its related services, are deprecated.For information about the legacy/deprecated social authentication node and module implementations, refer to [Social authentication](https://backstage.forgerock.com/docs/am/7/authentication-guide/about-social-authn.html) in the *AM 7 Authentication and Single Sign-On Guide*. | ## Outcomes * `Account exists` * `No account exists` Evaluation continues along the `Account Exists` path if an account matching the attributes retrieved from Google are found in the user data store; otherwise, evaluation continues along the `No account exists` path. ## Properties | Property | Usage | | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Client ID *(required)* | Specifies the `client_id` parameter as provided by Google. | | Client Secret *(required)* | Specifies the `client_secret` parameter as provided by Google. | | Authentication Endpoint URL | Specifies the URL to the social provider's endpoint handling authentication as described in [section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1).Default: `https://accounts.google.com/o/oauth2/v2/auth` | | Access Token Endpoint URL | Specifies the URL to the endpoint handling access tokens as described in [section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.2).Default: `https://www.googleapis.com/oauth2/v4/token` | | User Profile Service URL | Specifies the user profile URL that returns profile information.Default: `https://www.googleapis.com/oauth2/v3/userinfo` | | OAuth Scope | Specifies a space-separated list of user profile attributes the client application requires, according to [The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/info/rfc6749). The list depends on the permissions the resource owner, such as the end user, grants to the client application.Default: `profile email`. | | Redirect URL | Specifies the URL the user is redirected to by Google after authenticating to continue the flow\.Set this property to the URL of the AM UI. For example, `https://openam.example.com:8443/openam/XUI/`. If the tree is not in the Top Level Realm, you can specify the realm in the redirect URL. Use a DNS alias for the realm, or add the realm as a query parameter; for example, https\://openam.example.com:8443/openam/XUI/?realm=/mySubRealm. For more information, refer to Configure DNS aliases to access a realm. | | Social Provider | Specifies the name of the social provider for which this node is being set up.Default: `google` | | Auth ID Key | Specifies the attribute the social identity provider uses to identify an authenticated individual.Default: `sub` | | Use Basic Auth | Specifies that the client uses HTTP Basic authentication when authenticating to Google.Default: `true` | | Account Provider | Specifies the name of the class that implements the account provider.Default: `org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider` | | Account Mapper | Specifies the name of the class that implements the method of locating local accounts based on the attributes returned from Google.Default: `org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper` | | Attribute Mapper | Specifies the list of fully qualified class names for implementations that map attributes from Google to AM profile attributes.Default: `org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper\|iplanet-am-user-alias-list\|google-` | | Account Mapper Configuration | Specifies the attribute configuration used to map the account of the user authenticated in the Social Google provider to the local data store in AM. Valid values are in the form `provider-attr=local-attr`.Default: `sub=uid`. When using the org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper class, you can parse JSON objects in mappings using dot notation. For example, given a JSON payload of: { "sub" : "12345", "name" : { "first\_name" : "Demo", "last\_name" : "User" } } You can create a mapper, such as name.first\_name=cn. | | Attribute Mapper Configuration | Map of Google user account attributes to local user profile attributes, with values in the form `provider-attr=local-attr`.Default: `sub=uid`, `name=cn`, `given_name=givenName`, `family_name=sn`, `email=mail`. When using the org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper class, you can parse JSON objects in mappings using dot notation. For example, given a JSON payload of: { "sub" : "12345", "name" : { "first\_name" : "Demo", "last\_name" : "User" } } You can create a mapper, such as name.first\_name=cn. | | Save attributes in the session | When enabled, saves the attributes in the Attribute Mapper Configuration field to the AM session.Default: `true`. | | OAuth 2.0 Mix-Up Mitigation Enabled | Controls whether the authentication node carries out additional verification steps when it receives the authorization code from the authorization server.Specifies that the client must compare the issuer identifier of the authorization server upon registration with the issuer value returned as the `iss` response parameter. If they do not match, the client must abort the authorization process. The client must also confirm that the authorization server's response is intended for the client by comparing the client's client identifier to the value of the `client_id` response parameter.The Token Issuer property must be entered when the OAuth 2.0 Mix-Up Mitigation feature is enabled, so that the validation can succeed. The authorization code response contains an issuer value (`iss`) for the client to validate.For more information, refer to [section 4 of OAuth 2.0 Mix-Up Mitigation Draft](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01#section-4). | | Token Issuer | Corresponds to the expected issuer identifier value in the `iss` field of the ID token.Example: `https://accounts.google.com` | ## Example The following example shows the node in context: ![Anonymous user mapping after social authentication](../_images/trees-node-Google-AnonymousUser-example.png)