vestibule_google
Google OAuth strategy with verified-email handling, hosted-domain enforcement, and refresh-token guidance.
When to use it
Use Google when users sign in with Google or Google Workspace accounts and your app needs normalized profile data.
Default scopes: openid email profile
Install
gleam add vestibule_googleSetup shape
- Create a Google Cloud project.
- Configure OAuth consent screen with openid, email, and profile scopes.
- Create a Web application OAuth client ID.
- Add development and HTTPS production redirect URIs exactly.
Usage
import vestibule/config
import vestibule_google
let strategy = vestibule_google.strategy()
let cfg =
config.new(
"google-client-id",
"google-client-secret",
"http://localhost:8000/auth/google/callback",
)
let workspace_strategy =
vestibule_google.strategy_for_hosted_domain("corp.example")What Vestibule handles
- UserInfo.email is only populated when email_verified is true.
- config.with_extra_params can request offline access.
- strategy_for_hosted_domain validates the hd claim server-side.
- The hd authorization parameter alone is only an account-picker hint.
Notes to keep explicit
- Google only returns a refresh token on first consent for a client/user/scope combination.
- Use access_type=offline and prompt=consent when requesting refresh tokens.