accounts-google
The accounts-google package is the login service that lets users of your app sign in with their Google account, using OAuth. It builds on top of accounts-base and the google-oauth package, registering Google as an available login service and exposing a client-side Meteor.loginWithGoogle helper.
Add it to your project with:
meteor add accounts-googleAdding the package automatically implies accounts-base and google-oauth, so the Accounts API and the underlying Google OAuth helpers become available as well.
Configuring the service
Before users can log in, you must register an OAuth application with Google and configure its credentials in your app. This is handled by the service-configuration package — see the OAuth Services Configuration guide for the full setup, including how to provide credentials through settings.json.
If you prefer a step-by-step UI, the accounts-ui package presents a guided configuration dialog. If you use accounts-ui but have not configured the service through service-configuration, the package prints a console notice suggesting you also add the matching configuration UI:
meteor add google-config-uiLogging in
On the client, the package adds the Meteor.loginWithGoogle function.
Meteor.loginWithGoogle(options, (error) => {
if (error) {
// handle the login failure
} else {
// successful login
}
});Meteor.loginWithGoogle([options], [callback])
optionsObject (optional) — options passed through to the underlying Google OAuth request.callbackFunction (optional) — called with a singleerrorargument on failure, or with no arguments on success. A callback may be passed as the first argument when nooptionsare needed.
Calling this function starts the OAuth flow with Google. Depending on the configured loginStyle ("popup" or "redirect", set in the service configuration), it either opens a pop-up window or redirects the page to Google's login page. Once the user authorizes the app, the Meteor client logs in to the server with the credentials returned by Google.
On Cordova, when Google Sign-In is available,
Meteor.loginWithGoogleuses Google's nativeGoogle.signInflow instead of a web pop-up. This is required because, after April 2017, Google OAuth login no longer works inside a WebView. See meteor/meteor#8253.
Requesting permissions
To request additional permissions (scopes) from the user, pass an array in options.requestPermissions:
Meteor.loginWithGoogle({
requestPermissions: ['profile', 'email'],
});When requestPermissions is not provided, accounts-google requests the profile scope by default. The user's accessToken is stored in the services.google field of their user document, so it can be used later to call the Google API on their behalf. The set of supported scope values is defined by Google; see Google's OAuth scopes reference. For the generic Meteor.loginWith<ExternalService> behavior shared by all OAuth login services, see the Accounts API documentation.
Additional Google-specific options
Beyond requestPermissions, the following options are recognized and translated into Google login URL parameters:
requestOfflineTokenBoolean — whentrue, sets Google'saccess_typetoofflineso a refresh token is issued; whenfalse, sets it toonline.promptString — passed through as Google'spromptparameter (for example"consent"or"select_account"). As a backwards-compatible alternative,forceApprovalPrompt: truesetspromptto"consent".loginHintString — passed through as Google'slogin_hintparameter to pre-fill the account to use.loginUrlParametersObject — additional Google login URL parameters merged into the request.
These option-to-parameter mappings are implemented in google-oauth's client. See Google's authentication URI parameters for the full list.
Restricting account creation by email domain
If you call Accounts.config({ restrictCreationByEmailDomain: 'example.com' }) with a string domain, accounts-google automatically adds Google's hd login URL parameter so Google's account chooser is scoped to that hosted domain. Note that this only changes Google's UI — accounts-base still verifies the user's email address on the server.
Setting up the Google app
In the Google Cloud Console go to APIs & Services → Credentials and create an OAuth client ID of type Web application.
Copy the Client ID and Client Secret — these are the
clientIdandsecretyou configure below.Add your redirect URI under Authorized redirect URIs. Meteor handles the callback at:
text<your-root-url>/_oauth/googlee.g.
http://localhost:3000/_oauth/googlein development.
Note: The google-oauth package always includes the email scope in the request, even if you only ask for profile. It is required to obtain the user ID from Google.
Native Google Sign-In on Cordova
On Cordova, Meteor.loginWithGoogle uses the native Google.signIn flow (web OAuth no longer works inside a WebView). To make it work you additionally need:
- a separate OAuth client of type Android and/or iOS in the Google Cloud Console (distinct from the Web
clientIdabove), and - the matching reversed client ID configured for the build (the
google-oauthpackage pulls in the Cordova Google Sign-In plugin).
Consult the current Google Sign-In Cordova plugin documentation for the exact per-platform values.
A complete example
1. Configure the OAuth credentials on the server (for example in server/main.js). Google uses clientId/secret:
import { ServiceConfiguration } from 'meteor/service-configuration';
await ServiceConfiguration.configurations.upsertAsync(
{ service: 'google' },
{
$set: {
loginStyle: 'popup', // or 'redirect' (use 'redirect' for mobile/Cordova)
clientId: 'YOUR_CLIENT_ID',
secret: 'YOUR_CLIENT_SECRET',
},
},
);See OAuth Services Configuration for the settings.json alternative and where to obtain these credentials.
2. Trigger the login. With Blaze you can drop in the ready-made widget from accounts-ui:
Or call the login function directly from your own button — this works with React, Vue, Svelte, plain JS, etc.:
function signIn() {
Meteor.loginWithGoogle(
{ requestPermissions: ['profile', 'email'] },
(error) => {
if (error) {
// The user closing the popup rejects with Accounts.LoginCancelledError.
console.error(error);
}
},
);
}3. Read the signed-in user. After a successful login the profile and token live under services.google:
const user = Meteor.user(); // reactive on the client
// user.services.google.id, user.services.google.accessToken, ...4. Log out:
Meteor.logout();Server behavior
On the server, accounts-google registers the google OAuth service and, when the autopublish package is enabled, publishes the following fields of the Google service data:
- For the logged-in user: Google's whitelisted profile fields plus
accessTokenandexpiresAt(the refresh token is not published). - For other users: the whitelisted profile fields excluding
emailandverified_email.
The whitelisted fields are defined by google-oauth and include id, email, verified_email, name, given_name, family_name, picture, locale, timezone, and gender.
See also
- Accounts API — the core
AccountsandMeteor.loginWith<ExternalService>APIs. - OAuth Services Configuration — configuring OAuth credentials.
- accounts-ui — drop-in login UI with a configuration wizard.

