Google Sign In

Mushu provides Google Sign In authentication for iOS, Android, and web applications. Users authenticate with their Google account and receive JWT tokens for API access.

What This Is

Google Sign In lets users authenticate with their Google account. Mushu handles token validation and session management, so you get simple JWTs to use in your app.

When to Use

  • You're building an Android app and want native Google authentication
  • You want to offer Google as a sign-in option alongside Apple
  • You need web authentication via Google One Tap or OAuth redirect
  • You want unified identity across iOS, Android, and web

Supported Flows

| Flow | Platform | How It Works |
|---|---|---|
| Native (auth code) | iOS, Android | Google SDK returns serverAuthCode, server exchanges for tokens |
| One Tap (id_token) | Web | Google Identity Services returns id_token directly via JavaScript |
| OAuth redirect (code) | Web | Standard OAuth 2.0 redirect flow with authorization code |

Setup

1. Google Cloud Console

  1. Go to the Google Cloud Console
  2. Create an OAuth 2.0 Client ID (type: Web application)
  3. Note your Client ID and Client Secret
  4. Add authorized redirect URIs (Mushu provides the callback URL)

2. Configure in Mushu

Register your Google credentials with the Auth Providers API:

curl -X POST https://auth.mushucorp.com/apps/YOUR_APP_ID/auth-providers \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "provider_type": "google",
    "enabled": true,
    "google_client_id": "YOUR_CLIENT_ID.apps.googleusercontent.com",
    "google_client_secret": "YOUR_CLIENT_SECRET"
  }'

Or configure via the Admin Dashboard under your tenant's auth provider settings.

Security: The client secret is encrypted and stored in AWS Secrets Manager, not in the database. Only the client ID is stored in DynamoDB.

Native Mobile Integration

Android

Use the Google Sign-In SDK to get a serverAuthCode, then exchange it with Mushu:

// After Google Sign-In completes
val authCode = account.serverAuthCode

// Exchange with Mushu
val response = mushuApi.post("/auth/google?app_id=YOUR_APP_ID", json {
    "authorization_code" to authCode
    "client_id" to "YOUR_GOOGLE_CLIENT_ID"
    "nonce" to generatedNonce
})

iOS

Use the Google Sign-In SDK for iOS:

import GoogleSignIn

GIDSignIn.sharedInstance.signIn(withPresenting: self) { result, error in
    guard let serverAuthCode = result?.serverAuthCode else { return }

    // Exchange with Mushu
    exchangeGoogleToken(authCode: serverAuthCode)
}

Token Exchange

Exchange the authorization code for Mushu session tokens:

POST /auth/google?app_id=YOUR_APP_ID
Content-Type: application/json

{
  "authorization_code": "SERVER_AUTH_CODE",
  "client_id": "YOUR_GOOGLE_CLIENT_ID",
  "nonce": "RANDOM_NONCE"
}

Web One Tap Integration

Google One Tap returns an id_token directly via JavaScript callback. Send it to Mushu without a code exchange step:

google.accounts.id.initialize({
  client_id: 'YOUR_GOOGLE_CLIENT_ID',
  callback: handleCredentialResponse,
  nonce: generatedNonce
});

function handleCredentialResponse(response) {
  fetch('/auth/google?app_id=YOUR_APP_ID', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      id_token: response.credential,
      client_id: 'YOUR_GOOGLE_CLIENT_ID',
      nonce: generatedNonce
    })
  });
}
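
The snippets above pass generatedNonce without showing where it comes from. The following added example (not Mushu's code; all function names are hypothetical) generates the nonce and, before posting response.credential, checks that the id_token's aud, nonce and exp claims belong to this sign-in attempt. It decodes the token without verifying the signature, which remains the server's job.

```javascript
// Added example, not Mushu's code. Function names are hypothetical.

// 128 bits from the platform CSPRNG, hex-encoded; Math.random() is not suitable.
function newNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Decode a JWT's payload segment. This does NOT verify the signature.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const claims = JSON.parse(new TextDecoder().decode(bytes));
  if (claims === null || typeof claims !== 'object') throw new Error('payload is not an object');
  return claims;
}

// Returns a list of problems; an empty list means the token belongs to this attempt.
function checkIdToken(idToken, expectedClientId, expectedNonce, nowSeconds) {
  let claims;
  try {
    claims = decodeJwtPayload(idToken);
  } catch (e) {
    return ['malformed token'];
  }
  const problems = [];
  if (claims.aud !== expectedClientId) problems.push('aud mismatch');
  // A missing expected nonce must fail closed, not match a token without one.
  if (typeof expectedNonce !== 'string' || claims.nonce !== expectedNonce) problems.push('nonce mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('expired');
  return problems;
}

// Constructed, unsigned sample token for trying the check offline.
function makeSampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const sample = makeSampleToken({ aud: 'YOUR_GOOGLE_CLIENT_ID', nonce: 'n-1', exp: 2000 });
console.log(checkIdToken(sample, 'YOUR_GOOGLE_CLIENT_ID', 'n-1', 1000));
console.log(checkIdToken(sample, 'YOUR_GOOGLE_CLIENT_ID', 'n-2', 1000));
```

In handleCredentialResponse, call checkIdToken(response.credential, clientId, generatedNonce, Date.now() / 1000) and skip the POST when the list is non-empty.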

Web OAuth Redirect Flow

For server-side web apps, use the standard OAuth redirect flow:

https://auth.mushucorp.com/auth/google/authorize?redirect_uri=YOUR_CALLBACK_URL&app_id=YOUR_APP_ID

After authentication, Google redirects to Mushu's callback, which redirects to your app with tokens:

YOUR_CALLBACK_URL#access_token=xxx&refresh_token=yyy
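
The tokens arrive in the URL fragment, which the browser does not send to your server, so the callback page has to read them in JavaScript. The following added example (not Mushu's code; function names are hypothetical) parses the fragment format shown above and then removes it from the address bar and the current history entry so the tokens are not left in a bookmarkable URL.

```javascript
// Added example, not Mushu's code. Function names are hypothetical.

// Parse "#access_token=...&refresh_token=..." as delivered to YOUR_CALLBACK_URL.
// Returns null unless each token is present exactly once and non-empty.
function parseTokenFragment(hash) {
  const raw = String(hash || '').replace(/^#/, '');
  if (raw === '') return null;
  const params = new URLSearchParams(raw);
  const out = {};
  for (const key of ['access_token', 'refresh_token']) {
    const values = params.getAll(key);
    if (values.length !== 1 || values[0] === '') return null; // missing or duplicated
    out[key] = values[0];
  }
  return out;
}

// The URL to leave in the address bar: same path and query, no fragment.
function urlWithoutFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.pathname + url.search;
}

// Browser entry point; pass `window`. Reads the tokens once, then scrubs the URL.
function consumeCallback(win) {
  const tokens = parseTokenFragment(win.location.hash);
  // Scrub even when parsing fails so nothing token-like stays in the URL.
  win.history.replaceState(null, '', urlWithoutFragment(win.location.href));
  return tokens;
}

// Constructed sample values for an offline run.
console.log(parseTokenFragment('#access_token=xxx&refresh_token=yyy'));
console.log(parseTokenFragment('#access_token=xxx'));
```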

Response Format

All flows return the same response:

{
  "user": {
    "user_id": "google-user-sub",
    "user_type": "google",
    "email": "user@gmail.com",
    "email_verified": true,
    "name": "User Name"
  },
  "tokens": {
    "access_token": "...",
    "refresh_token": "..."
  }
}

RISC Notifications

Google RISC (Cross-Account Protection) sends notifications when a user's Google account changes state. Mushu handles these at POST /auth/google/notifications.

Event Types

| Event | What Happens |
|---|---|
| account-disabled | Google account disabled. User marked deleted, tokens invalidated. |
| account-purged | Google account deleted. User marked deleted, tokens invalidated. |
| sessions-revoked | User revoked all sessions. User marked revoked. |
| tokens-revoked | User revoked app tokens. User marked revoked. |

RISC Configuration

To receive RISC notifications, configure the receiver URL in your Google Cloud Console:

  1. Go to APIs & Services > Credentials
  2. Select your OAuth client
  3. Under RISC configuration, set the receiver URL to:
    https://auth.mushucorp.com/auth/google/notifications?app_id=YOUR_APP_ID

Differences from Apple Sign In

| Aspect | Apple | Google |
|---|---|---|
| Platform fallback | Uses Mushu's shared credentials if not configured | Must configure your own credentials (no shared option) |
| Native SDK returns | id_token + authorization_code | serverAuthCode only |
| Web callback | POST (form_post) | GET (query params) |
| One Tap | N/A | Returns id_token directly |

FAQ

What user data does Mushu store?

Mushu stores the user ID (from Google), email, name, and profile picture URL. Google provides the hd (hosted domain) claim for Workspace accounts, which is also stored.

Can I use Google Sign In without Apple?

Yes. Each provider is independent. However, note that Apple requires apps offering third-party login on iOS to also offer Apple Sign In.

Can users link Apple and Google accounts?

Account linking via shared email is planned. Currently, Apple and Google sign-ins create separate user records.

Pricing

  • Login: $0.005 per authentication
  • Token refresh: Free
  • Session management: Free

See Pricing for full details.