
Google Authentication

Google Authentication allows users to log in to your application using their Google profile.

By default, Medplum automatically syncs user profile data with each user login, thereby ensuring that changes made in the connection source are automatically updated in Medplum. Optionally, you can disable user profile data synchronization to allow for updating profile attributes from your application.

Prerequisites

Before you begin:

Configure your OAuth consent screen and create credentials in the Google Developer Console.

While setting up your OAuth consent screen, use the following settings:

| Field | Value to Provide |
| --- | --- |
| User Type | External |
| Application Type | Select Public. |
| Authorized domains | medplum.com |

While setting up OAuth scopes, the minimum scopes required are:

  • "https://www.googleapis.com/auth/userinfo.email"
  • "https://www.googleapis.com/auth/userinfo.profile"
  • "openid"

If your application requests sensitive OAuth scopes or uses a custom image, Google will limit it to 100 logins until the OAuth consent screen is verified. Verification can take several days. To learn more about sensitive scopes, see Google's OAuth 2.0 Scopes for Google APIs documentation.

To pass verification you will need to prove ownership of all Authorized domains you specify on Google's OAuth consent screen. If you're using custom domains, use your custom domain instead of medplum.com.

Create Google credentials

Create Google OAuth Client Credentials using Google's Setting up OAuth 2.0 documentation.

While setting up your credentials, use the following settings:

| Field | Value to Provide |
| --- | --- |
| Application type | Web application |
| Authorized JavaScript origins | https://YOUR_DOMAIN |
| Authorized redirect URIs | https://YOUR_DOMAIN/login/callback |

When you successfully create the OAuth client, you will receive a Client ID and Client Secret. Google will present you with the option to "Download JSON". Do this, and save the JSON file for next steps.
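The downloaded file can be checked against the settings in the table above before it is used. The following is an added example, not Medplum's own code: the function name and the sample values are hypothetical, and the key names ("web", "client_id", "javascript_origins", "redirect_uris") are assumed to follow the layout Google uses for a downloaded Web application client.

```javascript
// Added example: compare a downloaded Google client JSON with the expected
// origin (https://DOMAIN) and redirect URI (https://DOMAIN/login/callback).
function checkGoogleCredentials(jsonText, domain) {
  const problems = [];
  let parsed;
  try {
    parsed = JSON.parse(jsonText);
  } catch (err) {
    return [`not valid JSON: ${err.message}`];
  }
  // Web application clients are stored under "web"; other client types are not.
  const web = parsed.web;
  if (!web) {
    return ['no "web" section: the client was not created as a Web application'];
  }
  const origin = `https://${domain}`;
  const callback = `${origin}/login/callback`;
  if (typeof web.client_id !== 'string' || !web.client_id.endsWith('.apps.googleusercontent.com')) {
    problems.push('client_id is missing or does not look like a Google OAuth client ID');
  }
  if (!web.client_secret) problems.push('client_secret is missing');
  const origins = web.javascript_origins || [];
  const redirects = web.redirect_uris || [];
  if (!origins.includes(origin)) problems.push(`javascript_origins lacks ${origin}`);
  if (!redirects.includes(callback)) problems.push(`redirect_uris lacks ${callback}`);
  // Extra entries widen the set of places Google will send users and codes to.
  for (const uri of [...origins, ...redirects]) {
    if (!uri.startsWith('https://')) problems.push(`non-HTTPS entry: ${uri}`);
    else if (uri !== origin && uri !== callback) problems.push(`unexpected entry: ${uri}`);
  }
  return problems;
}

// Constructed sample file (placeholder values, not real credentials).
const sample = JSON.stringify({
  web: {
    client_id: '1234567890-example.apps.googleusercontent.com',
    client_secret: 'PLACEHOLDER_SECRET',
    javascript_origins: ['https://app.example.com', 'http://localhost:3000'],
    redirect_uris: ['https://app.example.com/login/callback'],
  },
});
console.log(checkGoogleCredentials(sample, 'app.example.com'));
```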

You can initiate a login attempt using the Medplum Client with the startGoogleLogin convenience method.

Add Google Client ID to your Project

Go to the sites section of your admin console to set up your domain.

Add Google Client ID to your SignInForm

If using the Medplum React Component library, add your Google Client ID:

<SignInForm onSuccess={() => navigate('/')} googleClientId={process.env.GOOGLE_CLIENT_ID}>
  <Logo size={32} />
  <h1>Sign in to Foo Medical</h1>
</SignInForm>

You may want to use environment variables. Check your build tool for instructions. For example, with Webpack:

<SignInForm onSuccess={() => navigate('/')} googleClientId={process.env.GOOGLE_CLIENT_ID}>
  <Logo size={32} />
  <h1>Sign in to Foo Medical</h1>
</SignInForm>

Update app deployment with auth keys

To add Google auth to a @medplum/app deployment, modify the corresponding configuration file:

{
  // ...
  "googleClientId": "<Google API key>",
  "recaptchaSiteKey": "<ReCAPTCHA API key>"
}

Then, re-deploy the app using the CLI:

npx medplum aws update-app <environment>