@mathiasconradt Avoiding direct authentication is Google’s requirement in this flow. From their perspective, a correctly signed token is a valid reason for a user session, which is sort of the OpenID Connect way. Unfortunately, I cannot share full documentation and instructions on this.
Basically, direct authentication here is handled completely by Google, and the website receives only an ID token (no access token) as a sign of a trusted user account.
It appears to be a similar flow to Google’s One Tap sign-up, and it looks like there was a workaround solution for this in Auth0: “Integrating Google One-Tap sign-up/login with Auth0 - #9 by peter-auth0”. But it’s not exactly what’s needed here, since this workaround triggers authorization through Google instead of creating the user directly.