diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 443cd8be33e..c1b468c272a 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -2006,6 +2006,7 @@ en:
google_oauth2_hd_groups: "Retrieve users' Google groups on the hosted domain on authentication. Retrieved Google groups can be used to grant automatic Discourse group membership (see group settings). For more information see https://meta.discourse.org/t/226850"
google_oauth2_hd_groups_service_account_admin_email: "An email address belonging to a Google Workspace administrator account. Will be used with the service account credentials to fetch group information."
google_oauth2_hd_groups_service_account_json: "JSON formatted key information for the Service Account. Will be used to fetch group information."
+ google_oauth2_verbose_logging: "Log verbose Google OAuth2 related diagnostics to /logs"
enable_twitter_logins: "Enable Twitter authentication, requires twitter_consumer_key and twitter_consumer_secret. See Configuring Twitter login (and rich embeds) for Discourse."
twitter_consumer_key: "Consumer key for Twitter authentication, registered at https://developer.twitter.com/apps"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index a840d6d5866..0c6abed86b4 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -494,6 +494,8 @@ login:
google_oauth2_hd_groups_service_account_json:
default: ""
textarea: true
+ google_oauth2_verbose_logging:
+ default: false
enable_twitter_logins:
default: false
twitter_consumer_key:
diff --git a/lib/auth/google_oauth2_authenticator.rb b/lib/auth/google_oauth2_authenticator.rb
index ac331cd3d84..e5f32502031 100644
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@@ -24,23 +24,31 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
options = {
setup:
lambda do |env|
- strategy = env["omniauth.strategy"]
- strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
- strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret
+ opts = env["omniauth.strategy"].options
+ opts[:client_id] = SiteSetting.google_oauth2_client_id
+ opts[:client_secret] = SiteSetting.google_oauth2_client_secret
if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?
- strategy.options[:hd] = google_oauth2_hd
+ opts[:hd] = google_oauth2_hd
end
if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
- strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ")
+ opts[:prompt] = google_oauth2_prompt.gsub("|", " ")
+ end
+ opts[:client_options][:connection_build] = lambda do |builder|
+ if SiteSetting.google_oauth2_verbose_logging
+ builder.response :logger,
+ Rails.logger,
+ { bodies: true, formatter: Auth::OauthFaradayFormatter }
+ end
+ builder.request :url_encoded
+ builder.adapter FinalDestination::FaradayAdapter
end
-
# All the data we need for the `info` and `credentials` auth hash
# are obtained via the user info API, not the JWT. Using and verifying
# the JWT can fail due to clock skew, so let's skip it completely.
# https://github.com/zquestz/omniauth-google-oauth2/pull/392
- strategy.options[:skip_jwt] = true
+ opts[:skip_jwt] = true
end,
}
omniauth.provider :google_oauth2, options
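Review bot: With `bodies: true` in the `connection_build` lambda, turning on `google_oauth2_verbose_logging` sends the token-exchange request and response bodies to `Rails.logger`, and those would normally carry `client_secret`, the authorization code and the returned access/ID tokens. `Auth::OauthFaradayFormatter` is not defined in this diff, so whether it redacts those fields (and the `Authorization` header on the user-info call) cannot be confirmed from here; if it does not, every reader of /logs sees reusable credentials. I would state the guarantee at the call site, e.g. `# bodies: true is safe only because Auth::OauthFaradayFormatter redacts client_secret, code and token fields`, and add a spec asserting that none of those values appear in the logged output. The enclosing method starts above the hunk, so only the setup lambda was reviewed.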