
How to correctly implement abstract getUserId(request) method in these Google OAuth2 abstract servlets?

As the code says, it is used to look up and store the Google credential. I've seen an example which returns the session id, but that won't work correctly after session expiration:

  1. User visits the auth url, his access and refresh tokens are stored in storage under the sessionId key
  2. Within the session lifetime, everything works fine, so if this user visits the auth url again, his stored tokens are found with the same sessionId key
  3. But after session expiration (server restart etc.) when this user visits the auth url again, he gets a new sessionId, no stored tokens are found, so new tokens (this time only an access token) are requested and stored again under the new sessionId key

So the question is - how to generate userId that will work in all cases? GoogleAppEngine implementation uses logged user, which is perfectly fine - but how do I generate such userId from just HttpRequest parameter?

BTW this (https://developers.google.com/gmail/api/auth/web-server) python implementation seems to generate a parallel userinfo request to get the user email manually...

user3686724

1 Answer


First, make sure you need offline access to the user's credentials.

The reason all of these examples you cite use logged in user is because the user id is necessary to store the credentials against the correct user in the credential store. In those use cases, Google OAuth is used to authorize the web server to undertake some action in the user's Google account.

One idea for the user id is to create a long lived cookie (using a secure random generator) and use that to identify the user, so you know who they are when they visit the site again, and can reuse the credential (if you asked for offline access). This is not very robust, as the user can clear their cookies, but there is no other way short of logging the user in.

(Yes, Google OAuth can be used to log in the user, but you are still looking at sending the user to Google every time, so you really gain nothing by doing that).

Tony BenBrahim
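One way to implement the cookie idea from the answer, as an added example that is not from the answer or from Google's client library: a servlet filter placed in front of the OAuth servlet, since getUserId only receives the request and cannot set a cookie on the response itself. It assumes the javax.servlet 4.0 API (Filter.init/destroy have default bodies there) and the cookie name, attribute name and lifetime are values chosen for this example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Guarantees a long-lived, high-entropy identifier cookie on every request and exposes
// its value as a request attribute, so the servlet's getUserId(req) is simply:
//   return (String) req.getAttribute(UserIdCookieFilter.ATTR_NAME);
public class UserIdCookieFilter implements Filter {
    static final String COOKIE_NAME = "uid";            // assumed name
    static final String ATTR_NAME = "oauthUserId";      // assumed name
    static final int MAX_AGE_SECONDS = 365 * 24 * 3600; // assumed lifetime: one year
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String userId = findCookie(req);
        if (userId == null) {
            userId = newUserId();
            Cookie c = new Cookie(COOKIE_NAME, userId);
            c.setMaxAge(MAX_AGE_SECONDS); // outlives the HTTP session and server restarts
            c.setHttpOnly(true);          // the value unlocks stored tokens: keep it from scripts
            c.setSecure(true);            // and off plain HTTP
            c.setPath("/");
            resp.addCookie(c);
        }
        req.setAttribute(ATTR_NAME, userId);
        chain.doFilter(req, resp);
    }

    // Accept the cookie only if it has exactly the shape newUserId() produces; anything
    // else is treated as absent rather than used as a key into the credential store.
    static String findCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue().matches("[A-Za-z0-9_-]{43}")) return c.getValue();
        }
        return null;
    }

    // 256 random bits as unpadded URL-safe base64: 43 characters.
    static String newUserId() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

Because the cookie value is the lookup key for a stored refresh token, it should be treated like a session secret: keep the credential store keyed by this value server-side only, and never log or echo it.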