I'm using google auth2.0 for a rest service (web single page app). I use it just for identifying and registering users.
My question is about best practice management of token and security.
After user registerd through googleAuth he can read and write some data, each time he reads/writes the client have to send the id_token and the server verifies (using google-auth-library) the timestamp before allowing any action.
Is this the correct way?
should I store the token in a database?
since the token is quite long (~1000 chars) is there a better way to authenticate each request without sending the whole token and verifying it server side?
thanks
i just want to evidence that I'm not using any google api services apart from identity service. all rest service are implemented in m backend server (nodejs) I just need to indentify the user each time he try to read or write resources of my app through my nodejs server. Can i use google access_token in some way??? or I have to verify each time google id_token?
