I want to do something very similar to this tutorial, in which I'm getting the authCode from the web client and sending that authCode to a Java BE app to get credentials of a user and then using the credential to gain access to the Google Sheets API to create a spreadsheet on the user's drive.
According to google-api-java-client/oauth2 doc:
GoogleCredential takes care of automatically "refreshing" the token, which simply means getting a new access token.
Would I still be able to take advantage of the above statement, in which GoogleCredential automatically refreshes the token, if I'm authenticating and asking for permission on the client web app - aka, I call the grant offline request on the web app and then get the actual GoogleCredential in a Java BE app (using the authCode)? If so, how does that work? Why would others suggest storing the refreshToken in a db?
If I do decide to store in a db, would storing the refreshToken with the key as my app's unique identifier for a user be OK (instead of using the suggested sub identifier)? Is there a limit on the amount of time I can call the token to get a new accessToken per user? Even if an accessToken hasn't expired, is it better to just get a new accessToken for every new request (seems more secure)?