2

I'm using the new Google Identity Services to login a user to my web app, calling google.accounts.id.initialize().

I then send that id_token as credentials to the server on every request, which uses OAuth2Client.verifyIdToken() to verify the user's identity.

However, that id_token eventually expires and I'm not sure how to refresh the token on the client. Is that possible?

codedread
  • 1,312
  • 11
  • 18

1 Answers1

1

Rather than sending the ID token to the server on every request, I would suggest you send the ID token to your server only once (which is the first time you have tried to authenticate the particular user).

The first time you send the ID token to your server, use it to validate the ID token and then issue a JWT token back to your client. Your client can send this JWT to your server anytime authentication or authorization is required. That way, you can control when it expires and how to refresh it when it does.

This might be the best way to go about it because I'm not sure google returns a refresh token for regenerating an ID token and you also cannot control when the ID token expires.

Narhzih
  • 11
  • 3
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jul 22 '22 at 10:49