As I only provide the access_token to the server, there are various issues:
~id_token not available to server -> no user id or name available -> can't use user id for file storage or other things, no persistence in DB~ solved
refresh_token not available to server -> access_token may expire for longer running requests
The only supported flow that doesn't require a client secret seems to be implicit. That means only the Web Editor can connect easily, all other clients will need client secret that users obtain from the Google API Console.
Is there a way to get id_token and refresh_token again with just the access_token?
Implements #82