google / google-api-javascript-client

Google APIs Client Library for browser JavaScript, aka gapi.
Apache License 2.0

[Question] How to migrate Google Identity Services library. Code flow vs Implicit flow and refresh tokens. #835

Open ievgennaida opened 1 year ago

ievgennaida commented 1 year ago

I would appreciate advice on the best migration approach to the new Google Identity Services library.

  1. The app is not calling any Google services except to get profile info (only authentication).
  2. The backend is stateless REST APIs (multiple endpoints) that check whether a proper frontend access token is provided (Python verify_oauth2_token).

The Google Identity Services examples provided assume that the backend is calling Google APIs. There is also a proposal to store the access token and refresh token on the backend side when the frontend sends a code. It sounds like a lot of effort for the simple use case above.

There are multiple questions on this:

  1. If code flow is used (as recommended), do I really need to store the access token and refresh token on the backend and make my stateless service stateful? In some examples the access token and refresh token are still returned to the frontend; what is the purpose of not requesting them directly from Google on the frontend using implicit flow? How do I use the refresh token to request a new access token and keep the user signed in when no Google endpoints are called?

  2. For the implicit flow I have found an article from the doc: https://developers.google.com/identity/oauth2/web/guides/use-token-model

By design, access tokens have a short lifetime. If the access token expires prior to the end of the user's session, obtain a new token by calling requestAccessToken() from a user-driven event such as a button press. But calling this method shows the popup again, so it is not fully clear whether it's possible to silently continue a session while the user keeps using the frontend application. What is the workflow to keep the user signed in while activity is performed?

Thank you in advance!

akshg05 commented 1 year ago

I have been using Google Identity Services lately for my app authentication and realized that the redirect UX flow requires the redirect URL and POSTs the JWT token to it along with the redirection. This primarily has the following pitfalls:

  1. It is assumed that the frontend and backend are hosted on the same domain, which could very likely not be the case.
  2. Posting to the backend makes no sense and leaves no room for the frontend to receive communication of the successful authentication, i.e. verification of the token in the backend (backends being stateless here and intended to stay that way).

The proposed design of GIS is highly flawed, as the flow should have been to return the JWT token to the frontend instead and let the frontend app communicate with its backend. Google, we do not need you to take our share of overhead. Please make amends to the design architecture until there are serious security reasons to have gone southwards to the current implementation of GIS. It is only increasing the overhead for developers.

hermz365 commented 1 year ago

@ievgennaida

For the authentication-only case, you can consider using the Sign in With Google button or One Tap. They are part of Google Identity Services. They should streamline your migration, especially since your app is only getting profile info.

Also, you may want to review Migrating from Google Sign-In, which is the guide specific to authentication.

For your question on keeping your user signed in, please check out the Automatic sign-in and sign-out feature.
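The answer above points at Sign in With Google / One Tap for the authentication-only case, and the question mentions a stateless backend checking the token with Python's verify_oauth2_token. The following is an added example (not code from the gapi project or from anyone in this thread) of what that stateless backend check looks like: the frontend's credential callback sends the ID token as `Authorization: Bearer <id_token>` to its own backend (so nothing has to be POSTed to a login_uri on the backend's domain), and the backend verifies it on every request without storing tokens or sessions. The `CLIENT_ID` value is a placeholder, the `verify` parameter is injectable so the logic can be exercised offline, and the `allowed_hd` check is an optional Workspace-domain restriction added here for illustration. The verifier rejects expired tokens, so the frontend obtains a fresh credential through the automatic sign-in feature mentioned above rather than through any refresh token.

```python
"""Stateless backend check for a Sign in With Google credential (ID token).

Added example. Assumes the frontend sends the credential from the Sign in
With Google / One Tap callback as `Authorization: Bearer <id_token>` and the
backend verifies it with google-auth (pip install google-auth). No token or
session is stored server-side.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Placeholder: replace with the OAuth client ID the frontend was initialised with.
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class AuthError(Exception):
    """Raised for any reason the request must be answered with HTTP 401."""


@dataclass(frozen=True)
class Principal:
    sub: str                      # stable Google account id; key your users on this
    email: Optional[str]          # only set when Google reports it as verified
    hosted_domain: Optional[str]  # the `hd` claim for Workspace accounts, if any


def extract_bearer(headers: Mapping[str, str]) -> str:
    """Pull the raw ID token out of a case-insensitive Authorization header."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        raise AuthError("missing Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("expected 'Bearer <id_token>'")
    return token.strip()


def google_verifier(token: str) -> dict:
    """Check signature, expiry, audience and issuer against Google's public keys.

    Imported lazily so the rest of this module loads without google-auth
    installed. verify_oauth2_token raises ValueError on any failure.
    """
    from google.oauth2 import id_token
    from google.auth.transport import requests as google_requests

    return id_token.verify_oauth2_token(token, google_requests.Request(), CLIENT_ID)


def authenticate(
    headers: Mapping[str, str],
    verify: Callable[[str], dict] = google_verifier,
    allowed_hd: Optional[str] = None,
) -> Principal:
    """Turn request headers into a Principal, or raise AuthError (-> 401).

    `verify` is injectable so the surrounding logic can be tested without
    network access; in production leave it as google_verifier.
    """
    token = extract_bearer(headers)
    try:
        claims = verify(token)
    except ValueError as exc:
        raise AuthError(f"invalid ID token: {exc}") from exc

    # Defence in depth: repeat the checks the verifier is expected to make, so a
    # misconfigured or swapped verifier cannot silently widen who is accepted.
    if claims.get("aud") != CLIENT_ID:
        raise AuthError("token was issued for a different client ID")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise AuthError("unexpected issuer")
    sub = claims.get("sub")
    if not sub:
        raise AuthError("token has no subject")

    # Only trust the address if Google marks it verified; never key users on it.
    email = claims.get("email") if claims.get("email_verified") else None
    hd = claims.get("hd")
    if allowed_hd is not None and hd != allowed_hd:
        raise AuthError("account is not in the allowed Google Workspace domain")

    return Principal(sub=sub, email=email, hosted_domain=hd)
```

Each REST endpoint calls `authenticate(request.headers)` and maps `AuthError` to a 401; because every request carries the ID token, there is nothing for the backend to remember between calls, which is the stateless property the question asks about.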