Open ievgennaida opened 1 year ago
I have been using Google Identity Services lately for my app's authentication and realized that the redirect UX flow requires a redirect URL and POSTs the JWT token to it along with the redirection. This primarily has the following pitfalls:
The proposed design of GIS is highly flawed, as the flow should have been to return the JWT token to the front end instead and let the frontend app communicate with its backend. Google, we do not need you to take our share of the overhead. Please make amends to the design architecture unless there are serious security reasons to have gone southwards to the current implementation of GIS. It is only increasing the overhead for developers.
@ievgennaida
For the authentication-only case, you can consider using the Sign in With Google button or One Tap. They are part of Google Identity Services. They should streamline your migration approach, especially if your app is only getting profile info.
Also, you may want to review Migrating from Google Sign-In, which is the guide specific to authentication.
For your question on keeping your user signed in, please check out the Automatic sign-in and sign-out feature.
I would appreciate advice on the best migration approach to the new Google Identity Services library.
The Google Identity Services examples provided assume that the backend is calling Google APIs. Also there is a proposal to store the access token and refresh tokens on the backend side when the frontend is sending the code. It sounds like a lot of effort for the simple use case above.
There are multiple questions on this:
In case the code flow is used (as recommended), do I really need to store the access token and refresh token on a backend and make my stateless service stateful? In some examples the access token and refresh token are still returned to the frontend, so what is the purpose of not requesting them directly from Google on the frontend using the implicit flow? How do I use the refresh token to request a new access token and keep the user signed in when no Google endpoints are called?
For the implicit flow I have found this in the doc: https://developers.google.com/identity/oauth2/web/guides/use-token-model
By design, access tokens have a short lifetime. If the access token expires prior to the end of the user's session, obtain a new token by calling requestAccessToken() from a user-driven event such as a button press.
But calling this method shows the popup again, so it is not fully clear whether it's possible to silently continue a session while the user continues using the frontend application. What is the workflow to keep the user signed in while activity is performed? Thank you in advance!
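The question above asks what the backend actually has to keep when the code flow is used. The following is an added example, not code from the issue thread or from Google's library: a Node.js backend that keeps the refresh token server-side and uses it to mint a new access token when the cached one is about to expire, so the browser never holds either token. The request parameters follow Google's documented refresh request to its token endpoint (`client_id`, `client_secret`, `refresh_token`, `grant_type=refresh_token`); the client ID, client secret, user IDs, token values and the in-memory store are constructed fixtures, and `fakeTokenEndpoint` stands in for Google so the example runs offline.

```javascript
const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
// Assumptions: real values come from server config; the secret never reaches the browser.
const CLIENT_ID = '1234567890-example.apps.googleusercontent.com';
const CLIENT_SECRET = 'server-side-secret';
const REFRESH_SKEW_SECONDS = 60; // refresh a little early rather than race the clock

// Per-user record: { accessToken, expiresAt (unix seconds), refreshToken }.
// A Map stands in for a database or cache; encrypt refresh tokens at rest.
const tokenStore = new Map();

function unixNow() { return Math.floor(Date.now() / 1000); }

// Called once with the response of the auth-code exchange; tokens stay on the server.
function saveTokens(userId, { access_token, expires_in, refresh_token }, now = unixNow()) {
  const previous = tokenStore.get(userId);
  tokenStore.set(userId, {
    accessToken: access_token,
    expiresAt: now + expires_in,
    // Google returns a refresh token only on the first consent; keep the stored one otherwise.
    refreshToken: refresh_token || (previous && previous.refreshToken) || null,
  });
}

// Returns a usable access token for a backend API call, refreshing when needed.
async function getAccessToken(userId, { fetchImpl = globalThis.fetch, now = unixNow() } = {}) {
  const rec = tokenStore.get(userId);
  if (!rec) throw new Error('no tokens for user; run the code flow first');
  if (rec.accessToken && rec.expiresAt - REFRESH_SKEW_SECONDS > now) {
    return { token: rec.accessToken, refreshed: false };
  }
  if (!rec.refreshToken) throw new Error('no refresh token; user must re-consent');
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      refresh_token: rec.refreshToken,
      grant_type: 'refresh_token',
    }).toString(),
  });
  const data = await res.json();
  if (!res.ok || data.error) {
    if (data.error === 'invalid_grant') {
      // Refresh token revoked or expired: drop it so the app re-runs the code flow.
      tokenStore.delete(userId);
    }
    throw new Error(`refresh failed: ${data.error || res.status}`);
  }
  rec.accessToken = data.access_token;
  rec.expiresAt = now + data.expires_in;
  return { token: rec.accessToken, refreshed: true };
}

// Constructed stand-in for Google's token endpoint (fetch-compatible) for offline runs.
function fakeTokenEndpoint(validRefreshTokens) {
  let counter = 0;
  const calls = [];
  const fetchImpl = async (url, init) => {
    const params = new URLSearchParams(init.body);
    calls.push(Object.fromEntries(params));
    const accepted = url === TOKEN_ENDPOINT
      && params.get('grant_type') === 'refresh_token'
      && params.get('client_secret') === CLIENT_SECRET
      && validRefreshTokens.has(params.get('refresh_token'));
    if (!accepted) {
      return { ok: false, status: 400, json: async () => ({ error: 'invalid_grant' }) };
    }
    counter += 1;
    return {
      ok: true, status: 200,
      json: async () => ({ access_token: `ya29.fixture-${counter}`, expires_in: 3599, token_type: 'Bearer' }),
    };
  };
  return { fetchImpl, calls };
}
```

The stateful part is exactly one record per user, and it exists only because the backend calls Google APIs on the user's behalf; if it does not, verifying the ID token once and issuing your own session is enough, and there is nothing to refresh.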