I am working on integrating Google Apps into my PHP application. I already have a login system that assigns a session identifier to the user (after they enter their user name and password); it is stored in the database when the user logs in. The session identifier becomes invalid after a certain period of inactivity (user-configurable: 5 minutes, 15, 60, ...). This session ID is passed in the URL to check whether the user is still logged in. When the user logs out, the session identifier is deleted from the database.
I allow users to register with Google by storing their Google ID in the database. When they log in, I request an access token, request userinfo, check whether the Google ID is in the database, and if so assign a session ID to this user. Since I want to be able to call other APIs, I also store the JSON access token in the database. When a user logs out, the access token is also deleted from the database.
This works: my users can log in using their Google account, and I can call the API using the saved access_token. However, some things seem awkward and make me feel insecure about my workflow:
If you force approval you get a refresh_token. It seems to me that I should use this refresh token to get a new access token, instead of deleting the old one from the database and inserting a new one when the user logs in again. On the other hand, when a user logs in I don't yet know who it is, so I don't know which refresh token to use. Perhaps I do not understand what the refresh token is needed for. In addition, I do not want to force approval every time, so I cannot even use the refresh_token in this case.
As already mentioned, users can decide how long their session lasts, but the Google access_token always expires after 3600 seconds. It would be really stupid if users worked for an hour on the system and after that the Google API suddenly failed, forcing them to log in again. The Google OAuth playground shows a checkbox "Auto-renew the token before it expires", but I don't see how to do that. Should I use the refresh token here? Or just request a new token in the background (if I did not force approval)?
userinfo (https://www.googleapis.com/oauth2/v2/userinfo), , tokeninfo (https://www.googleapis.com/oauth2/v1/tokeninfo). Tokeninfo oauth, , ( ). ?
json (access_token, id_token, expires_in token_type), , , access_token ( , , expires_in ). id_token, ?
, Google ( developers.google.com) , - - , .
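The following is an added example, not the asker's code, showing the refresh-token handling raised in the first two points: the refresh_token is stored per application user (the user is identified at login through the Google ID returned by userinfo, so the row to refresh is known from then on), and a background refresh against Google's token endpoint is performed whenever the access token is about to expire, so the app's own session length is not tied to the 3600-second lifetime. The table `google_tokens`, the class and method names, and the client credentials are hypothetical; the demo at the bottom runs offline against SQLite with a constructed fake token endpoint.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code). Assumed schema:
//   google_tokens(user_id INTEGER PRIMARY KEY, access_token TEXT,
//                 refresh_token TEXT, expires_at INTEGER)
// The refresh token is a long-lived credential: treat it like a password
// (encrypt at rest, never log it, delete it when the user revokes access).
final class GoogleTokenStore
{
    private const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
    private const REFRESH_MARGIN = 60; // refresh when fewer than 60 s remain

    /** @var callable POSTs form fields to a URL and returns the decoded JSON */
    private $http;

    public function __construct(
        private PDO $db,
        private string $clientId,
        private string $clientSecret,
        ?callable $http = null
    ) {
        $this->http = $http ?? [$this, 'postForm'];
    }

    /** Store a token response. Google only returns refresh_token on the first
     *  grant (or when approval is forced), so never overwrite a stored one with null. */
    public function saveTokens(int $userId, array $tokenResponse): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO google_tokens (user_id, access_token, refresh_token, expires_at)
             VALUES (:uid, :at, :rt, :exp)
             ON CONFLICT(user_id) DO UPDATE SET
               access_token  = excluded.access_token,
               expires_at    = excluded.expires_at,
               refresh_token = COALESCE(excluded.refresh_token, google_tokens.refresh_token)'
        );
        $stmt->execute([
            ':uid' => $userId,
            ':at'  => $tokenResponse['access_token'],
            ':rt'  => $tokenResponse['refresh_token'] ?? null,
            ':exp' => time() + (int) $tokenResponse['expires_in'],
        ]);
    }

    /** Return an access token with at least REFRESH_MARGIN seconds left,
     *  refreshing it without user interaction when needed. */
    public function getValidAccessToken(int $userId): string
    {
        $stmt = $this->db->prepare(
            'SELECT access_token, refresh_token, expires_at FROM google_tokens WHERE user_id = :uid'
        );
        $stmt->execute([':uid' => $userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new RuntimeException("no Google tokens stored for user $userId");
        }
        if ((int) $row['expires_at'] - time() > self::REFRESH_MARGIN) {
            return $row['access_token'];
        }
        if (empty($row['refresh_token'])) {
            // Without a refresh token the only option is a new authorization round trip.
            throw new RuntimeException('access token expired and no refresh token stored');
        }
        $resp = ($this->http)(self::TOKEN_ENDPOINT, [
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'refresh_token' => $row['refresh_token'],
            'grant_type'    => 'refresh_token',
        ]);
        if (!isset($resp['access_token'], $resp['expires_in'])) {
            // e.g. {"error":"invalid_grant"} once the user has revoked access:
            // drop the dead credential and force a fresh login next time.
            $this->db->prepare('DELETE FROM google_tokens WHERE user_id = :uid')->execute([':uid' => $userId]);
            throw new RuntimeException('token refresh failed: ' . json_encode($resp));
        }
        $this->saveTokens($userId, $resp); // refresh responses carry no refresh_token; old one is kept
        return $resp['access_token'];
    }

    private function postForm(string $url, array $fields): array
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query($fields),
            CURLOPT_RETURNTRANSFER => true,
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
        return json_decode((string) $body, true) ?? [];
    }
}

// Offline demo with SQLite and a fake token endpoint (all values constructed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE google_tokens (user_id INTEGER PRIMARY KEY, access_token TEXT, refresh_token TEXT, expires_at INTEGER)');
$fakeGoogle = fn(string $url, array $f): array =>
    ['access_token' => 'ya29.NEW-' . $f['refresh_token'], 'expires_in' => 3600, 'token_type' => 'Bearer'];
$store = new GoogleTokenStore($db, 'CLIENT_ID_PLACEHOLDER', 'CLIENT_SECRET_PLACEHOLDER', $fakeGoogle);
$store->saveTokens(42, ['access_token' => 'ya29.OLD', 'refresh_token' => '1//rt-constructed', 'expires_in' => 30]);
echo $store->getValidAccessToken(42), PHP_EOL; // 30 s left is inside the margin, so a refresh happens
```

Calling `getValidAccessToken()` before every Google API request is what the playground's "auto-renew" checkbox does for you: the app session can run for as long as the user configured, and Google is only contacted again when the hour is nearly up. Revoked or otherwise unusable refresh tokens surface as an `invalid_grant` error, which is the one case that legitimately needs a new authorization prompt.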