Why replace GITkit.idToken with a session token?

GitkitDemo on github says

Now use idToken to create a session for your user. To do this, you must exchange idToken for a session token or cookie from your server. Lastly, save your session token or cookie to support your user session.

In the sample code from the answer to the question Checking the OAuth2 token received on the Android device using the Google Identity Toolkit (GitkitClient) on a third-party backend (python custom backend, non-gae)? checking the backend server token for the token received via Android seems sufficient to ensure that there is a valid secure token that can be added to the headers of Android clients during any subsequent communication with the backend.

So why is there a recommendation that you should exchange the idToken for either a session token or a cookie from your server?

Is this related to idToken size (almost 1KB, IIRC)?

What are the recommendations (the easiest and safest way) to create such a session token?

Are there any other arguments against using idToken as a non-size session token?

Can a session token be the first part ("token") of idToken ( idToken.split(".")[0] in Python)? Or the payload ( idToken.split(".")[1] )? Or perhaps a SHA1 of idToken? EDIT: Well, I understand that using a JWT header would be stupid, but the payload has at least a couple of variables ( iat and exp and maybe also user_id ), but the signature?

The token / cookie created by gitkit.js ("gtoken") is idToken itself; should it be replaced by a session token?

+4
1 answer

There are several reasons why it is recommended that you use your own session token / cookie:

1) Most existing web server frameworks have their own session management mechanism (cookie generation with expiration time, etc.). The general approach is to create a random string as a session identifier and map server-side user state to that identifier. The server then instructs the browser to set a session identifier cookie. There is no need to replace this mechanism, and sometimes it is very difficult to do so.

2) As you already mentioned, an IdToken is much larger than a regular session cookie.

3) Currently, a Google Identity Toolkit IdToken expires in two weeks.

Beyond these considerations, the IdToken itself is fairly secure as a session token. Make sure that you do not use any part of the IdToken as a session cookie, as attackers can easily forge one.

If your server issues its own session cookie, you must delete gtoken after the user session ends, so that the state of the login button in gitkit.js will be synchronized with your server.

+2
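The two points the answer makes, that the server should issue its own random session identifier after verifying the idToken, and that no single segment of the idToken is safe to use as a session cookie, can be shown together in a few lines. The following is an added example, not code from the question, the answer, or the Google Identity Toolkit. It assumes a toy HS256-signed JWT with a shared key as a stand-in for a real Gitkit idToken (which is RS256-signed and verified against Google's published public keys); the key, the claims, the user names and the one-hour session TTL are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed values for the demo; a real deployment verifies the idToken
# against Google's public keys and picks its own session lifetime.
KEY = b"constructed-demo-key"
SESSION_TTL = 3600  # seconds

# Server-side session store: opaque random id -> user_id and expiry.
_sessions: dict = {}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header_seg = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_seg = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return the claims only if the signature is valid and the token is unexpired."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header_seg)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        return None
    claims = json.loads(_b64url_decode(payload_seg))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def payload_only_user(token: str) -> Optional[str]:
    """What a server sees if it trusts idToken.split('.')[1] alone: base64 JSON, no signature."""
    return json.loads(_b64url_decode(token.split(".")[1])).get("user_id")


def rebuild_with_claims(token: str, new_claims: dict) -> str:
    """Same header and signature, different payload: what the answer warns is trivial to produce."""
    header_seg, _, sig_seg = token.split(".")
    return f"{header_seg}.{_b64url_encode(json.dumps(new_claims, separators=(',', ':')).encode())}.{sig_seg}"


def create_session(user_id: str, now: float) -> str:
    """Issue an opaque random session id and remember who it belongs to server-side."""
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return session_id


def lookup_session(session_id: str, now: float) -> Optional[str]:
    """Map a presented session id back to a user, dropping it once it has expired."""
    entry = _sessions.get(session_id)
    if entry is None:
        return None
    if entry["expires"] <= now:
        del _sessions[session_id]
        return None
    return entry["user_id"]


def end_session(session_id: str) -> None:
    """Server-side logout; the client must also clear its gtoken cookie, as the answer notes."""
    _sessions.pop(session_id, None)


def login_with_id_token(token: str, key: bytes, now: float) -> Optional[str]:
    """Exchange a verified idToken for a server session id, or refuse."""
    claims = verify_hs256(token, key, now)
    if claims is None:
        return None
    return create_session(claims["user_id"], now)


if __name__ == "__main__":
    now = 1_700_000_000.0
    valid = make_hs256({"user_id": "alice", "iat": now - 10, "exp": now + 3600}, KEY)
    sid = login_with_id_token(valid, KEY, now)
    print("session for:", lookup_session(sid, now + 10))
    forged = rebuild_with_claims(valid, {"user_id": "bob", "iat": now - 10, "exp": now + 3600})
    print("payload-only trust says:", payload_only_user(forged), "| verified:", verify_hs256(forged, KEY, now))
```

The session id carries no user data; the mapping lives on the server, so it can be as short as a random 32-byte string and can be revoked at any time, which addresses points 1 and 2 of the answer. The `payload_only_user` and `rebuild_with_claims` pair shows why the payload segment on its own proves nothing: only the signature check ties the claims to the issuer.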
