How do I get a refreshed id token using the new system (GIS)?

I have a web app that uses Google sign-in and sends an id_token to my servers to use some GCP services. I was using GAPI signin2/auth2 in the following way:

  • gapi.client.init(API_KEY, OAUTH_CLIENT_ID, SCOPES), SCOPES just has userinfo.email and profile
  • get currentUser by gapi.auth2.getAuthInstance().currentUser.get() (if the user wasn't signed in, then render a sign-in button)
  • if currentUser.hasGrantedScopes(SCOPES):
    • then gapi.client.getToken() which would give me an { id_token, access_token }
  • I would then send the id_token to my servers to ensure the user has logged in and get their Google user id

On my NodeJS server, I would use OAuth2Client from google-auth-library:

  • create a new OAuth2Client instance using new OAuth2Client(OAUTH_CLIENT_ID)

  • when the client sends a request, extract the id_token from the credentials and call:

    oauthClient.verifyIdToken({ idToken: idToken, audience: OAUTH_CLIENT_ID, })

  • calling getPayload() on this result would give me the user's Google id which I could then use to store data keyed by it, etc.

  • when the server would find the id_token has expired, it would error as a result of verifyIdToken().

The client would catch the token expiry errors and issue a refresh by doing this:

  • authInstance.currentUser.get().reloadAuthResponse()
  • the response would have the new credentials ({id_token, access_token})
  • the client would re-issue the request to the server with the new creds

====

Ok, now Google has said they are deprecating signin2 for their new library (Google Identity Services) and said we should all migrate to it.

I've figured out how to do the client-side sign in and it's much easier and less code to do it - great!

This was simply:

  • call google.accounts.id.initialize({auto_select: true, client_id: CLIENT_ID, callback: creds => ....)
  • call google.accounts.id.prompt()
  • if prompt was never handled, in that callback, call google.accounts.id.renderButton()

What I can't figure out is how to handle things on the server side. How do I get a refreshed id token using the new system (GIS)? The migration guide says that reloadAuthResponse() should be removed, since

An ID token has replaced OAuth2 access tokens and scopes.

But the fact is, the ID token still expires at some point, won't it?

What am I doing wrong? How should I migrate my server code to use new id_token to verify the user's identity and extract it? Should I stop using OAuth2Client on the server and use some other library?

codedread
    Any luck with this? I have the same question "the ID token still expires at some point, won't it?" – Justin May 18 '22 at 03:57

1 Answer

The migration strategy is not clearly documented.

See this link (look for the OAuth 2.0 endpoints implementation); they have written an example app using the new OAuth 2.0 implementation (GIS).

Stephen Ostermiller
Amerrnath