
I am successfully creating and using a JSON Web Token based on the documentation available at https://developers.google.com/identity/gsi/web/guides/overview.

```html
<html>
    <head>
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body>
        <script src="https://accounts.google.com/gsi/client" async defer></script>
        <div id="g_id_onload"
            data-client_id="myclientid"
            data-login_uri="mysiteurl"
            data-auto_select="true">
        </div>
        <div class="g_id_signin"
            data-type="filled_blue"
            data-size="large"
            data-theme="outline"
            data-text="sign_in_with"
            data-shape="pill"
            data-logo_alignment="left">
        </div>
    </body>
</html>
```

For each call from the web client to a cloud function, I am using this Go code to confirm the token is still valid:

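```go
import "google.golang.org/api/idtoken" // also needs "context", "net/http", "os"

func ListItems(w http.ResponseWriter, r *http.Request) {
	var googleClientId = os.Getenv("GOOGLE_CLIENTID") // expected audience
	r.ParseForm()
	token := r.Form.Get("credential") // ID token posted by the GSI client
	// Validate checks the signature, expiry and audience of the ID token.
	payload, err := idtoken.Validate(context.Background(), token, googleClientId)
	// ... (the rest of the handler is not shown in the post)
}
```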

However, the id token expires after 1 hour (3600 seconds) and there seems to be no way to create it with a longer duration.

I want the user authentication to have a duration of 8 hours. What is the best way to continue the session for the user without making them authenticate again?

Note: This documentation (https://cloud.google.com/docs/authentication/token-types#refresh) states "When your application first authenticates, it receives an access token or ID token, as well as a refresh token". Does the GSI approach actually generate a refresh token? If so, how do I get the refresh token in the cloud function?

  • I believe Google hasn't done a good job documenting the workflow for refreshing tokens since this issue still exists: https://github.com/google/google-api-javascript-client/issues/645. – Mit94 May 29 '23 at 14:47
  • Have you also checked this documentation on [access token lifetime](https://cloud.google.com/docs/authentication/token-types#at-lifetime) wherein you can generate an access token for a service account with a lifetime of up to 12 hours? – Robert G May 29 '23 at 17:45
  • The refresh token is provided to the authorization redirect URL when `offline` access is requested. Your post does not show the code you are using to authenticate users or generate a JSON web token. – John Hanley May 29 '23 at 18:14
  • @JohnHanley Code added to authenticate users and generate the JWT. – Tom Scheifler May 30 '23 at 15:17
  • @RobertG Thanks, yes. That documentation seems to be separate from the GIS feature. It seems I would have to replace the GIS approach I have working with the Oauth2 approach. I'd rather not but will if I must. – Tom Scheifler May 30 '23 at 15:23
  • @TomScheifler, you may also check this [SO link](https://stackoverflow.com/questions/72418822/google-identity-services-how-to-refresh-access-token-for-google-api-after-one) as this may be related to your question. – Robert G May 30 '23 at 16:55
  • If you are performing user auth in the browser, the token will expire in 3,600 seconds. It is up to your code to keep track of token expiration and reauthenticate the user. If you want to use Refresh tokens to extend authorization time, then you must implement authorization in your backend (three-legged OAuth). – John Hanley May 30 '23 at 17:24
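
The expiry tracking that the last comment describes, as an added example that is not part of the original thread: it reads the `exp` claim of an ID token and reports when the user has to be sent back through sign-in. `Remaining`, `NeedsReauth` and `constructedToken` are names assumed here, the sample token is constructed, and the signature is not checked, so on the server this belongs after `idtoken.Validate` has accepted the token.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Remaining reads the exp claim of an ID token and returns the time left at now.
// It does NOT verify the signature; use it only for expiry bookkeeping.
func Remaining(token string, now time.Time) (time.Duration, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return 0, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct{ Exp *int64 `json:"exp"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return 0, fmt.Errorf("payload is not JSON: %w", err)
	}
	if claims.Exp == nil {
		return 0, fmt.Errorf("token has no exp claim")
	}
	return time.Unix(*claims.Exp, 0).Sub(now), nil
}

// NeedsReauth is true when the token is malformed, expired, or expires within margin.
func NeedsReauth(token string, now time.Time, margin time.Duration) bool {
	left, err := Remaining(token, now)
	return err != nil || left <= margin
}

// constructedToken builds an unsigned sample token (constructed for this example).
func constructedToken(exp int64) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload := fmt.Sprintf(`{"iss":"https://accounts.google.com","exp":%d}`, exp)
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(payload)) + ".sig"
}

func main() {
	tok := constructedToken(1700000000 + 3600) // one-hour lifetime, as in the question
	now := time.Unix(1700000000, 0).Add(58 * time.Minute)
	fmt.Println(NeedsReauth(tok, now, 5*time.Minute))
}
```

The margin lets the caller prompt for sign-in shortly before the 3,600-second lifetime runs out instead of failing on the next request.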

0 Answers