Google+ sign-in: authenticating session users

I have a question about integrating the Google+ sign-in button into a website.

My first question is: how long is the Google access token obtained in signinCallback valid? Is this expiry flexible? Can I use it multiple times to pull user information from Google before it expires?

My other question is: how should I maintain the session during sign-in? I have already thought of the following ways:

  1. Using our own session: get the user authenticated by Google, then, in the sign-in callback, set custom application cookies to validate further calls. PROBLEM: if the user signs out from another Google service like Gmail, my session is not terminated.
  2. Use the Google access token as the session key: authenticate the Google access token every time any PHP page is requested. PROBLEM: I have to make one extra HTTP request to the Google API to authenticate every PHP call. It will make my application a bit slow.
  3. Leverage signinCallback on the client side in every PHP page: in the signinCallback function, if the user is invalid, deny him access to the page. PROBLEM: not 100% secure. The user can modify my signinCallback on the client side and bypass the Google session validation. Then he can enjoy the session even after signing out from Google.

Is there another right and more secure way? Note that my website is a simplistic HTML 4.0 website which performs almost every operation on the server side. There is almost no JavaScript, and user I/O is performed by forms. So server-side techniques are more appreciated :)

user3201220 Avatar asked Apr 30 '14 12:04

1 Answer

how long is google access token obtained in signinCallback valid?

3600 seconds (1 hour)

Is this expiry flexible?

No. The access token will always expire after an hour. However, you can use a refresh token to replace the expired access token with a fresh token. To do this, you must request offline access on the sign-in button, send the one-time authorization code to your server, and exchange the auth code for an access token and refresh token.

Can I use it multiple times to pull out user information from google before expiry?

Unless the user disconnects from your app, you will be able to get fresh access tokens and make your API calls.

how should I maintain session during sign-in?

Use your own site's session to maintain user state for your site. It sounds like you already have sessions working on your site; if the session is present and contains whatever authorization keys are required for your site, the user should be authorized.

Use google access token as session key:

Please don't do this; you need to protect your users' access tokens. One thing you can do that is marginally safer is to pass the access token from the sign-in callback and then verify on your server that it corresponds to the session-cached user.

A better way

Here's really what you should be doing. Use the sign-in button callback to determine that the user is not signed in and invalidate any sessions when they are not. Pass an ID token or one-time authorization code from the callback to your server to authenticate your user. The following code shows your average sign-in callback with the error conditions called out:

function onSignInCallback(authResult) {
  if (authResult['access_token']) {
    // User is signed in.
  } else if (authResult['error']) {
    // There was an error, which means the user is not signed in.
    // As an example, you can handle by writing to the console:
    console.log('not signed in, invalidating session');
  }
  console.log('authResult', authResult);
}

As you're aware, the authResult object contains members access_token and id_token. Sending these tokens to the OAuth.v2.verifytoken endpoint will check the token certificate is valid and the token has not expired. Verifytoken will also return to you a unique identifier for the user that you can use to verify that the user is not using the incorrect session.

The Google+ PHP Quickstart shows you how to send the authorization code to your server, accept and exchange the code, verify the token, and so on in PHP.

So, again, what you should be doing is:

  1. Pass an OAuth 2 credential to your server on client authentication
  2. Verify the credential on your server and disconnect the user session if it fails
  3. Rely on your site session once the user has been authenticated
  4. If you want to sign the user out whenever they sign out of Google, retrieve an OAuth 2 credential on every page load and pass the token (ID/access/one time code) on each request and verify it.
class Avatar answered Oct 02 '22 23:10

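The following is an added example, not code from the question or the answer, showing the server-side half of the four steps above: the claim checks a server must perform on a verified ID token payload and how the Google user id (`sub`) is bound to the site session so that a failed check, an expired token or a token for a different account drops the session. It is written in JavaScript because the answer's own callback is JavaScript; the asker's PHP backend would apply the same logic. It assumes the token signature has already been checked (for example via the verifytoken endpoint the answer mentions); `EXPECTED_AUDIENCE` and all payloads are constructed placeholder values.

```javascript
// Added example: session binding for a Google ID token payload whose
// signature has already been verified. Values below are constructed.
const EXPECTED_AUDIENCE = 'example-client-id.apps.googleusercontent.com'; // placeholder
const GOOGLE_ISSUERS = new Set(['accounts.google.com', 'https://accounts.google.com']);

// Validate the claims the server must check itself even after signature
// verification: issuer, audience (token issued for this app), expiry, subject.
function checkIdTokenClaims(payload, nowSeconds) {
  if (!GOOGLE_ISSUERS.has(payload.iss)) return { ok: false, reason: 'bad issuer' };
  if (payload.aud !== EXPECTED_AUDIENCE) return { ok: false, reason: 'token not issued for this app' };
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  if (!payload.sub) return { ok: false, reason: 'missing subject' };
  return { ok: true, sub: payload.sub };
}

// Steps 2-4 of the answer: on login, bind the verified sub to a fresh session;
// on later requests (re-verification per page load), a failed check or a sub
// that differs from the session's user invalidates the session.
function applyToSession(session, payload, nowSeconds) {
  const result = checkIdTokenClaims(payload, nowSeconds);
  if (!result.ok) {
    return { session: null, status: 'signed-out', reason: result.reason };
  }
  if (session && session.googleSub && session.googleSub !== result.sub) {
    // The token belongs to a different Google account than the one this
    // session was created for: never silently re-point the session.
    return { session: null, status: 'signed-out', reason: 'subject mismatch' };
  }
  const kept = session && session.googleSub === result.sub ? session
                                                           : { googleSub: result.sub, createdAt: nowSeconds };
  return { session: kept, status: 'signed-in' };
}

// Constructed sample payload (not a real token). The 3600 s lifetime mirrors
// the one-hour expiry quoted in the answer.
const NOW = 1400000000;
const goodPayload = { iss: 'accounts.google.com', aud: EXPECTED_AUDIENCE, sub: '1234567890', exp: NOW + 3600 };

function demo() {
  const login = applyToSession(null, goodPayload, NOW);
  const laterExpired = applyToSession(login.session, goodPayload, NOW + 3601);
  return { login: login.status, laterExpired: laterExpired.status };
}
```

Running `demo()` shows a sign-in followed by a forced sign-out once the token has passed its one-hour lifetime, which is exactly the "verify on every page load" behaviour of step 4.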