Bhanuka Yd

Reputation: 665

Do I have to verify Google tokenID on every request?

I am implementing a sign in with Google feature for a website. I have managed to log the user in with the Google JavaScript API. It is stated by Google that once we get the tokenID, we have to verify it in the backend server, in order to verify that the current signed in user is valid.

https://developers.google.com/identity/sign-in/web/backend-auth

I have managed to implement the server side verification. The doubt that I have is: do I have to verify the tokenID in the back end for every request by the user, or should I validate it for every action by the user? Or is there another approach to this?

Can someone point me in the correct path? Thanks

Upvotes: 3

Views: 453

Answers (1)

agektmr

Reputation: 2234

Unless the server creates sessions, you don't need to send or verify id_token. If you do need sessions, do send id_token to the server and verify it. For example, when you want to personalize a user and save his/her data on a server, please send and verify id_token.

Verifying id_token is needed only once, when the session is created. id_token is proof that Google has authenticated the user, which you can trust as long as it is properly verified. Once the session expires, you should verify id_token again since id_token has an expiration date/time.

Upvotes: 4
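
The pattern described in the answer above, as an added example that is not part of the original answer: the ID token is verified once in `login`, and every later request only looks up the server-side session. `SessionStore`, `SESSION_TTL` and the injected `verify_id_token` callable are hypothetical names; in a real backend that callable would wrap Google's token verification library, which checks the signature and expiry.

```python
import secrets
import time

SESSION_TTL = 3600  # assumed session lifetime in seconds
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


class SessionStore:
    """Verify a Google ID token once at login, then rely on the server session."""

    def __init__(self, verify_id_token, client_id, now=time.time):
        # verify_id_token(token) is an injected callable (assumption): it must
        # validate signature and expiry and return the token's claims as a dict.
        self._verify = verify_id_token
        self._client_id = client_id
        self._now = now
        self._sessions = {}  # session id -> (Google user id, expires_at)

    def login(self, token):
        claims = self._verify(token)  # the only place the ID token is checked
        if claims.get("aud") != self._client_id:
            raise ValueError("token was issued for a different client")
        if claims.get("iss") not in GOOGLE_ISSUERS:
            raise ValueError("unexpected issuer")
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = (claims["sub"], self._now() + SESSION_TTL)
        return sid

    def user_for(self, sid):
        """Run on every request: session lookup only, no token verification."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[sid]  # expired: client must send a fresh ID token
            return None
        return user
```

The session id returned by `login` would normally be delivered to the browser in a cookie marked `Secure` and `HttpOnly`.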
