K N

Reputation: 343

OpenID Connect - Do I need to verify the token at Google on every request the user makes to my server?

I have requested an access token from Google and would like to implement Express middleware that verifies the token on every request the users make to my server. Should my server verify the token at Google each time a user makes a request to my server? Or how should I go about verifying the token?

Thanks

Upvotes: 1

Views: 739

Answers (2)

Kavindu Dodanduwa

Reputation: 13067

Google has a good article regarding authentication with a backend. I welcome you to go through it and understand its suggestions.

According to this document, there are client libraries provided by Google to validate the ID Token. Also there is the option to use tokeninfo endpoint.

Once validated, you can create a cache or persist validated data for future usage. But this depends on the exact requirement.

If you can maintain a context per validated token, then you can create a session on top of the token validation. This session must have a validity correlated to the token validity. But if such a session is not possible, then you will require a token validation per request (indeed costly, but required by the context of usage).

In case you maintain a session, you can create an endpoint to listen to Google security events, which allows you to remove persisted data based on security threats. This is highlighted in the authentication with a backend article and can be accessed through this link.

Upvotes: 2

Ján Halaša

Reputation: 8431

The token verification is standardized by the OAuth 2.0 Token Introspection RFC. It states:

The (introspection) response MAY be cached by the protected resource to improve performance and reduce load on the introspection endpoint, but at the cost of liveness of the information used by the protected resource to make authorization decisions. See Section 4 (of the RFC) for more information regarding the trade off when the response is cached.

So unless it's in Google's terms of use, you don't have to verify it on each request. In fact, the token could be revoked between the check and the end of your request. So if you use a cache with a sensible (rather short) lifetime, it could improve the performance with a little risk of accepting an already revoked token.

Upvotes: 3
