Sticky

Reputation: 3959

Which Google OAuth2.0 token do I use to uniquely identify a user and log them in

I'm trying to set up Google OAuth2.0 from this guide and I have everything set up and running. I can get the authorization code, the access_token, and the refresh_token to show up in my console.log calls. My question is which one of these tokens can I use to properly identify and log in a user to my backend?

In a normal scenario, a user would enter a username & password and that would uniquely identify them. However, in the Google OAuth2.0 case, it seems the authorization code, the access_token, and the refresh_token all cannot be used to properly identify and log someone in. Is this understanding correct?

I read a similar post but it doesn't seem to provide a very recent answer that also securely identifies the logged-in user.

If I cannot use any of the above mentioned tokens to securely identify and log in a user, is it even possible? How come I see other websites and apps use "sign in with Google" and "sign in with Facebook"?

Another solution I read in a different StackOverflow post said to just get the account ID and use that as an identifier. Isn't that insecure? Can't someone guess the account ID? Also this would be assuming these account IDs are private.

Upvotes: 2

Views: 929

Answers (1)

Linda Lawton - DaImTo

Reputation: 117146

My question is which one of these tokens can I use to properly identify and log in a user to my backend?

The ID token from OpenID Connect.

Explanation

You are confusing authorization and authentication.

OAuth2 allows a user to grant and authorize your application access to their data. The access token gives you access to their data for a limited time (1 hour). If the user is offline you can use the refresh token to request a new access token. None of these will tell you that a user is behind the calls.

OpenID Connect allows you to authenticate a user; logging in will return an ID token.

ID token verification

After you receive the ID token by HTTPS POST, you must verify the integrity of the token. See: Verify the integrity of the ID token.

Upvotes: 1
