Google Sign-In authentication

I want to integrate Google Sign-In into my Android app, but there's a little bit of confusion. When I receive the ID token from GoogleSignInAccount, should I store it on the device and send it to the server with every request as an authentication token? Or is there some other preferred way, i.e., I send the ID token once, then generate some other authentication token on my server, send it to the device, store it on the device and use that as an authentication token? I'm asking because sending the ID token every time is expensive, because it's a pretty long string and its integrity verification on the server side is also time-consuming.

You should not be sending the authentication token to the server. Why? Because the authentication token is short-lived and after a while the validation with Google will fail when the token expires. The problem is that Google doesn't give any documentation for a refresh token which can be used to regenerate the authentication token.

So suppose you are storing some token on server cache, Firebase Auth helps verify the token ID and regenerate using a refresh token under the hood. Plus, on the client, you would now be required to send the result from the FirebaseAuth.getInstance().getCurrentUser().getToken() task to your server. This token, or another token generated using this, can be safely cached.

I got why Firebase Auth here and how Firebase Auth here.
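The exchange the question asks about (and the answer's "another token generated using this"), as an added example that is not part of the original posts: the server verifies the ID token once, then issues its own short HMAC-signed session token that is cheap to check on later requests. `fake_verifier`, `CLIENT_ID`, `SESSION_TTL` and the session token format are assumptions made for illustration; a real server would plug an actual ID token verifier into `exchange_id_token`.

```python
import base64, hashlib, hmac, json, secrets, time

SESSION_KEY = secrets.token_bytes(32)  # assumption: kept in a secret store in practice
SESSION_TTL = 3600                     # hypothetical session lifetime in seconds
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # constructed placeholder


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(body: str) -> str:
    return _b64(hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest())


def exchange_id_token(id_token, verify_id_token, now=None):
    """Verify the ID token once, then mint a short server session token."""
    now = int(time.time()) if now is None else now
    claims = verify_id_token(id_token)  # the real verifier checks the signature
    if claims is None:
        raise ValueError("ID token rejected")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for another client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    payload = {"sub": claims["sub"], "exp": now + SESSION_TTL}
    body = _b64(json.dumps(payload).encode())
    return f"{body}.{_sign(body)}"


def verify_session(token, now=None):
    """Return the user id for a valid, unexpired session token, else None."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    # Constant-time comparison; the body is only parsed after the MAC checks out.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return payload["sub"] if payload["exp"] > now else None


# Constructed stand-in for a real ID token verifier (no network, no signature check).
def fake_verifier(id_token):
    if id_token == "constructed-id-token":
        return {"sub": "user-123", "aud": CLIENT_ID, "exp": 2_000}
    return None
```

When the session token expires, the client obtains a fresh ID token and repeats the exchange.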
