
Google oauth 2.0 - do i need refresh token?

On my webpage I have a simple login system (PHP). You provide mail and password, the system creates a _SESSION and you are logged in.

I want to add an option for login with Google OAuth 2.0.

I created index.php file:

<?php
require_once("vendor/autoload.php");
$client = new Google_Client();
$client->setAuthConfig('client_secret.json'); // assumed: the OAuth client credentials file downloaded from the Google console
$client->addScope(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile'));
$redirect_uri = '/login.php'; // must exactly match a redirect URI registered for the client (Google expects an absolute URL)
$client->setRedirectUri($redirect_uri);
?>
<a href="<?=$client->createAuthUrl()?>">LOGIN WITH GOOGLE</a>

The user will click on the link and, after choosing a Google account, is redirected to:

login.php file:

<?php
require_once("vendor/autoload.php");
session_start();
$client = new Google_Client();
$client->setAuthConfig('client_secret.json'); // assumed: same client configuration as in index.php
$client->setRedirectUri('/login.php');

if(isset($_GET['code'])) {
    try {
        // exchanges the code and, on success, also calls setAccessToken() on the client
        $token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
    }catch (Exception $e){
        //redirect to login.php - invalid login
        exit();
    }

    try {
        // verifies the id_token from the token set above; returns false when the token does not verify
        $pay_load = $client->verifyIdToken();
    }catch (Exception $e) {
        //redirect to login.php - invalid login
        exit();
    }
    if ($pay_load === false || empty($pay_load['email_verified'])) {
        //redirect to login.php - invalid login
        exit();
    }
    //NOW I KNOW USER IS VALID,
    //create my own _SESSION and redirect to index.php as logged user (I will use mail and name of user from Google).
    //I am managing _SESSION so if user logs out I will just destroy session, or it will be destroyed after few minutes of inactivity
    session_regenerate_id(true);
    $_SESSION['user_email'] = $pay_load['email'];
    $_SESSION['user_name'] = $pay_load['name'];
    header('Location: index.php');
    exit();
}

Is this approach good?

Do I need to use

setAccessToken($token);
verifyIdToken();

Thank you for your answer.

I think you are misunderstanding the difference between authorization and authentication.

OAuth2 grants you authorization to access a user's data; this is denoted by an access token and a refresh token. Refresh tokens allow you to access a user's data when the user is offline by requesting a new access token. Using OAuth2 does not guarantee that there is a user behind the calls being made.

OpenID Connect authenticates that this is the user: a user logging in and authenticating using a login and password or Google login. This is denoted by an ID token. There will always be an actual user behind a login to OpenID Connect.

On my webpage I have a simple login system (PHP). You provide mail and password, the system creates a _SESSION and you are logged in.

If you are working with a login system then you should be using OpenID Connect, which does not really need a refresh token to access the user data when the user is offline. The user will always be present in a login system.

If the main question here is, "will I need the refresh token?" the answer to that is... the access token will expire. Once it expires you will have two options:

  1. Put the user through the login process again.
  2. Use the refresh token to get a new access token.

The sole purpose of refresh tokens is to obtain fresh access tokens after expiry, without having to redirect a user to Google and back again. If you don't mind doing that, or if you only need access to their accounts for a short time, you will not really need to use the refresh token.
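The two options above in working PHP, as an added example that is not part of either answer or of the question's code. It uses the same Google API client as the question and assumes a 'client_secret.json' credentials file, a registered redirect URI, and that the token array returned by fetchAccessTokenWithAuthCode() was stored in the session under 'google_token'.

```php
<?php
// Added example: handling access-token expiry with and without a refresh token.
// Assumes client_secret.json (OAuth client credentials) and a registered redirect URI.
require_once 'vendor/autoload.php';
session_start();

$client = new Google_Client();
$client->setAuthConfig('client_secret.json');
$client->setRedirectUri('https://example.com/login.php'); // placeholder: must match the registered URI
$client->addScope(['openid', 'email', 'profile']);

// Login-only (OpenID Connect) use needs no refresh token, so the default 'online'
// access type is enough. Only request 'offline' when the app must call Google APIs
// while the user is away; that is what makes Google issue a refresh token at all.
$needOfflineAccess = false;
if ($needOfflineAccess) {
    $client->setAccessType('offline');
    $client->setPrompt('consent'); // a refresh token is only returned on a consenting grant
}

if (!empty($_SESSION['google_token'])) {
    $client->setAccessToken($_SESSION['google_token']);
}

if (!$client->getAccessToken() || $client->isAccessTokenExpired()) {
    if ($client->getRefreshToken()) {
        // Option 2: mint a new access token from the stored refresh token, no redirect.
        // The client keeps the existing refresh_token in the merged token array.
        $client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
        $_SESSION['google_token'] = $client->getAccessToken();
    } else {
        // Option 1: send the user back through Google's login; a new code arrives at login.php.
        // The state value ties the callback to this browser session; login.php must compare it.
        $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
        $client->setState($_SESSION['oauth_state']);
        header('Location: ' . $client->createAuthUrl());
        exit();
    }
}

// From here the client holds a valid access token. For a pure login system the
// verified ID token payload ($client->verifyIdToken()) is all the app needs.
```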
