I am integrating Google's login APIs on a website, and I need to place the user's details in our database to use them the next time they log in.
Google's developer documents clearly outline that developers should never store user IDs in a database; instead you should use token IDs generated by Google to auth the legitimacy of the user.
I completely agree with this, but a token's life cycle is only a short period of time. If we insert the token in our database, the next time the user logs in, the token will be different from the one in our database. So how do we auth users via token ID with Google Sign-In?
I've read all of Google's developer docs (https://developers.google.com/identity/sign-in/web/backend-auth) and there's nothing specifically explaining this, other than their process of authentication.
Could someone please help who may have had experience in this?
This is Google's warning:
Warning: Do not accept plain user IDs, such as those you can get with the GoogleSignInAccount.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.
Google's developer documents clearly outline that developers should never store user IDs in a database
No, they don’t.
They are telling you that your server should not trust user IDs sent to it directly by the client – because anyone could easily fake those.
Instead, you are supposed to send the token that you acquired on the client side to the server (those tokens can't be "guessed", therefore you cannot simply fake them) – and then you make a server-side API call using that token to get the user ID.