I'm yet again starting a side project in which I want to include logging in with Google. I discovered the new recommended flow with GIS, One Tap, and FedCM. I want to use this exclusively for now with a focus on FedCM.
In short, my code in the browser is only:
window.onload = function () {
  google.accounts.id.initialize({
    client_id: 'myappclientid.apps.googleusercontent.com',
    callback: (identityCredentials) => {
      // identityCredentials.credential holds the Google ID token (a JWT)
      console.log("callback!!", identityCredentials)
    }
  });
  google.accounts.id.prompt(); // displays the One Tap / FedCM prompt
}
With this, everything works well, identityCredentials being a valid JWT token for 3600 seconds.
I am not asking an advanced question; since this is very new to me, I do not know yet what the state-of-the-art authentication practices are.
I want to acquire a refresh token, or any token that would allow me to keep the end-user logged in across an extended period of time. My application uses Google for authentication only, it does not use any other Google services.
What would be the practical use for this identityCredential? Put it in localStorage? In a cookie? Send it to my RP backend to verify, and return with another token?
Client side, is it as safe as an HttpOnly cookie? Can you resume a session (and/or indicate to the User Agent that the user is logged in)? How do you log a user out (like in the previous Google client lib)?
Backend side, is there a backend Google library I should use to authenticate my user?
This is a simple question, however since this concept seems relatively new, I am sure other people with the same questions will follow.
I would appreciate brief pseudo-code and concept explanation answers. Thank you.
I'm just learning/evaluating FedCM also since Google suggests it for any new web app.
3600 sec = 1 hour. That seems long enough for any web authentication session that I can think of. So my question to you is why are you trying to keep the user logged in?
You said "any token that would allow me to keep the end-user logged in across an extended period of time". I say that login is so seamless and unobtrusive with FedCM that there's no reason to keep the user logged in.
As for "keeping identityCredentials", I assume that this user is now a known user in your app and that you set up that user (if new) or look up that user (if returning) on your backend, including some or all of the info in the identityCredentials struct. Yes? I don't see the sense in keeping it in a cookie or local storage.
Perhaps you can elaborate on your scenario. From my point of view, FedCM allows me to authenticate a user and get info about that user, and avoids me having to implement authentication in my web app.