Verifying token id in 'sign in with google' on my website


I wish to implement 'sign in with google' on my website. OpenID Connect recommends using Google Sign-In, their sign-in client library. However, on Google Sign-In's page

https://developers.google.com/identity/sign-in/web/backend-auth

in the Section

"Calling the tokeninfo endpoint"

it is mentioned

"The easiest way to validate an ID token is to use the tokeninfo endpoint. Calling this endpoint involves an additional network request that does most of the validation for you, but introduces some latency and the potential for network errors. For these reasons, it is suitable only for deployments with fewer than 100 monthly active users, as well as for debugging and informational purposes."

The website I am working on expects 10,000+ monthly active users. So how can I implement a protocol to identify tokens from Google Sign-In for my website?


As you've determined, token verification can be performed offline using client libraries for OAuth v2 or using a single API call to Google's servers. Because the offline clients are programming language-specific, you need to find a client/example for the particular language you're using. A few examples of token verification from the Google+ GitHub page:

Alternatively, you can use the tokeninfo endpoint through the client library or directly against the Google API endpoint, as demonstrated in the Google API Explorer here. A curl example using an ID token:

curl https://www.googleapis.com/oauth2/v2/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjkyNGE0NjA2NDgxM2I5YTA5ZmFjZGJiNzYwZGI5OTMwMWU0ZjBkZjAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTcwOTc3MjI2ODMwNTc3MjMwIiwiYXpwIjoiMzY0MzgxNDQxMzEwLXRuOGw2ZnY2OWdnOGY3a3VjanJhYTFyZWpmaXRxbGpuLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXRfaGFzaCI6IlAzLU1HZTdocWZhUkZ5Si1qcWRidHciLCJhdWQiOiIzNjQzODE0NDEzMTAtdG44bDZmdjY5Z2c4ZjdrdWNqcmFhMXJlamZpdHFsam4uYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJjd3hsdXBUSkc4N2FnbU1pb0tSYUV3IiwiaWF0IjoxNDM0NDcyODc2LCJleHAiOjE0MzQ0NzY0NzZ9.Gz_WljZOV9NphDdClakLstutEKk65PNpEof7mxM2j-AOfVwh-SS0L5uxIaknFOk4-nDGmip42vrPYgNvbQWKZY63XuCs94YQgVVmTNCTJnao1IavtrhYvpDqGuGKdEB3Wemg5sS81pEthdvHwyxfwLPYukIhT8-u4ESfbFacsRtR77QRIOk-iLJAVYWTROJ05Gpa-EkTunEBVmZyYetbMfSoYkbwFKxYOlHLY-ENz_XfHTGhYhb-GyGrrw0r4FyHb81IWJ6Jf-7w6y3RiUJik7kYRkvnFouXUFSm8GBwxsioi9AAkavUWUk27s15Kcv-_hkPXzVrW5SvR1zoTI_IMw

As mentioned in the documentation, the network call does introduce some latency and if you are verifying tokens on every request (e.g. using the ID token as a bearer token) then it's preferable to verify tokens offline using a library for your preferred language.