I'm writing an Android app for voice chatting and decided to use Google Sign-In for simple user authentication with my backend server. However, I don't understand how the app should authenticate with my backend. When a user signs in using his Google account and I receive the ID token, I can send the ID token to the server, and the server verifies it. And what then? How do I authenticate the following requests, for example when the user sends/receives a voice message and the app needs to upload/download the message to/from the server? The server needs to know which user is making the request, but the ID token is inappropriate because it expires soon and its integrity verification is a complex and relatively long process.
Google Sign-In API: the following steps are involved. A decoded ID token payload looks like this:
{u'picture': u'https://lh3.googleusercontent.com/-RD4yn7rqIc8/AAAAAAAAAAI/AAAAAAAALQI/9Ab_kR3_CII/s96-c/photo.jpg',
 u'sub': u'10270538098780639-55',
 u'family_name': u'Dusad',
 u'iss': u'https://accounts.google.com',
 u'email_verified': True,
 u'name': u'Utsav Dusad',
 u'at_hash': u'BMjN0mWeOMqVVBhjW_W9A',
 u'given_name': u'Utsav',
 u'exp': 1484582338,
 u'azp': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com',
 u'iat': 1484578738,
 u'locale': u'en-GB',
 u'email': u'[email protected]',
 u'aud': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com'}
sub: Subject, i.e. the user ID. Don't use the email address as the primary key, as it may change; use the user ID.
An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.
For detailed information see here:
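The flow the answer describes, as an added example that is not part of the original post or answer: the backend checks the claims of the Google ID token once (issuer, audience, expiry, issued-at), keys the user record on `sub`, and then hands the app a short-lived, HMAC-signed session token of its own that the app sends with every later upload/download request. The RS256 signature check against Google's published certificates is left to Google's own verifier (in Python, `google.oauth2.id_token.verify_oauth2_token`, which also performs the claim checks below); this code makes those claim rules explicit and runs offline. `SAMPLE_PAYLOAD` is a constructed copy of the decoded token above with the redacted email replaced by a placeholder, `SESSION_KEY`, `AuthError` and all function names are assumptions of this example, and the session-token format is this example's own, not Google's.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Issuer values Google uses in ID tokens; both spellings are legitimate.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# OAuth client ID of the Android app: the aud/azp value in the payload above.
CLIENT_ID = "85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com"

# Constructed copy of the decoded payload shown above (times are Unix seconds).
SAMPLE_PAYLOAD = {
    "iss": "https://accounts.google.com",
    "sub": "10270538098780639-55",
    "aud": CLIENT_ID,
    "azp": CLIENT_ID,
    "iat": 1484578738,
    "exp": 1484582338,
    "email": "user@example.com",   # placeholder; the real value is redacted on the page
    "email_verified": True,
}

# Assumed server-side secret for session tokens. In production load it from
# configuration so it survives restarts and is shared by all backend instances.
SESSION_KEY = os.urandom(32)


class AuthError(Exception):
    """Raised for any token the backend must reject."""


def validate_google_claims(payload, client_id=CLIENT_ID, now=None, skew=60):
    """Claim checks for an ID token whose signature has already been verified
    against Google's certificates. Returns the stable user identifier (sub)."""
    now = time.time() if now is None else now
    if payload.get("iss") not in GOOGLE_ISSUERS:
        raise AuthError("unexpected issuer")
    if payload.get("aud") != client_id:          # token was minted for another app
        raise AuthError("audience mismatch")
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or now > exp + skew:
        raise AuthError("ID token expired")
    if not isinstance(iat, int) or iat > now + skew:
        raise AuthError("ID token issued in the future")
    sub = payload.get("sub")
    if not sub:
        raise AuthError("missing sub")
    return sub                                   # key the user record on this, never on email


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(sub, now=None, ttl=3600, key=SESSION_KEY):
    """Mint the backend's own bearer token: base64url(body).base64url(HMAC-SHA256(body))."""
    now = int(time.time()) if now is None else int(now)
    body = json.dumps({"sub": sub, "iat": now, "exp": now + ttl},
                      separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify_session_token(token, now=None, key=SESSION_KEY):
    """Check a session token sent with a later request; returns the user's sub."""
    now = time.time() if now is None else now
    try:
        body_part, tag_part = token.split(".")
        body, tag = b64url_decode(body_part), b64url_decode(tag_part)
    except (ValueError, binascii.Error):
        raise AuthError("malformed session token")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise AuthError("bad session token signature")
    claims = json.loads(body)
    if now > claims["exp"]:
        raise AuthError("session expired")
    return claims["sub"]


def sign_in(payload, now=None):
    """One-time sign-in handler: validate Google's claims, return a session token."""
    return issue_session_token(validate_google_claims(payload, now=now), now=now)


def rejected(fn, *args, **kwargs):
    """True if fn raises AuthError for these arguments (used to check failure paths)."""
    try:
        fn(*args, **kwargs)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    token = sign_in(SAMPLE_PAYLOAD, now=1484580000)
    print("session token:", token)
    print("request by sub:", verify_session_token(token, now=1484580100))
```

The app sends the Google ID token exactly once, at sign-in, and the session token (in an Authorization header) on every voice-message upload or download; the server only recomputes one HMAC per request instead of re-validating a Google token. Keep the session TTL short and let the app sign in again (silently, with Google's cached credentials) when it gets a rejection.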