I'm integrating Google Sign-In 2 into my website and I have been following the reference and this instruction.
I'm new to OAuth2 and am trying to figure out which steps of the authorization code flow this Google API is following?
The response returned by Google contains an id_token and an access_token, along with other info about the Google user. Am I right that the id_token is the authorization code specified by the standard? What is the role of access_token here?
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
According to the standard my app should request an access_token from Google with the authorization_code. But the backend-auth instruction doesn't say anything about requesting an access_token, just verifying the id_token either in your app or via another Google service. Is gsignin-2 not the authorization code flow at all (implicit)?
If my app just needs Google sign-in so users don't have to register their own email+password, i.e. I'm not requesting any resources from Google outside the browser, which flow should I choose?
The flow I'm following so far is the Implicit grant flow; actually the access_token returned by Google is empty.
On the server side I have to verify the id_token each time, using the JavaScript version of google-client-api. Since I have to deal with the hassle of verifying the id_token for each request on the server, I'm thinking maybe I should use the authorization code flow instead.