I'm reading the docs about Google OAuth2 sign-in.
Here's the confusing part:
var profile = googleUser.getBasicProfile();
console.log("ID: " + profile.getId()); // Don't send this directly to your server!
console.log('Full Name: ' + profile.getName());
What's stored in profile.getId and what happens if I send it?
What is stored in id_token instead? I would like to have explanations instead of recommendations in comments.
// The ID token you need to pass to your backend:
var id_token = googleUser.getAuthResponse().id_token;
Bonus question: does Google return the same id_token every time I log in using the same account?
The profile ID is a static string representing the user. If you use it by itself to sign the user in on your server and issue a cookie or session, then if an attacker learns the user's ID, they could forge a sign-in request to your server and impersonate the user, stealing their data or making transactions on their behalf.
On the other hand, the ID token is a cryptographically signed JSON Web Token. By validating the token as described in the documentation, you can be sure that it came from Google and was issued to your legitimate client application. An ID token expires after an hour, and the new one will be different.
The documentation does have a general explanation of these security concepts; check out the video for an explanation of ID tokens.
https://developers.google.com/identity/sign-in/web/backend-auth