
How to refresh Google "accessToken" using "refreshToken" on the client


I have a React Native app that is using Expo.Google.logInAsync to log in via Google. This returns an accessToken (expires after 1 hour) and a refreshToken.

I'm passing this accessToken to the Firebase Web SDK:

const cred = firebase.auth.GoogleAuthProvider.credential(null, accessToken);
await firebase.auth().signInWithCredential(cred).catch(console.error);
const idToken = await firebase.auth().currentUser.getIdToken(true).catch(console.error);

How should I be using this Google refreshToken to keep the Firebase idToken valid and logged in after one hour?

Should I make the request below and re-run the Firebase signInWithCredential?

https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code

POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

client_id=<your_client_id>&
client_secret=<your_client_secret>&
refresh_token=<refresh_token>&
grant_type=refresh_token

I can get my client_secret from the Google API Credential page. Most people say to keep it on the server if possible, but some say you can also embed it into your client code if needed.

Is the client_secret designed to be used from client side code in a phone app?


Solution

  • Firebase sessions are indefinite. Firebase Auth returns an ID token and refresh token after sign in, and every time an ID token expires, the refresh token is used to get a new ID token. The client SDK will take care of the refresh on its own. You just call getIdToken() and it will either return the cached ID token if not expired or retrieve a new one using the underlying refresh token. The Google OAuth refresh token you are referring to is not needed here.
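
The cache-or-refresh behaviour described in the answer, as an added example that is not part of the original post and is not Firebase SDK code. `ModelSession`, `mintIdToken`, the unsigned sample token and the one-hour lifetime are constructed stand-ins; the point is the caller pattern of asking for the token at request time instead of storing it, with no client_secret in the app.

```javascript
// Constructed model of "return the cached ID token, or refresh when expired".
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed, unsigned JWT-shaped token carrying only an exp claim (seconds).
function mintIdToken(nowSec, lifetimeSec = 3600) {
  return [b64url({ alg: 'none' }), b64url({ exp: nowSec + lifetimeSec }), ''].join('.');
}

// Read exp from the payload segment. Scheduling only; this verifies nothing.
function expiryOf(idToken) {
  const payload = idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).exp;
}

class ModelSession {
  constructor(clock) {
    this.clock = clock;      // () => current time in seconds
    this.refreshCount = 0;   // how many times the refresh path ran
    this.idToken = mintIdToken(clock());
  }
  // Cached token while it is still valid, a new one once it has expired.
  currentIdToken(forceRefresh = false) {
    if (forceRefresh || expiryOf(this.idToken) <= this.clock()) {
      this.idToken = mintIdToken(this.clock()); // stands in for the refresh exchange
      this.refreshCount += 1;
    }
    return this.idToken;
  }
}

// Caller pattern: build the header per request, never from a saved variable.
function authHeader(session) {
  return { Authorization: `Bearer ${session.currentIdToken()}` };
}

function demo() {
  let now = 1700000000;                      // constructed start time
  const session = new ModelSession(() => now);
  const first = authHeader(session).Authorization;
  now += 1800;                               // 30 minutes later: cached token reused
  const second = authHeader(session).Authorization;
  now += 1801;                               // past the assumed lifetime: refreshed
  const third = authHeader(session).Authorization;
  return { reused: first === second, rotated: second !== third, refreshes: session.refreshCount };
}
```
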