oauth-2.0, google-oauth, google-signin

How many client IDs should I create for my web application?


I implemented Google Sign-in on my web application.

I made a client ID from the developer panel and put it in the HTML where Google Sign-in is made.

The client ID is personal but not secret; that means it identifies my app but it does not give power to manipulate data on a backend server (if I get this right, it is the client_secret that lets you do stuff on the server side).

My web app does not talk to a server of mine, so I don't need to send the ID token to the server in order to validate the logged-in user.

My question is: what is the association between an app and its client ID?

Must this client ID be unique for my app regardless of how many users would log in? Since the client ID should identify my app in front of Google OAuth2 servers and not logged-in users, I thought that I don't have to create a client ID for every customer logging in, because the client ID identifies the app and not the customer: this means that I have to create a client ID for every different web app using Google Sign-in, not for every user logging in.

Could you please confirm my thought above?

Thanks!


Solution

  • Your thoughts are correct: a client ID identifies the app to Google (operating the authorization server), not a user.
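
The same point seen from the ID token, as an added example that is not part of the original question or answer: every user's Google ID token carries the app's client ID in `aud` and the user's own identifier in `sub`, so an audience check accepts any user of this app and rejects a token issued to a different app. The client IDs, `sub` values and tokens are constructed placeholders, and the signature and expiry checks a real verifier needs are omitted.

```javascript
// Added example. Tokens below are constructed and unsigned; a real verifier
// must also check the signature against Google's public keys and the exp claim.
const CLIENT_ID = "1234567890-example.apps.googleusercontent.com"; // placeholder
const OTHER_APP_ID = "9876543210-other.apps.googleusercontent.com"; // placeholder
const GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"];

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build a constructed token with the three-part JWT layout (fake signature).
function makeSampleToken(claims) {
  return [b64url({ alg: "RS256", typ: "JWT" }), b64url(claims), "constructed"].join(".");
}

function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns the user's id (sub) when the token was issued to our app, else null.
function userForThisApp(token, expectedClientId) {
  let claims;
  try { claims = decodeClaims(token); } catch (e) { return null; }
  if (!claims || typeof claims !== "object") return null;
  if (!GOOGLE_ISSUERS.includes(claims.iss)) return null;
  if (claims.aud !== expectedClientId) return null; // issued to another app
  return typeof claims.sub === "string" ? claims.sub : null;
}

const iss = "https://accounts.google.com";
const tokenAlice = makeSampleToken({ iss, aud: CLIENT_ID, sub: "1001" });
const tokenBob = makeSampleToken({ iss, aud: CLIENT_ID, sub: "1002" });
const tokenOtherApp = makeSampleToken({ iss, aud: OTHER_APP_ID, sub: "1001" });

console.log(userForThisApp(tokenAlice, CLIENT_ID));    // two users, one client ID
console.log(userForThisApp(tokenBob, CLIENT_ID));
console.log(userForThisApp(tokenOtherApp, CLIENT_ID)); // same user, other app
```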