I have an Android app whose login uses a Google account through Firebase. When I launch the Android application, Firebase returns a token with user information. I send that token to my server to validate it. The token contains an issue date and an expiration date (1 hour).
Client -> Android Server -> RESTFUL PHP
From here I do not know what is safe, or what the safest way to communicate is:
1st - In each HTTPS request from the client to the server, send the Firebase token until it expires. (For each request I must fetch the public keys provided by Google from a URL to decode the token.)
2nd - When my server receives the Firebase token, it returns a new token (generated by the server) that the client must send in each HTTPS request to the server until it expires.
Which is the right way? Am I wrong, and is there another, better way?
The correct option is the 2nd.
Although with the 1st option you have to query Google for each request to decode the token, the real reason is that the token generated by the server may contain other data related to the application: permissions, profile, or whatever interests us.
To generate the token on the PHP server, use php-jwt:
composer require firebase/php-jwt
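The 2nd flow from this answer written out with firebase/php-jwt, as an added example that is neither the asker's nor the answerer's code: the project id, server secret, issuer name and permission list are placeholders, and the client is assumed to send the token in a Bearer header.

```php
<?php
// Added example of the "2nd" flow: verify the Firebase ID token once at login,
// then issue and verify the server's own session JWT (firebase/php-jwt v6 API).
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const FIREBASE_PROJECT_ID = 'my-project-id';            // placeholder
const SERVER_SECRET = 'replace-with-32-random-bytes';    // placeholder; keep out of the repo
const GOOGLE_CERTS_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';

// Step 1 (login only): verify the Firebase ID token against Google's public certs.
function verifyFirebaseIdToken(string $idToken): object {
    // In production cache this response for the max-age Google sends in Cache-Control.
    $certs = json_decode(file_get_contents(GOOGLE_CERTS_URL), true);
    $keys = [];
    foreach ($certs as $kid => $pem) {
        $keys[$kid] = new Key($pem, 'RS256');   // decode() selects the key by the token's kid header
    }
    JWT::$leeway = 60;                          // tolerate small clock skew; exp/iat/nbf are checked by decode()
    $claims = JWT::decode($idToken, $keys);
    // php-jwt does not check iss/aud itself, so pin them to this Firebase project.
    if ($claims->iss !== 'https://securetoken.google.com/' . FIREBASE_PROJECT_ID
        || $claims->aud !== FIREBASE_PROJECT_ID || empty($claims->sub)) {
        throw new UnexpectedValueException('Firebase token was not issued for this project');
    }
    return $claims;
}

// Step 2: mint the server's own short-lived token carrying app-specific claims.
function issueSessionToken(object $firebaseClaims, array $permissions): string {
    $now = time();
    $payload = [
        'iss'   => 'my-api',                // placeholder issuer name
        'sub'   => $firebaseClaims->sub,    // the Firebase uid
        'iat'   => $now,
        'exp'   => $now + 3600,             // 1 hour, like the Firebase token in the question
        'perms' => $permissions,            // e.g. ['read:orders'] loaded from your own database
    ];
    return JWT::encode($payload, SERVER_SECRET, 'HS256');
}

// Step 3 (every later request): a local HMAC check, no call to Google needed.
function verifySessionToken(string $token): object {
    return JWT::decode($token, new Key(SERVER_SECRET, 'HS256')); // throws on bad signature or expiry
}
```

Wrap each call in a try/catch for Firebase\JWT\ExpiredException and SignatureInvalidException and answer 401 so the client knows to log in again.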