In order to secure my routes, I'm using Google OAuth to allow my users to sign-in and identify themselves for my backend.
The issued id token is then sent on every request to a protected endpoint on my backend, and is verified by what's explained in this article: https://developers.google.com/identity/sign-in/web/backend-auth
Now the only issue is, id tokens expire after a set amount of time. The only way to retrieve new id tokens is by using the refresh token I believe. If so, how can I safely store the refresh token on the client so I can retrieve new id tokens?
Edit: To clarify, I'm using the authorization code flow
If the client is a Single Page Application then you can store the refresh token in a http-only cookie. Of course that assumes that you have some backend which can receive that cookie, extract the token and make the refresh request to Google. If possible, you can store the refresh token in your backend.
If you don't have a dedicated backend for your app, but still want to keep tokens in http-only cookies, you can have a look at the Token Handler component, we've created at Curity to help with these kind of issues.