Google has a code generator that generates a personalized "Login with Google" button. A sample of the code generated by the generator is as follows.
```html
<div id="g_id_onload"
     data-client_id="abcdefghijklmnopqrstuvwxyz"
     data-context="signin"
     data-ux_mode="popup"
     data-callback="localhost:1234/callback"
     data-nonce=""
     data-auto_prompt="false">
</div>
<div class="g_id_signin"
     data-type="standard"
     data-shape="rectangular"
     data-theme="outline"
     data-text="signin_with"
     data-size="large"
     data-logo_alignment="left">
</div>
```
I have a few questions to understand this button better.
Why is there no client secret?
Because this is client-side JavaScript and therefore uses implicit flow. The implicit flow is a simplified OAuth flow used by JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.
This button gets an ID token, but what about a refresh and access token? How could you refresh an expired ID token?
This is again client-side JavaScript implicit flow. Implicit flow does not return a refresh token. To get a new ID token after it has expired, the user will need to log in again.
Is the generated code production-ready, or does it merely serve demo purposes?
Google web identity is in production and is what Google is currently recommending we use for client-side JavaScript web applications.
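Since the button hands the page only an ID token and no client secret is involved, the backend that receives that token has to validate it before trusting it. The sketch below is an added example, not part of the original post or Google's code: it checks the signature, issuer, audience, expiry and the `data-nonce` value. The names `verifyIdToken`, `signSample` and `check` are hypothetical, and a locally generated RSA key stands in for Google's published signing keys so the example runs offline.

```javascript
const crypto = require("node:crypto");

const GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Verify an RS256 ID token against a known public key and expected values.
// Returns the claims on success, throws with a reason on failure.
function verifyIdToken(token, { publicKey, clientId, nonce, now = Date.now() / 1000 }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm: the token must not get to choose "none" or HS256.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey,
                           Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error("wrong issuer");
  if (claims.aud !== clientId) throw new Error("wrong audience");
  // An expired ID token is rejected; the user has to sign in again.
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (nonce !== undefined && claims.nonce !== nonce) throw new Error("nonce mismatch");
  return claims;
}

// Constructed fixture: a local key pair plays the role of the token issuer.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function signSample(claims) {
  const input = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns "ok" or the rejection reason for a freshly signed sample token.
function check(claims, opts) {
  try { verifyIdToken(signSample(claims), { publicKey, ...opts }); return "ok"; }
  catch (e) { return e.message; }
}

const CLIENT_ID = "abcdefghijklmnopqrstuvwxyz"; // placeholder from the snippet above
const base = { iss: "https://accounts.google.com", aud: CLIENT_ID,
               sub: "constructed-user", nonce: "n-1", exp: 2000 };
console.log(check(base, { clientId: CLIENT_ID, nonce: "n-1", now: 1000 }));
console.log(check(base, { clientId: CLIENT_ID, nonce: "n-1", now: 3000 }));
console.log(check({ ...base, aud: "other-app" }, { clientId: CLIENT_ID, nonce: "n-1", now: 1000 }));
console.log(check(base, { clientId: CLIENT_ID, nonce: "n-2", now: 1000 }));
```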