I am trying to write a web app which uses sign in with google. I am a bit confused about the sequence of steps which should be followed. According to google docs , the normal flow for signing in a user is:
What i intend to figure out is:
1.) Am i supposed to send the IdToken with each and every subsequent API request from web to my server.
2.) what to do if someone steals this access token and sends a call to my server with it?
Quintessential information from your sketch is presented in Google's official publications:
A volatile token is generated and signed by the issuer (Google) and usually expires after a rather short lifespan (related post, while not google-login-specific: What is intent of ID Token expiry time in OpenID Connect?). The Google docs describe how to send a token XYZ123 via https to https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
As @ian-barber writes here: "Be sure to always send ID tokens over HTTPS - though they can't be used maliciously in themselves, an attacker could use one to establish themselves a session with your app server if they could intercept it, so its important they aren't sent in plain text."
(Refreshed) tokens are to be used to authenticate users. Then your backend logic (the blue server part) can grant further privileges or e.g. transmit data in a post response. The API (JavaScript version) provides a toolset to monitor the user's session status.
As stated here, you must specify "authorized origins". Only authorized origins may validate their client users through the Google Identity API. Please note that even the port matters, i.e. if you allow localhost:8080 as an authorized origin, then localhost:9999 is not included! Additionally, the client ID per se is no secret and is naturally exposed in your html document or app. But only authorized origins are eligible to traverse the login workflow and transmit the token to the backend, where it is validated through calls to the API.
