I'm manually writing OAuth2 Server Flow to allow users to login using Google (and other websites, but let's focus on Google).
I have the basic flow working:
- user clicks on the login link.
- goes to Google and sees consent screen.
- accepts.
- redirected back to my website.
- server takes relevant information and logs user in.
So far so good. Now I want to make sure that the server remembers the user for next time. For that I store the token along with other user data on the server.
Now, how do I check, server-to-server, if the token is still valid? I have it's expiration time, so I know it's invalid after that time passes, but what do I do then? Should I ask for a permanent (offline) token if I only want to allow login?
As a result of authorization success from Google, you should also get refresh_token. If you are not getting then do the following.
Now, for validating you can hit the token validation endpoint of Google, if you are not maintaining the state. If you are maintaining the state then you can validate the expiry of token if token is only signed, if encrypted then you have to validate from Google.
You can play with different Google OAuth URLs here
more details on token validation here