How long is the Google access token obtained in signInCallback valid?
3600 seconds (1 hour).
Is this expiry flexible?
No. The access token will always expire after an hour. However, you can use a refresh token to replace the expired access token with a fresh token. To do this, you must request offline access on the sign-in button, send the one-time authorization code to your server, and exchange the auth code for an access token and refresh token.
Can I use it multiple times to pull out user information from google before expiry?
Unless the user disconnects from your app, you will be able to get fresh access tokens and make your API calls.
How should I maintain the session during sign-in?
Use your own site's session to maintain user state for your site. It sounds like you already have sessions working on your site; if the session is present and contains whatever authorization keys are required for your site, the user should be authorized.
Using the Google access token as the session key:
Please don't do this; you need to protect your users' access tokens. One thing you can do that is marginally safer is to pass the access token from the sign-in callback and then verify it corresponds to the session-cached user on your server.
A better way
Here's really what you should be doing. Use the sign-in button callback to determine that the user is not signed in and invalidate any sessions when they are not. Pass an ID token or one-time authorization code from the callback to your server to authenticate your user. The following code shows your average sign-in callback with the error conditions called out:
    function onSignInCallback(authResult) {
      if (authResult['access_token']) {
        // User is signed in.
      } else if (authResult['error']) {
        // There was an error, which means the user is not signed in.
        // As an example, you can handle by writing to the console:
        console.log('not signed in, invalidating session');
      }
      console.log('authResult', authResult);
    }
As you're aware, the authResult object contains the members access_token and id_token. Sending these tokens to the OAuth.v2.verifytoken endpoint will check that the token certificate is valid and the token has not expired. Verifytoken will also return to you a unique identifier for the user that you can use to verify that the user is not using the incorrect session.
The Google+ PHP Quickstart shows you how to send the authorization code to your server, accept and exchange the code, verify the token, and so on in PHP.
So, again, what you should be doing is:
- Pass an OAuth 2 credential to your server on client authentication
- Verify the credential on your server and disconnect the user session if it fails
- Rely on your site session once the user has been authenticated
- If you want to sign the user out whenever they sign out of Google, retrieve an OAuth 2 credential on every page load, pass the token (ID/access/one-time code) on each request, and verify it.
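As an added example (not code from the answer above), here is the server-side half of that procedure in plain JavaScript: take the parsed verification response for a token the client sent, check it was issued for this app and is unexpired, compare the user identifier it carries to the user cached in the site session, and invalidate the session on any failure. The response field names (audience, user_id, expires_in) and the client ID are assumptions; adjust them to what your verification endpoint actually returns.

```javascript
// Assumed client ID; replace with your app's own.
const MY_CLIENT_ID = 'CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com';

// Constructed sample of a verification response, shaped like the v2
// tokeninfo reply as assumed here (not captured from Google).
const SAMPLE_TOKEN_INFO = {
  audience: MY_CLIENT_ID,
  user_id: '1234567890',
  expires_in: 3500,
  email: 'user@example.com',
};

// Decide whether a verified token is acceptable for the current session.
// Returns { ok: true, userId } or { ok: false, reason }.
function validateTokenForSession(tokenInfo, session, clientId = MY_CLIENT_ID) {
  if (!tokenInfo || tokenInfo.error) {
    return { ok: false, reason: 'verification failed' };
  }
  // The token must be one issued to this app, not to some other client
  // the same user happens to be signed in to.
  if (tokenInfo.audience !== clientId) {
    return { ok: false, reason: 'audience mismatch' };
  }
  if (!(Number(tokenInfo.expires_in) > 0)) {
    return { ok: false, reason: 'token expired' };
  }
  if (session.userId && session.userId !== tokenInfo.user_id) {
    // The verified token belongs to a different Google user than the
    // one this session was established for: never silently switch users.
    return { ok: false, reason: 'session belongs to a different user' };
  }
  return { ok: true, userId: tokenInfo.user_id };
}

// Apply the decision: bind the session to the user on success, wipe the
// whole session (not just the user id) on failure.
function applyToSession(tokenInfo, session) {
  const result = validateTokenForSession(tokenInfo, session);
  if (!result.ok) {
    for (const key of Object.keys(session)) delete session[key];
    session.invalidated = true;
    return result;
  }
  session.userId = result.userId;
  return result;
}
```

The session object stands in for whatever your framework's session store hands you; the point is that the site session, not the Google token, is what authorizes later requests.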