Using OAuth 2.0 (Authentication) token on GAE client

Question

I am searching for the a best way to provide security to my clients [web-java script/mob-android app],so that authorize users/machine can only have access to my app. While searching on google I found that for authorization I can use OAuth 2.0 available from google ,

[1] is it adviceable to use OAuth 2.0?

In OAuth 2.0 during first we have to create a token for client using google console and can use that client id in java script client give here

[2] On web Client where does token stored?

on the developer site they have give that

You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:

The user has revoked access.
The token has not been used for six months.
The user account has exceeded a certain number of token requests.
There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the  number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.

Using oAuth2.0 I need to have goole,facebook account or from my custom domain account say www.mysite.com/usr1 i can authenticate ?

Questions

[3] Once token is generated can we control its life time(How?) or it expires only after six month?

[4] for each google account user I can generate 25 tokens or for my google account(Account I used to create console project ) I can generate 25 tokens?

[5] can same token be used for multiple web client users?

Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.

[6] Is Access tokens is the same as I have generated from the console?

[7] from where can I get A refresh token?

any help will be appreciated!!!

thanks in advance

Answer 1

I use oauth, oauth2 and openid to authenticate my user on my GAE python application, is not verry simple to implement but is verry useful and simple for the visitor.

In first you can use the oauth 2.0 playground to try and play with oauth: https://developers.google.com/oauthplayground/

1. YES!
2. In a cookies. To protect your users I recommend to use Cloudflare pro to get an https url with your domain name. The cost is very low compared to buy a certificate and you have in more many services to speedup your application.
3. In python you can define the life time, in JAVA I suppose is the same.
4. The token is valid for a lifetime and for a specific domain.
5. See point 4. You can request an update token.
6. I don't know.Test that with Playground tools.
7. I don't understand your question. If your application need to request data from the provider and the token is expired you need to use the refresh key to request a new token.

For information but for Python, I invite you to see this library: https://github.com/scotch/engineauth