So I want to add Google sign-in as the only sign-in option to my application. I was reading these docs:

http://android-developers.blogspot.co.il/2016/05/improving-security-and-user-experience.html

http://android-developers.blogspot.co.il/2016/01/using-google-sign-in-with-your-server.html

https://developers.google.com/identity/sign-in/android/backend-auth#using-a-google-api-client-library

But all they are saying is what NOT to do, and not what we should do.

So far I was able to get the access token using the GoogleSignInAccount.getIdToken method and successfully authenticate it in my backend server (verifying the token against https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=).

But the docs say we should use refresh tokens and not access tokens.

Does anyone know what the correct flow is (best practice for both UX and security) to authenticate users using the refresh tokens?

Thanks in advance!
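The backend check described in the question, as an added example that is not part of the original post or of Google's own code: a successful tokeninfo response only shows that Google issued the token, so the server still has to check the claims in the returned JSON itself. The function name, `CLIENT_ID`, and the sample responses are constructed for illustration, and the HTTP call to tokeninfo is left out so the block runs offline.

```python
import time

# Issuer values Google uses for ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Placeholder: the OAuth client ID of YOUR backend (assumption, not from the post).
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"


class TokenRejected(Exception):
    """Raised when the tokeninfo claims fail a backend check."""


def check_tokeninfo_claims(claims, expected_client_id, now=None):
    """Validate the parsed JSON body of a tokeninfo reply; return the user id (sub)."""
    now = time.time() if now is None else now
    # aud must be our own client ID; otherwise an ID token issued to any
    # other app the user signed in to would also be accepted as a login here.
    if claims.get("aud") != expected_client_id:
        raise TokenRejected("audience mismatch")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise TokenRejected("unexpected issuer")
    try:
        exp = int(claims["exp"])  # tokeninfo returns exp as a string
    except (KeyError, TypeError, ValueError):
        raise TokenRejected("missing or malformed exp")
    if exp <= now:
        raise TokenRejected("token expired")
    sub = claims.get("sub")
    if not sub:
        raise TokenRejected("missing sub")
    # Key the account on sub, not on email: the email address can change.
    return sub


# Constructed sample responses (not real tokens or accounts).
NOW = 1_700_000_000
SAMPLE_OK = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
             "sub": "110000000000000000001", "exp": str(NOW + 3600),
             "email": "user@example.com"}
SAMPLE_OTHER_APP = dict(SAMPLE_OK, aud="999-other.apps.googleusercontent.com")
SAMPLE_EXPIRED = dict(SAMPLE_OK, exp=str(NOW - 1))

if __name__ == "__main__":
    print(check_tokeninfo_claims(SAMPLE_OK, CLIENT_ID, now=NOW))
```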

1 Answer

Have you looked at FirebaseUI Auth? As stated on the GitHub page, "FirebaseUI is an open-source library that offers simple, customizable UI bindings on top of the core Firebase SDKs. It aims to eliminate boilerplate code and promote best practices (both user experience and security) for authentication."