Using Google Sign In, how does the server confirm that a request from the client is being made by a certain user?

I’m developing a web game in JavaScript which communicates with a Node.js server that saves user data to a database, such as user levels, etc.

I want to use Google Sign In as a convenient way for logging players into the game. I only need their profile info and email. Also, I want to be able to sign in without reloading the game page, preferably signing in via a pop-up window.

I’ve got most of it working; I’m calling client = google.accounts.oauth2.initCodeClient(...) in the client when it loads, then when a user wants to sign in I retrieve the authorization code with client.requestCode(). My server receives the code, and I retrieve the tokens and user info with

  let { tokens } = await oauth2Client.getToken(req.body.code);
  const userInfo = (
    await oauth2Client.verifyIdToken({
      idToken: tokens.id_token,

Now, I’m having trouble understanding how to proceed, so that the server can confirm that any further user requests com from a valid, logged in user. Do I send the access token to the client, which then sends it back to the server with any requests the user makes? What happens when the access token expires; how do I avoid having to ask the user to keep logging in each time they open the web app?

I’ve been reading Google’s documentation but I’m having a hard time understanding how the flow of this works in this situation. Any help is much appreciated.

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.