I'm manually writing the OAuth2 Server Flow to allow users to log in using Google (and other websites, but let's focus on Google).
I have the basic flow working:
- user clicks on the login link.
- goes to Google and sees consent screen.
- accepts.
- redirected back to my website.
- server takes relevant information and logs user in.
So far so good. Now I want to make sure that the server remembers the user for next time. For that I store the token along with other user data on the server.
Now, how do I check, server-to-server, if the token is still valid? I have its expiration time, so I know it's invalid after that time passes, but what do I do then? Should I ask for a permanent (offline) token if I only want to allow login?
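As an added illustration (not the asker's code) of the server-side decision the question describes: the stored expiry tells the server whether the access token is still usable, a refresh token (only issued by Google when the consent request carried `access_type=offline`) lets it obtain a fresh one without the user, and with neither the user has to go through the consent screen again. The record layout, the `SKEW` constant and the injectable `post` callback are assumptions made for this example; the token endpoint URL and request fields are Google's standard ones.

```python
"""Decide what to do with a stored Google OAuth2 token (added example)."""
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's token endpoint
SKEW = 60  # assumed: treat the token as expired a minute early to absorb clock drift


def token_status(record, now=None):
    """Classify a stored token record as 'valid', 'refresh' or 'reauth'.

    record (assumed layout): {"access_token", "expires_at" (epoch seconds),
    optional "refresh_token"}.  Treat the whole record as a credential at rest.
    """
    now = time.time() if now is None else now
    if record.get("expires_at", 0) - SKEW > now:
        return "valid"          # access token still usable; no round trip needed
    if record.get("refresh_token"):
        return "refresh"        # expired, but we can renew it server-to-server
    return "reauth"             # no refresh token: send the user back to Google


def refresh_access_token(record, client_id, client_secret, post=None, now=None):
    """Exchange the refresh token for a new access token (RFC 6749 section 6).

    `post(url, fields) -> dict` is injectable so the logic can run without network.
    Returns the updated record, or None when Google rejects the grant (for example
    {"error": "invalid_grant"} after the user revoked access), meaning re-login.
    """
    post = post or _post_form
    now = time.time() if now is None else now
    resp = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": record["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if "access_token" not in resp:
        return None
    return {
        "access_token": resp["access_token"],
        "expires_at": now + int(resp.get("expires_in", 0)),
        # Google normally omits refresh_token on refresh; keep the one we hold.
        "refresh_token": resp.get("refresh_token", record["refresh_token"]),
    }


def _post_form(url, fields):
    """Real transport: form-encoded POST, JSON response."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Call `token_status` on every request that relies on the stored token; only the `refresh` branch needs a server-to-server call, and a `None` from `refresh_access_token` should drop the stored record and restart the login flow.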