I am developing a Cordova app with native Google authentication. I just want to have users create their account and/or login on my app using a "Sign in with Google" button. Nothing more.
After a successful login on the user's device, my client app is given an ID Token. I send this token to my backend for validation using Google's provided library. Everything works great.
Now what? What is the best practice?
Can I use this ID Token "ad-vitam-eternam"? Can I rely on this token to securely authenticate users on my backend? If so, should I store it in an httpOnly cookie client-side?
Google says I should create a session. As in a PHP session? That's not a very REST thing to do.
Does this mean I will have to make my own tokens after the ID Token validation?
I know a lot of documentation exists, but it's overwhelming and not always easy.
Thank you very much for your clarifications.
After some more digging around, I found this webpage. The issued token is valid for an hour, so I'll just use it to make a stateless session.
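The pattern the question is circling (validate the Google ID Token once, then issue the backend's own short-lived session token instead of reusing Google's) sketched as an added example, not code from the original post. It assumes a placeholder client ID and a server-side HMAC key; in production the `claims` dict would come from `google.oauth2.id_token.verify_oauth2_token(...)`, which also checks the signature.

```python
import base64, hashlib, hmac, json, os, time

# Placeholder values for this example (not from the original post).
GOOGLE_CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
SERVER_SECRET = os.urandom(32)   # per-deployment key, kept out of source control
SESSION_TTL = 3600               # our own session lifetime, independent of Google's

def check_google_claims(claims, now=None):
    """Checks the decoded payload of a verified Google ID token and returns the
    stable account id (`sub`). Issuer, audience and expiry are the checks a
    backend must not skip even after the library has verified the signature."""
    now = now or int(time.time())
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        return None
    if claims.get("aud") != GOOGLE_CLIENT_ID:      # token was issued for *our* app
        return None
    if int(claims.get("exp", 0)) <= now:            # Google tokens live about an hour
        return None
    return claims.get("sub") or None                # key accounts on sub, not email

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_session(sub, now=None):
    """Issues the backend's own HMAC-signed, short-lived stateless session token."""
    now = now or int(time.time())
    payload = json.dumps({"sub": sub, "iat": now, "exp": now + SESSION_TTL},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_session(token, now=None):
    """Returns the subject if the token is ours, untampered and unexpired, else None."""
    now = now or int(time.time())
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    data = json.loads(payload)
    return data.get("sub") if data.get("exp", 0) > now else None

def login_with_google(claims, now=None):
    """One-time exchange: Google ID token claims -> our session token (or None)."""
    sub = check_google_claims(claims, now)
    return mint_session(sub, now) if sub else None
```

The Google ID token is used exactly once, at login; every later request carries only the backend's own token, so the app never depends on the Google token's one-hour lifetime or on Google's revocation behaviour.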