Google has a code generator that generates a personalized login with Google button. A sample of the code generated by the generator is as the following.

<div id="g_id_onload"
     data-client_id="abcdefghijklmnopqrstuvwxyz"
     data-context="signin"
     data-ux_mode="popup"
     data-callback="localhost:1234/callback"
     data-nonce=""
     data-auto_prompt="false">
</div>

<div 
     data-type="standard"
     data-shape="rectangular"
     data-theme="outline"
     data-text="signin_with"
     data-size="large"
     data-logo_alignment="left">
</div>

I have a few questions to understand this button better.

• Why is there no client secret?
• This button gets an ID token, but what about a refresh and access token? How could you refresh an expired ID token?
• Is the generated code production-ready, or is it merely serve demo purposes?

CodePudding user response：

Why is there no client secret?

Because this is client side JavaScript and there for uses implicit flow. The Implicit flow is a simplified OAuth flow used by JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.

This button gets an ID token, but what about a refresh and access token? How could you refresh an expired ID token?

This is again client side JavaScript Implicit flow. Implicit flow does not return a refresh token. TO get a new id token after it has expired the user will need to login again.

Is the generated code production-ready, or is it merely serve demo purposes?

Google web identity is in production and what google is currently recommending we used for Client side JavaScript web applications.