I have a question about having users log on to my service using their Google credentials. I've gone through the Using OAuth 2.0 for Login documentation provided by Google.
The documentation mentions an id_token (JWT token) as the primary authentication token that can be passed around and verified by the application.
On the other hand, together with the id_token, the Google OAuth 2.0 API also returns an access token (that can be long-lived depending on the access_type).
Now, Facebook and Twitter also use OAuth to allow third-party web apps to offer a "login using Twitter" or "login using Facebook" button. They assume that when an access token is retrieved through their APIs, the user is considered authenticated.
Wouldn't the same be possible with Google? If I just use their OAuth 2.0 API to retrieve an access token and verify the access token by retrieving some user info like the email, would that be considered a valid authentication flow? Or am I missing something here?
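The question contrasts two ways of treating a Google OAuth response as a login: trusting an access token because a userinfo call returns an email, or verifying the id_token. The added example below (editor's code, not from the question or from Google's documentation) shows the checks a relying party performs on the id_token before accepting it, and why one of them matters: the `aud` claim ties the token to a specific client_id, so a token that is genuinely Google-signed and carries a real user's email but was issued to a different app is rejected. A bare access token plus userinfo lookup has no equivalent binding. To run offline, the example mints tokens with HS256 and a constructed secret as a stand-in for Google's RS256 signing (real tokens are verified against Google's published JWKS keys); the client IDs, secret, subject and clock value are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer values Google uses in id_tokens (both forms occur in practice).
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed values for the offline demo; none of these are real Google identifiers.
MY_CLIENT_ID = "123456789-myapp.apps.googleusercontent.com"
OTHER_CLIENT_ID = "987654321-someoneelse.apps.googleusercontent.com"
DEMO_SECRET = b"constructed-demo-secret-not-a-google-key"
DEMO_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a JWT with HS256. Constructed stand-in for Google's RS256 signing so the
    example runs offline; Google's real signing keys come from its JWKS endpoint."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def hs256_verifier(secret: bytes):
    """Signature checker matching make_hs256_token. The algorithm is pinned so an
    attacker-controlled header (e.g. alg=none) cannot change how the check is done."""
    def verify(signing_input: bytes, signature: bytes, header: dict) -> bool:
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def validate_id_token(token: str, client_id: str, verify_signature, now=None) -> dict:
    """Return the claims if the id_token is acceptable for *this* client, else raise ValueError.
    Checks: signature, Google issuer, `aud` equal to our own client_id, unexpired `exp`."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not verify_signature(f"{h}.{p}".encode(), b64url_decode(s), header):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    # `aud` binds the token to the client it was issued to. A token minted for another
    # app, even if genuinely signed and naming a real user, is not a login for us.
    if claims.get("aud") != client_id:
        raise ValueError(f"token issued for another client: {claims.get('aud')!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def login_decision(token: str, client_id: str, verify_signature, now=None) -> tuple:
    """(accepted, account_key_or_reason). The account is keyed on `sub`, Google's stable
    per-user identifier, rather than on the email address, which a user can change."""
    try:
        claims = validate_id_token(token, client_id, verify_signature, now)
    except ValueError as err:
        return False, str(err)
    if not claims.get("email_verified", False):
        return False, "email not verified by Google"
    return True, claims["sub"]


def demo_tokens() -> dict:
    """Three constructed tokens: issued to us, issued to another client, and expired."""
    base = {"iss": "https://accounts.google.com", "sub": "100000000000000000001",
            "email": "alice@example.com", "email_verified": True,
            "iat": DEMO_NOW - 10, "exp": DEMO_NOW + 3600}
    return {
        "ours": make_hs256_token({**base, "aud": MY_CLIENT_ID}, DEMO_SECRET),
        "other_app": make_hs256_token({**base, "aud": OTHER_CLIENT_ID}, DEMO_SECRET),
        "expired": make_hs256_token({**base, "aud": MY_CLIENT_ID, "exp": DEMO_NOW - 1},
                                    DEMO_SECRET),
    }


if __name__ == "__main__":
    verifier = hs256_verifier(DEMO_SECRET)
    for name, tok in demo_tokens().items():
        print(name, login_decision(tok, MY_CLIENT_ID, verifier, now=DEMO_NOW))
```

Running the block accepts only the `ours` token and reports the reason for the other two. The `other_app` case is the one to note: every claim in it is true (Google-style issuer, real-looking user, valid signature), yet it is not a login for this service because it was never issued to this client.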