April 5, 2021

Authentication in My Application [16/365]

I’ve been working on social authentication for Requeme for a while now, and I had a hard time implementing it because I was not sure how to do it correctly.

I started with Google Sign-In, and my first idea was to use the JWT I got from Google for all authentication. I got it working, but I noticed a few issues with this approach.

First, if I want to add another auth provider, like Twitter or GitHub, then I would have a different token on the client side for each of them, which makes managing users harder.

Second, the information in the token comes from Google, and I cannot add information of my own. Managing permissions, for example, would probably be quite hellish in this scheme.

So I will use those social tokens only for sign-up and login, and provide the client with a token that I generate myself for all other requests. This way, both problems are solved, albeit at the cost of a bit of complexity on my side.

Then again, authentication is a feature that I will probably implement once and reuse everywhere, so it makes sense to make it the best I can now, to save myself time later.

Copyright Marin Gilles 2019-2022