Examples include Google Sign-In and the Google client libraries , which are available for a variety of platforms. The effect is documented in Offline Access ; if an access token is being requested, the client does not receive a refresh token unless offline is specified. To specify both profile and email , you can include the following parameter in your authentication request URI:.

Determines where the response is sent. After obtaining user information from the ID token, you should query your app's user database.

The user's full name, in a displayable form. One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. But before you can use the information in the ID token or rely on it as an assertion that the user has authenticated, you must validate it.