Authorization flow with a back-end API

Please provide the following:

  1. SDK Version: 41
  2. Platforms(Android/iOS/web/all): all
  3. Add the appropriate “Tag” based on what Expo library you have a question on.

I’d like to use social logins for user creation and logging in. Once a user signs in with Google or Facebook, the back-end will create a user account for them (if one doesn’t exist) and a JWT will be issued so that they can access resources from my API (a Node + Express server).

I have two options for this:

a) Using AuthSession, perform the login flow and receive an access token. Pass it to the backend over HTTPS, and verify that it is valid and from my app. If it is, issue a JWT of my own which will be used until it expires. This is illustrated here, but using RN instead of Vue:

b) Use openAuthSessionAsync from expo-web-browser to perform a common style of authentication you see on back-ends where you have routes:

/api/authentication/{provider}/start which is visited to start the OAuth flow.

/api/authentication/{provider}/redirect to handle the redirect

Is there a preferred approach here for these situations? Also, I know that there are endpoints for verifying a token’s validity (the contents of it), but my main concern here is verifying that the token is from my app, and has not been crafted. I have seen Google recommend checking that the audience key on the decoded token equals my client id, but if I’m using AuthSession, it will be stored in my code and is available to the client.
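
The audience check raised in the question, as an added example that is not part of the original post: a Node sketch of back-end verification for a provider-signed ID token (a JWT), checking signature, issuer, audience and expiry before the server issues its own JWT. The issuer, client IDs and the locally generated key pair standing in for the provider's published signing keys are constructed assumptions, and `mintIdToken`, `verifyIdToken` and `demo` are hypothetical helper names.

```javascript
// Added example; keys, issuer and client IDs below are constructed.
const crypto = require("node:crypto");

const ISSUER = "https://provider.example";     // hypothetical issuer
const MY_CLIENT_ID = "my-app.client.example";  // public by design
const b64url = (s) => Buffer.from(s).toString("base64url");

// Stand-in for the provider's signing key; a real back-end only ever holds the public half.
const provider = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

function mintIdToken(claims, privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

function verifyIdToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString()) || {};
    claims = JSON.parse(Buffer.from(body, "base64url").toString()) || {};
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm server-side instead of trusting the token header.
  if (header.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("sha256", signed, publicKey, Buffer.from(sig, "base64url")))
    return { ok: false, reason: "bad signature" };
  if (claims.iss !== ISSUER) return { ok: false, reason: "wrong issuer" };
  if (claims.aud !== MY_CLIENT_ID) return { ok: false, reason: "wrong audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now)
    return { ok: false, reason: "expired" };
  return { ok: true, sub: claims.sub }; // safe point to issue your own JWT
}

function demo() {
  const exp = Math.floor(Date.now() / 1000) + 300;
  const base = { iss: ISSUER, sub: "user-123", exp };
  const forger = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return {
    mine: verifyIdToken(mintIdToken({ ...base, aud: MY_CLIENT_ID }, provider.privateKey), provider.publicKey),
    otherApp: verifyIdToken(mintIdToken({ ...base, aud: "other-app.client.example" }, provider.privateKey), provider.publicKey),
    crafted: verifyIdToken(mintIdToken({ ...base, aud: MY_CLIENT_ID }, forger.privateKey), provider.publicKey),
  };
}
```

In `demo()`, the token signed for another client ID fails the audience check and the token signed with a different key fails the signature check, so the client ID can be public without either passing.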