OAuth authentication in DRF & the G suite

I suspect this question might not be very Django-specific and could stem from my ignorance of how authentication works across Google services, but I’ll give it a try in case somebody here has experience with this specific use case.

I have a DRF and Vue web application that uses OAuth for authentication via the drf-social-oauth2 package.

Essentially, authentication goes like this:

  • the user logs in with their Google account and gets a token from Google
  • the frontend application issues a request to the convert-token token of my backend, which validates the Google token and issues an in-house token, which is also saved to my database
  • from then on, the frontend application will include that in-house token in each subsequent request to my backend
  • if that’s the first time the user authenticates, a new account is created on my backend. This means that my backend, understandably, manages its own set of user accounts, which conceptually are twins of the Google accounts used to log in.

I’m now looking to integrate some Google applications into my webapp. To give a very simple example, I’d like to include a functionality that allows accessing Google slides and docs from the frontend of my app. Integration with those services is <iframe> based, so essentially I’d be embedding some iframes to access the resources on the G suite.

Here’s the issue: since, like I explained, requests to my backend are authenticated using an in-house token and not a Google token, what could happen is a user might be accessing my website as a certain user X (which, in reality, would just be my “twin” of X as an in-house user account, but that’s transparent to the user, who will think they are logged in “with their Google account”), but they might’ve logged in to Google with another account, resulting in them accessing the embedded resource with a different identity than the one they’re using for my website.

This could have pretty bad consequences if, for example, the publisher of that content on my website only allowed certain accounts to access it: an authorized user might fail to be able to access the content and not understand why, since they’d seemingly be using the correct identity.

Is there a better alternative to have a more “uniform” management of authentication and keep in sync what account the user is logged in with Google and what they’re using for my website?
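
The mismatch described in this post, as a small in-memory model (an added example, not part of the original post and not drf-social-oauth2's code). The token strings, accounts and function names are constructed for illustration; the dictionaries stand in for Google's token validation and the backend database.

```python
import secrets

# Constructed stand-in for Google's token validation: opaque token -> account.
GOOGLE_TOKENS = {"g-tok-alice": "alice@example.com", "g-tok-bob": "bob@example.com"}

USERS = {}            # in-house "twin" accounts, keyed by Google email
IN_HOUSE_TOKENS = {}  # in-house token -> twin account email (the backend's DB)


def convert_token(google_token):
    """Model of the convert-token step: validate the Google token, create the
    twin account on first login, then issue and store an in-house token."""
    email = GOOGLE_TOKENS.get(google_token)
    if email is None:
        raise PermissionError("Google token rejected")
    USERS.setdefault(email, {"email": email})
    token = secrets.token_urlsafe(32)
    IN_HOUSE_TOKENS[token] = email
    return token


def backend_identity(in_house_token):
    """Who the backend sees: derived only from the in-house token."""
    email = IN_HOUSE_TOKENS.get(in_house_token)
    if email is None:
        raise PermissionError("unknown in-house token")
    return email


def iframe_allowed(doc_acl, browser_google_account):
    """Who Google sees: derived only from the browser's Google session.
    The in-house token never reaches the embedded frame."""
    return browser_google_account in doc_acl


def check_embed(in_house_token, browser_google_account, doc_acl):
    """Return (site_user, iframe_ok, mismatch) for one page view."""
    site_user = backend_identity(in_house_token)
    ok = iframe_allowed(doc_acl, browser_google_account)
    return site_user, ok, site_user != browser_google_account


if __name__ == "__main__":
    tok = convert_token("g-tok-alice")
    acl = {"alice@example.com"}
    print(check_embed(tok, "alice@example.com", acl))  # same account on both sides
    print(check_embed(tok, "bob@example.com", acl))    # browser switched Google account
```

The second call shows the failure mode: the site still treats the request as user X, while the embedded resource is evaluated against whichever Google account the browser session currently holds.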