If I understand you, you want to rely on ipfs (rather than google) to ensure the client your app is talking to is who he pretends to be.
You probably want your user to present you a token signed with a key you trust, something like jwt.
If im not mistaken, identity in ipfs is guaranteed by cryptography - only the owner of the corresponding private key can sign content that you can check against a given public key.
I recently posted a comment in another thread concerning the decentralized identity effort carried on by https://identity.foundation. Using this scheme, you have your client generate a key pair and post a did document under the ipns namespace of their key.
When they want to make a request to your app, they include their did id (did:ipid:) in the jwt id field, and sign it with their key. To check the token, your server fetch the did document (published under /ipns/), decide whether the user should be authorized or not, and if it is, check that the token is signed with the published public key.