Between access tokens, refresh tokens, scopes, audiences, and client IDs, I was confused when the Google OAuth documentation instructed me to validate all tokens in order to
How are you using OAuth2? Do you obtain an authorization code and exchange for refresh token? Or are you obtaining access tokens directly via your frontend?
If you're receiving an authorization code, you're done, as the check for client_secret performed by Google in the backend guarantees that all tokens returned in exchange for the authorization code were issued for your application.
If you're receiving an access_token+id_token through the frontend, then you should validate the id_token signature using the recommended libraries, then validate that the 'aud' field in the id_token matches the one you registered for your application w/ Google. For complete security, also cross-validate the access_token with the id_token (the id_token includes a truncated hash of the access_token as field 'at_hash'), as documented in: https://developers.google.com/accounts/docs/OAuth2Login