Saturday 15 May 2010

How and why is Google OAuth token validation performed?


Between access tokens, refresh tokens, scopes, audiences and client IDs, I got confused when the Google OAuth documentation instructed me to prevent confused deputy problems. The description of the general problem only tells the story at a high level and is not specific to OAuth, or even to network authentication. If I understand it correctly, token validation is not part of OAuth 2 itself but depends on the specific implementation. So here is my question:

How is Google OAuth token validation done and why?

In this context, a solid example of the confused deputy problem would be particularly appreciated. Also keep in mind that I am asking specifically about client-side applications, if that makes any difference.

Google is specifically referring to the access token.

In the context of OAuth 2.0, the confused deputy problem applies when OAuth is used for authentication. Google's "OAuth 2.0 for client-side applications" is based on the implicit grant protocol flow.

Since the implicit flow exposes the access token to the end user through the URI fragment, it introduces the possibility that an access token can be tampered with. A legitimate app (an OAuth client) can become a confused deputy by accepting an access token that was issued to a different (malicious) app, allowing an attacker to access the victim's account.

The key step in validating the access token is that the app confirms the access token was not originally issued to a different app:

Note: When verifying a token, it is critical to ensure the audience field in the response exactly matches your client_id registered in the APIs Console. This is the mitigation for the confused deputy issue, and it is absolutely vital to perform this step.

As a simple example, there are two apps: (1) FileStore, a legitimate file storage app, and (2) EvilApp. Both apps use Google's authorization process for client-side applications. Alice is an innocent end user who uses both apps, and her Google user ID is XYZ.

  1. Alice signs in to FileStore using Google.
  2. After the authentication process, FileStore creates an account for Alice and links it with Google user ID XYZ.
  3. Alice uploads some files to her FileStore account. So far, everything is fine.
  4. Later, Alice signs in to EvilApp, which offers games that look really fun.
  5. As a result, EvilApp receives an access token that was issued for Google user ID XYZ.
  6. The owners of EvilApp can now craft a redirect URI for FileStore, inserting the access token that was issued for Alice's Google account.
  7. The attacker connects to FileStore, which takes the access token and checks with Google which user it belongs to. Google says this user is XYZ.
  8. FileStore gives the attacker access to Alice's files, because the attacker has an access token for Google user XYZ.

FileStore's mistake was not validating with Google that the access token given to it was actually issued to FileStore; the token was actually issued to EvilApp.

Others have described this more eloquently than I have:

I hope this explains why token validation is part of the client-side application flow, and how it addresses the confused deputy problem.
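The attack described in the answer, and the audience check that stops it, as an added example that is not part of the original answer and not Google's code. It is written in JavaScript because the question is about client-side applications. The client IDs, the access tokens and the in-memory tokeninfo table are constructed stand-ins for Google's tokeninfo endpoint (GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=...), whose JSON response carries the audience and user_id fields compared here; the app names are the answer's FileStore and EvilApp:

```javascript
// Added example (not code from the original post or from Google). Simulates the
// implicit-flow redirect from the answer and the audience check that defeats the
// confused deputy attack. Client IDs, tokens and the TOKENINFO table are constructed.

const FILESTORE_CLIENT_ID = '1111.apps.googleusercontent.com'; // assumed value
const EVILAPP_CLIENT_ID = '2222.apps.googleusercontent.com';   // assumed value

// Constructed stand-in for Google's tokeninfo endpoint, keyed by access token.
// The real endpoint answers an HTTPS GET with a JSON object carrying these fields.
const TOKENINFO = {
  'ya29.alice-at-filestore': {
    audience: FILESTORE_CLIENT_ID, user_id: 'XYZ',
    scope: 'https://www.googleapis.com/auth/userinfo.profile', expires_in: 3600,
  },
  'ya29.alice-at-evilapp': {
    audience: EVILAPP_CLIENT_ID, user_id: 'XYZ',
    scope: 'https://www.googleapis.com/auth/userinfo.profile', expires_in: 3600,
  },
};

function tokenInfo(accessToken) {
  const info = TOKENINFO[accessToken];
  if (!info) throw new Error('invalid_token'); // the real endpoint returns HTTP 400 here
  return info;
}

// In the implicit flow Google returns the token in the URI fragment, e.g.
//   https://filestore.example/oauth2callback#access_token=...&token_type=Bearer&expires_in=3600
// which is exactly what an attacker can assemble by hand (step 6 of the answer).
function parseFragment(redirectUri) {
  const hash = new URL(redirectUri).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// Vulnerable FileStore: asks Google who the token belongs to and trusts the answer
// (steps 7 and 8 of the answer).
function loginVulnerable(redirectUri) {
  const { access_token } = parseFragment(redirectUri);
  const info = tokenInfo(access_token);
  return { ok: true, user: info.user_id };
}

// Fixed FileStore: the token must have been issued to FileStore's own client_id.
function loginChecked(redirectUri, expectedClientId) {
  const { access_token } = parseFragment(redirectUri);
  if (!access_token) return { ok: false, reason: 'no access_token in fragment' };
  let info;
  try {
    info = tokenInfo(access_token);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (info.audience !== expectedClientId) {
    // Confused deputy check: the token was minted for another app (here EvilApp).
    return { ok: false, reason: 'audience mismatch: token issued to ' + info.audience };
  }
  if (!(info.expires_in > 0)) return { ok: false, reason: 'token expired' };
  return { ok: true, user: info.user_id };
}

// EvilApp replays the token it received for Alice at FileStore's callback URI.
const ATTACK_URI =
  'https://filestore.example/oauth2callback#access_token=ya29.alice-at-evilapp&token_type=Bearer&expires_in=3600';
// A genuine redirect after Alice signs in to FileStore.
const LEGIT_URI =
  'https://filestore.example/oauth2callback#access_token=ya29.alice-at-filestore&token_type=Bearer&expires_in=3600';

console.log('vulnerable:', loginVulnerable(ATTACK_URI));                   // grants XYZ
console.log('checked   :', loginChecked(ATTACK_URI, FILESTORE_CLIENT_ID)); // audience mismatch
console.log('legit     :', loginChecked(LEGIT_URI, FILESTORE_CLIENT_ID));  // grants XYZ
```

Against a live deployment, tokenInfo would be an HTTPS request to the tokeninfo endpoint rather than a table lookup, and the comparison must be an exact string match on the audience field against the client_id registered in the APIs Console; matching only the user_id, as the vulnerable version does, is precisely FileStore's mistake.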
