android - Verify Gmail OAuth2 token and client spoof
I'm following this example in order to allow the user to log in with a Google account on a remote server. Basically I get the access_token in the client and send it to the server. In the server I check the response of
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxxx
getting the email of the user and authenticating him in the server.

But I have a security question: what if a malicious developer creates an app that allows Gmail login, stores the users' access tokens and uses them to spoof their identity in my server? How can I avoid that? Is there a way to validate the signature of the application that obtained the access token?
The token info returned looks like:

```json
{
  "issued_to": "xxxxxxxxxxxxxx.apps.googleusercontent.com",
  "audience": "xxxxxxxxxx.apps.googleusercontent.com",
  "user_id": "15285874285447",
  "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email",
  "expires_in": 3562,
  "email": "user@mail.com",
  "verified_email": true,
  "access_type": "online"
}
```

So are the fields issued_to or audience important for validation?
Edit: I'm not talking about a man-in-the-middle attack. For example, imagine I create a game called VirusX that allows Gmail login. If no validation is made, I could save the access_tokens and use them to access other apps that use Gmail login.
Using the Facebook API I solved it this way:
- you ask for the token using your facebook_app_id (the Facebook SDK validates the app signature)
- the user logs in, you get the access_token and send it to the server
- the server retrieves the user_id by calling https://graph.facebook.com/me?access_token=xxxxx
- then the server calls https://graph.facebook.com/user_id?access_token=facebook_app_id|facebook_secret
- at this point, if the token was not retrieved with facebook_app_id (the secret does not match), you receive

invalid oauth access token signature
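The check the question is asking about, as an added example that is not code from the question or from Google's libraries: the server fetches the tokeninfo response quoted above and, before trusting the email, confirms that `audience` and `issued_to` name one of its own OAuth client IDs, that the token has not expired, that the email is verified and that the needed scope was granted. The client IDs, the tokeninfo bodies and the expected results below are constructed for the example; `fetch_tokeninfo` simply calls the endpoint named in the question.

```python
import json
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"

# Assumed: the OAuth client IDs registered for *our* app (Android and/or web
# client). A token whose audience is any other client ID was obtained by some
# other developer's app, even if the user behind it is real.
MY_CLIENT_IDS = {"123456789012.apps.googleusercontent.com"}
REQUIRED_SCOPES = {"https://www.googleapis.com/auth/userinfo.email"}

# Constructed sample bodies in the shape the question shows (values made up).
SAMPLE_OK = json.dumps({
    "issued_to": "123456789012.apps.googleusercontent.com",
    "audience": "123456789012.apps.googleusercontent.com",
    "user_id": "15285874285447",
    "scope": "https://www.googleapis.com/auth/plus.me "
             "https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3562,
    "email": "user@mail.com",
    "verified_email": True,
    "access_type": "online",
})
# Same user, but the token was issued to a different app ("VirusX" in the question).
SAMPLE_OTHER_APP = json.dumps({
    **json.loads(SAMPLE_OK),
    "issued_to": "999999999999.apps.googleusercontent.com",
    "audience": "999999999999.apps.googleusercontent.com",
})
# Our own app, but the token has already expired.
SAMPLE_EXPIRED = json.dumps({**json.loads(SAMPLE_OK), "expires_in": 0})
# What the endpoint returns for a token it does not recognise.
SAMPLE_INVALID = json.dumps({"error": "invalid_token"})


def fetch_tokeninfo(access_token: str, timeout: float = 5.0) -> str:
    """Ask Google (over HTTPS) about the token the client sent us; returns the JSON body."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def validate_tokeninfo(body: str, allowed_client_ids=MY_CLIENT_IDS,
                       required_scopes=REQUIRED_SCOPES) -> dict:
    """Decide whether a tokeninfo body proves a login *to our app*.

    Returns {"ok": True, "user_id": ..., "email": ...} on success, otherwise
    {"ok": False, "reason": ...}. Every rejection states why, so the server can
    log it without leaking the token itself.
    """
    try:
        info = json.loads(body)
    except ValueError:
        return {"ok": False, "reason": "tokeninfo response is not JSON"}
    if "error" in info:
        return {"ok": False, "reason": "tokeninfo rejected the token: %s" % info["error"]}

    # The central check for the question's scenario: the token must have been
    # issued to one of our own client IDs. Assumed here: both fields identify the
    # requesting client, so both are compared against the allow-list.
    for field in ("audience", "issued_to"):
        if info.get(field) not in allowed_client_ids:
            return {"ok": False,
                    "reason": "%s %r is not one of our client IDs" % (field, info.get(field))}

    # Replay window: an expired token must not authenticate anyone.
    try:
        if int(info.get("expires_in", 0)) <= 0:
            return {"ok": False, "reason": "token has expired"}
    except (TypeError, ValueError):
        return {"ok": False, "reason": "expires_in is not an integer"}

    # Only use the email as an identity if Google says it is verified.
    if info.get("verified_email") is not True:
        return {"ok": False, "reason": "email is not verified"}

    missing = required_scopes - set(info.get("scope", "").split())
    if missing:
        return {"ok": False, "reason": "missing scopes: %s" % sorted(missing)}

    if not info.get("user_id") or not info.get("email"):
        return {"ok": False, "reason": "user_id or email absent"}
    return {"ok": True, "user_id": info["user_id"], "email": info["email"]}
```

In the server's login handler the two functions chain together: `validate_tokeninfo(fetch_tokeninfo(token_from_client))`, and the session is created only when the result has `"ok": True`. The allow-list is what turns "a Google user logged in somewhere" into "a Google user logged in to my app".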
The tokeninfo endpoint is validating the token for you. As long as you are using HTTPS to communicate with it, it is safe. You can also unpack and parse the token yourself; there are libraries for this, and it's quite easy actually. See here for details. You should also look at verifying backend calls at the link suggested above; it's more powerful and lets you verify not only the user, but that the request is coming from your own app (there are ways to fool this on a rooted device though).

For the edited question:

The token is signed, so you can validate it. If validation fails, the token has been tampered with and you should not trust it (the Google tokeninfo endpoint does that). It also has a validity time, so you can check if it has expired. If someone gets the access token and sends it to your service (replay), they can use it for a limited time (typically 30-60 mins). If you use the backend validation technique, it makes sure the token comes from your app and not from Virus X by validating the package name and signing certificate hash, which you have to register in advance. Read up on how it works and use it instead of 'raw' profile tokens.

Generally, a bearer type token is like a cookie -- if you have it, there is no way to distinguish between the original owner and someone who stole it. The mitigating factor is that the token can be revoked and has a limited validity time.