I believe that is the question that I need answered.
I am working on integrating Microsoft and Okta SSO into the software that we provide as a service to our customers. One of the large customers uses Okta, and another uses Microsoft Entra ID (formerly Azure Active Directory). Using Microsoft as the example, I have gone through this tutorial (https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-single-page-app-react-register-app), and have the basics of how it works.
I keep seeing references to "validate the token" but don't see how to do that. The way I believe it should work is that our client side app does the redirect to the SSO provider using the applicable libraries. Then the user logs in and a token is sent back to the client in the browser. That part I get. From there it becomes less clear. I would assume that I would need to have the client send the token to our API, where our API would then need to validate with the originating authority that the token is indeed valid. Why? I can't think of any other way to be sure that the token wasn't somehow stolen, and is being sent by a different person on a different computer.
At the end of the above-linked tutorial, I see that Microsoft Graph is called to display information about the user, and I've verified that the ID in my test case is my user account's Object ID in Entra ID, and of course the name and email are mine. I'm wondering if this call to Microsoft Graph is to be done on the server in the case of server side validation, but I haven't found any such reference.