While developing an iOS and Android app for a backend API, I'm using separate client IDs for each. However, I noticed something that I find odd, and I'm hoping someone can explain why this works and if it's ok to work this way.
What I noticed is that if my backend API code supplies the Google Sign In client object with a client ID during instantiation, then it must match the client ID used by iOS or Android. (The client ID is called "audience" in the Google API code.) However, if my backend API code does NOT supply the Google Sign In client object with a client ID, then iOS/Android will always validate.
This is how it works whether you use php, java, nodejs, etc.
I expected not using a client ID to fail, same as using a mismatched client ID.
So, my questions: Is it valid to have the backend server validate ID tokens without specifying a client ID? Is there anything wrong or unsafe with doing it this way? What's the point of having the second part of the if statement that checks to make sure that client.audience (if set) matches idtoken.audience, if you can just leave client.audience blank and it works anyway?
I wonder about this because related documentation, such as the Android docs, state this as part of the verification process when authenticating with a backend:
The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
If the point is to prevent malicious apps from doing bad things, why is it valid to simply not use a client ID during verification?
Thanks in advance! I'm hoping someone can help me understand this. I haven't found a solid answer in Google's documentation.