As far as I know, there is no way to authenticate the app itself.
If the request starts from a device in my network, I can capture the request along with the access token.
Then once I have the access token, I can make calls from an app that I wrote, and there won't be a way for your back-end to know otherwise.
You can only verify the user since the identity provider has issued a signed token for them after they have authenticated.
In your back-end you need to check the user's access to the resources they are trying to access.
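The back-end side of the answer above, as an added example that is not part of the original post: the server verifies the identity provider's signature on the token and then authorizes each resource against the user in it, and nothing about the calling app enters the decision. The names `issue`, `verify`, `handle_get`, `DOCS` and `IDP_KEY` are hypothetical, and a shared-key HS256 token stands in for the provider's signature (real providers usually sign with an asymmetric key).

```python
import base64, hashlib, hmac, json, time

IDP_KEY = b"constructed-demo-key"          # assumption: shared HS256 key, demo only
DOCS = {"doc-1": "alice", "doc-2": "bob"}  # constructed resource -> owner map

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub, ttl=300):
    """Stand-in for the identity provider: sign claims after the user logs in."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify(token):
    """Return the claims if signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        want = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64u_dec(sig)):
            return None
        claims = json.loads(b64u_dec(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token of any kind is simply rejected

def handle_get(token, doc_id, user_agent="unknown"):
    """Return an HTTP status. user_agent is deliberately unused: any client
    can send any value, so it proves nothing about which app is calling."""
    claims = verify(token)
    if claims is None:
        return 401  # no valid proof of who the user is
    owner = DOCS.get(doc_id)
    if owner is None or owner != claims.get("sub"):
        return 403  # authenticated, but not allowed to read this resource
    return 200
```

A valid token gets the same result whichever client presents it, so the per-resource check is what bounds what a captured token can reach.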