Microsoft Teams Auth Token / Microsoft graph access token swap
I am generating an auth token using the Teams JS SDK. From this, I swap it out for a MS Graph access token using the following input to a PHP cURL call:
$scope = urlencode('https://graph.microsoft.com/user.read+offline_access');
$url = 'login.microsoftonline.com/' . $tenant_id;
$url .= '?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer';
$url .= '&client_id=' . $aad_app_id;
$url .= '&client_secret=' . $client_secret;
$url .= '&assertion=' . $auth_token;
$url .= '&scope=' . $scope;
$url .= '&requested_token_use=on_behalf_of';
Question: how can I be sure the auth token sent back from using the Teams JS SDK is actually valid? I need to verify it * behind the scenes * in an automated way (php) - I know we can manually validate it at jwt.io, but this does us no good. In swapping the Teams Auth Token for the Graph Access token, it would seem to me that the assertion (auth token) , client secret, client id, and the tenant id are all used to verify authenticity. Is this correct? Will a success (Graph access token retrieval) essentially validate the Auth token is from who we think it's from (Microsoft)?
A parallel question: is the client secret used in creating the jwt token signature? If so, How can I verify it?