How secure it the pattern used behind the button "continue with google" when used log into my application and then communicate with the backend server if all we get as authentication result is the email address and based on that we create the user account or log in. I mean, everyone even without using google sign-in workflow can post a xhr request to the server with an arbitrary email address and sign in with whatevery email address is used in the request payload?

Am I missing something? Is there some kind of token in the authentication response that I should pass to the backend server and then use it from there to communicate with google to make sure (that is, validate) and get confirmation from google that it has actually performed related authentication request?

Thanks!