The original article [1] explains it much further:
> As you read previously, according to the Facebook documentation, when Vidio.com receives the access token from the user, Vidio should verify that the access token was generated to its App ID (92356) by calling the https://graph.facebook.com/debug_token API.
The access token usually has an `aud` field that says for whom it is.
I'm not familiar with Gitea's implementation, but reading your link, it would seem that it acts as an OAuth2 provider so that 3rd parties can access Gitea, not some other random app.
> Gitea supports acting as an OAuth2 provider to allow third party applications to access its resources with the user's consent.
> As you read previously, according to the Facebook documentation, when Vidio.com receives the access token from the user, Vidio should verify that the access token was generated to its App ID (92356) by calling the https://graph.facebook.com/debug_token API.
Confirming what vladvasiliu said.
1. https://salt.security/blog/oh-auth-abusing-oauth-to-take-ove...
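The check described in the quoted article, as an added example that is not code from the thread, the article or any project mentioned here: a relying party inspects the parsed `debug_token` response and accepts the token only if it is valid, was issued to its own App ID, and belongs to the user being logged in. The field names (`data`, `is_valid`, `app_id`, `user_id`) are assumed from Facebook's documented response shape, and the sample responses are constructed.

```python
class TokenRejected(Exception):
    """Raised when a debug_token response does not prove the token is ours."""


def verify_debug_token(response, expected_app_id, login_user_id):
    """Return the verified user id, or raise TokenRejected.

    `response` is the parsed JSON body returned by the debug_token call.
    Field names are an assumption based on Facebook's documented shape.
    """
    data = response.get("data") if isinstance(response, dict) else None
    if not isinstance(data, dict):
        raise TokenRejected("no data object (error or malformed response)")
    if data.get("is_valid") is not True:
        raise TokenRejected("token is expired, revoked or otherwise invalid")
    # The check the article describes: a token that is perfectly valid for
    # some other app must not log anyone in to ours.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    # Bind the token to the account being logged in, using the id from the
    # provider's response rather than one supplied by the client.
    user_id = data.get("user_id")
    if not user_id or str(user_id) != str(login_user_id):
        raise TokenRejected("token belongs to a different user")
    return str(user_id)


OUR_APP_ID = "92356"  # the App ID quoted in the article

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "ours": {"data": {"app_id": "92356", "is_valid": True, "user_id": "1001"}},
    "other_app": {"data": {"app_id": "11111", "is_valid": True, "user_id": "1001"}},
    "revoked": {"data": {"app_id": "92356", "is_valid": False, "user_id": "1001"}},
    "error": {"error": {"message": "constructed error body"}},
}


def outcome(name, login_user_id="1001"):
    """Return 'accepted' or the rejection reason for a named sample."""
    try:
        verify_debug_token(SAMPLES[name], OUR_APP_ID, login_user_id)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:10s} -> {outcome(sample)}")
```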