How do I make sure access token comes from authenticated user?

My problem boils down to the use of Okta’s access tokens to secure api endpoint.

I followed this okta guide to set up a react single-page application with their wiget.

When I log into the site I get a access token to use with my api.

I tried to access my api with the access token following this guide

On the api side Okta recommended to verify the access token. When I use their OktaJwtVerifier to verify the token I get faced with a question. How does this verifier know that I gave them the token from a authorized state and not from someone hijacking the token?

The verifier supposedly asserts that

  • Signature is valid
  • Access token is not expired
  • The aud claim matches any expected aud claim passed to verifyAccessToken().
  • The iss claim matches the issuer the verifier is constructed with.
  • Any custom claim assertions that you add are confirmed

But the validator does not know where the token came from.

I noticed that the access token gets saved into localStorage.

Does this not open up for a impersination attack on the access token? Suppose someone got access to the localStorage and used the access token on my api without authenticating. I tested if this would work and it did.

How can I prevent someone from stealing and using my access token without authenticating ???