Tags: google-cloud-platform, identity-aware-proxy

IAP accepts expired token in GCP


After following the GCP documentation on generating a token programmatically, we found that IAP was allowing tokens even when they had expired.

We were expecting a 401 response if an expired token was passed as a bearer token for authentication.


Solution

  • After getting in touch with the GCP support team, we found that simply changing a URL param value should fix the issue: the generated token is tied to the GCP user session when the token is generated in a normal login flow, but this should not be the case when trying to generate the token programmatically as mentioned here.

    To fix this, change the value of the query param 'cred_ref' to false when generating the CODE in step 3 of the "signing in to the application" documentation. So, the correct URI to get the CODE should be:

    https://accounts.google.com/o/oauth2/v2/auth?client_id=DESKTOP_CLIENT_ID&response_type=code&scope=openid%20email&access_type=offline&redirect_uri=REDIRECT_URI&cred_ref=false
    

    After generating the CODE using the modified URI above, fetch a new ID token. Now, once the token expires, the request should return a 401 error instead of the expired token simply being accepted.
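As an added example (not part of the answer above), the snippet below builds the authorization URL with `cred_ref=false` as described, and adds a client-side check of the ID token's `exp` claim so a caller can tell in advance whether IAP should answer 401 for it. `DESKTOP_CLIENT_ID` and `REDIRECT_URI` are the placeholders from the answer; the sample token is constructed and unsigned, and no signature verification is done here (IAP does that server-side).

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import quote, urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id: str, redirect_uri: str) -> str:
    """Authorization URL from the answer; cred_ref=false detaches the
    resulting ID token from the browser login session."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email",
        "access_type": "offline",
        "redirect_uri": redirect_uri,
        "cred_ref": "false",
    }
    # quote_via=quote encodes the space in the scope as %20, as on the page.
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token: str) -> dict:
    """Decode the JWT payload only (no signature check; client-side use)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def is_expired(token: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return id_token_claims(token)["exp"] <= now


def expected_iap_status(token: str, now: Optional[float] = None) -> int:
    """Status a correctly behaving IAP should return for this bearer token."""
    return 401 if is_expired(token, now) else 200


def make_sample_token(exp: int) -> str:
    """Constructed, unsigned sample JWT for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"sub": "user", "exp": exp}), ""])
```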