Plugin: SSO-Oauth 2.0 | Are token saved on the server?


I would like to understand the following:

We are using Nextcloud configured as an Enterprise Application and logging in to NextCloud via SSO/Oauth2.0.

Do token get saved by NextCloud somewhere on the server? Or are no tokens “saved” in a way? Temporarily? We would like to strenghten the security of NC and the SSO login and were wondering if there was this possible loophole that someone could use.
Should NC save (auth) tokens, are they encrypted/hashed in any way or completely unencrypted?

Thanks for a clarification!