F.4.1 Authentication by Using the Authorization Code Flow

In this authentication process, the Token endpoint returns all tokens. The Authorization Code Flow returns an authorization code to the client application, which the client application exchanges for an ID token and an Access token. The authorization server can also authenticate the client application before exchanging the authorization code for an Access token. Because the exchange happens directly between the client application and the Token endpoint, this process does not expose tokens to the User Agent.

Process Flow:

  1. The client application prepares an authentication request containing the desired request parameters and sends the request to the authorization server.

  2. The authorization server authenticates the user.

  3. The authorization server obtains the user consent for the request.

  4. The authorization server sends the user back to the client application with an authorization code.

  5. The client application sends the authorization code to the Token endpoint to request tokens.

  6. The client application receives a response that contains an ID token and Access token in the response body.

  7. The client application validates the ID token and retrieves the user's subject identifier.
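The seven steps above, walked through from the client application's side, as an added Python example (it is not code from this product or its documentation). The issuer, endpoints, client ID, client secret and redirect URI are assumed values, and steps 2 to 4 and 6 are simulated in-process by a stand-in for the authorization server so the example runs offline. The ID token is signed with HS256 using the client secret purely to keep the example self-contained; the checks it performs (state, signature, iss, aud, exp, nonce, then reading sub) are the ones step 7 requires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical issuer and client registration; none of these values come from the page.
ISSUER = "https://idp.example.com"
AUTHZ_ENDPOINT = ISSUER + "/oauth/authorize"
TOKEN_ENDPOINT = ISSUER + "/oauth/token"
CLIENT_ID = "example-client"
CLIENT_SECRET = "constructed-client-secret"  # constructed for the example
REDIRECT_URI = "https://app.example.com/callback"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authentication_request():
    """Step 1: state binds the redirect to this session, nonce binds the ID token to it."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state, nonce

def parse_authorization_response(redirect_url, expected_state):
    """Step 4: take the code from the redirect, but only if state matches what we issued."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not bound to this session")
    return query["code"][0]

def build_token_request(code):
    """Step 5: form body and client credentials to POST to the Token endpoint."""
    return {"url": TOKEN_ENDPOINT,
            "client_auth": (CLIENT_ID, CLIENT_SECRET),  # HTTP Basic client authentication
            "form": {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}}

def validate_id_token(id_token, expected_nonce, now=None):
    """Step 7: check signature, iss, aud, exp and nonce, then return the subject (sub).
    HS256 with the client secret keeps this offline; RS256 against the issuer's JWKS is typical."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust an alg the client did not expect
        raise ValueError("unexpected alg: %s" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID token signature invalid")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if CLIENT_ID not in aud:
        raise ValueError("ID token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token not bound to this session")
    return claims["sub"]

def simulated_id_token(sub, nonce, now=None):
    """Stand-in for the authorization server signing an ID token (constructed for the example)."""
    now = int(time.time()) if now is None else now
    payload = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300, "nonce": nonce}
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header_b64 + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def run_flow(sub="user-123"):
    """Walk steps 1 to 7 with the authorization server's side simulated in-process."""
    _url, state, nonce = build_authentication_request()
    # Steps 2-4 happen at the authorization server; the redirect back with the code is constructed here.
    redirect = REDIRECT_URI + "?" + urlencode({"code": "constructed-authz-code", "state": state})
    code = parse_authorization_response(redirect, state)
    request = build_token_request(code)  # would be POSTed over TLS to request["url"]
    assert request["form"]["code"] == code
    # Step 6: the Token endpoint's JSON response body, constructed here.
    token_response = {"access_token": "constructed-access-token", "token_type": "Bearer",
                      "expires_in": 3600, "id_token": simulated_id_token(sub, nonce)}
    return validate_id_token(token_response["id_token"], nonce)

if __name__ == "__main__":
    print("authenticated subject:", run_flow())
```

In a deployment the token request is an HTTPS POST to the Token endpoint and the ID token is normally verified with a JOSE library against the issuer's published keys rather than by hand; the state and nonce checks are what tie the redirect and the ID token to the session that started the flow, which is why the client must generate and store both before step 1.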