The Authorization Code Flow returns an Authorization Code to the Client, which can then exchange it for an ID Token and an Access Token directly. This provides the benefit of not exposing any tokens to the User Agent and other malicious applications with access to the User Agent. The Authorization Server can also authenticate the Client before exchanging the Authorization Code for an Access Token.
SUCCESSFUL RESPONSE
When receiving the response from the B-FY system, even though there is a security protocol that guarantees confidentiality and security, it is necessary to make additional validations, in this case using the parameter "state", which was sent in the first request from the cabinet to the B-FY system. This state parameter must be the same as the one sent.
Example:
https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=170894
Oauth 2 spec reference for validation: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2
OpenIDspecreference: https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
ERRORRESPONSE
Example:
HTTP/1.1 302 FoundLocation: https://client.example.org/cb?error=invalid_request&error_description= Unsupported%20response_type%20value&state=af0ifjsldkj
OpenIDspecreference: https://openid.net/specs/openid-connect-core-1_0.html#AuthError