
Services IAuthorizationCodeProcessor

Mika Berglund edited this page Dec 25, 2025 · 2 revisions

Authorization Code Processor (IAuthorizationCodeProcessor)

The Authorization Code Processor processes authorization codes produced by the Authorization Code Provider. Its job is to complete the OAuth 2.0 authorization code flow by exchanging the code at the token endpoint, persisting the resulting refresh token, and then using refresh-token-based exchanges to acquire access tokens and identity tokens for the requested scopes.

Responsibilities

  • Read the transient authorization flow values required for the code exchange from the Property Store.
  • Exchange the authorization code for tokens at the token endpoint.
  • Persist the refresh token through the Refresh Token Store.
  • Use the Scope Sorter to group requested scopes and acquire tokens for each group.
  • Use the Token Refresher to acquire access tokens and identity tokens based on the stored refresh token.

Members

  • ProcessAuthorizationCodeAsync: Processes an authorization code and returns a value indicating whether the processing was successful.

How it works

The default implementation reads the following values from the Property Store.

  • Nonce
  • Scope
  • Code verifier

After these values have been read, they are removed from the Property Store to avoid reusing them in a later flow.

The service then determines the redirect URI to use for the token request. If a redirect URI is configured via authority options, that value is used. Otherwise, the service uses the Redirect URI Provider to resolve the redirect URI.

To exchange the authorization code, the service asks the Endpoint Service to create a token request builder, configures the builder for the authorization code grant including the PKCE code verifier and redirect URI, and sends the request using the HTTP Service.

If the token exchange succeeds and the response contains a refresh token, the refresh token is persisted using the Refresh Token Store. The service then sorts the requested scopes into groups using the Scope Sorter and calls the Token Refresher once per group to acquire and persist tokens for those scopes.

The method returns true if a refresh token was obtained and stored, otherwise it returns false.
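
The read-then-remove handling of the flow values and the resulting PKCE token request body can be sketched as follows. This is an added example, not the library's own code: `TransientStore`, `BuildTokenRequest`, the store key names and all sample values are hypothetical and constructed for illustration; the form field names are those of RFC 6749 and RFC 7636.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical stand-in for the Property Store; not the library's interface.
sealed class TransientStore
{
    private readonly Dictionary<string, string> _values = new();
    public void Set(string key, string value) => _values[key] = value;

    // Read and remove in one step so a value can never feed a second flow.
    public string Take(string key) =>
        _values.Remove(key, out var value)
            ? value
            : throw new InvalidOperationException($"Missing flow value '{key}'.");
}

static class Program
{
    // Token request body for the authorization code grant with PKCE
    // (RFC 6749 section 4.1.3, RFC 7636 section 4.5).
    static (FormUrlEncodedContent Body, string Nonce, string Scope) BuildTokenRequest(
        TransientStore store, string code, string clientId, string redirectUri)
    {
        // Every value is consumed before the request is built; a missing one throws.
        var nonce = store.Take("nonce");   // not part of the token request
        var scope = store.Take("scope");   // returned for later per-group acquisition
        var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
            ["client_id"] = clientId,
            ["code_verifier"] = store.Take("code_verifier"),
        });
        return (body, nonce, scope);
    }

    static async Task Main()
    {
        var store = new TransientStore();              // constructed sample values
        store.Set("nonce", "n-constructed");
        store.Set("scope", "openid profile");
        store.Set("code_verifier", "constructed-verifier-value-with-at-least-43-characters");
        var (body, _, scope) = BuildTokenRequest(
            store, "constructed-code", "sample-client", "https://app.example/callback");
        Console.WriteLine($"{await body.ReadAsStringAsync()} | scopes: {scope}");
        // A second attempt finds the store empty and fails instead of reusing values.
        try { BuildTokenRequest(store, "replayed-code", "sample-client", "https://app.example/callback"); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```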

Default implementation

AuthorizationCodeProcessor is the default implementation.

Notable behaviors

  • The service requires a nonce, scope, and code verifier to be present in the Property Store. Missing values cause an exception.
  • The service removes nonce, scope, and code verifier from the Property Store immediately after reading them.
  • The service only proceeds to refresh-token-based acquisitions if a refresh token was obtained.
  • Failures during the token exchange are written to standard output using Console.WriteLine.

Usage

The Authorization Code Processor is typically invoked by components that handle the redirect back to the application, after extracting the authorization code from the redirect URL.

Call ProcessAuthorizationCodeAsync with the authorization code.

  • If it returns true, token acquisition for the requested scopes has been initiated.
  • If it returns false, the authorization code exchange did not yield a usable refresh token.
