Overview#
If the Authorization Server can accept the Access Token Request values, the Authorization Server sends back an Access Token Response which includes:- Access Token
- OAuth Scopes - If this attribute is not present, the user denied access to all scopes (yet still clicked "Authorize"). Your application must handle this case gracefully.
- Refresh Token OPTIONALLY
- code_verifier comparing it with the previously associated code_challenge, after first transforming it according to the code_challenge_method method specified by the client.