Hi @jabran-corp · Thank you for reaching out.
When a Resource Owner (end user) is authenticated, he gets an Authorization Code from the authorization endpoint. This code is sent to the Client Application (the actual application for which the app registration is done in Azure AD) via the user agent (web browser or native app). The Client Application then communicates directly with the Authorization Server (Azure AD, for example).
- The client application first authenticates with the Authorization Server, which is why a client secret is required.
- It then sends the authorization code it received to the Authorization Server.
The Authorization Server sends back the access token and refresh token in its response only when it has validated the code and confirmed that it is the same application that requested authorization in the first place.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
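An added example, not from the answer above and not Azure AD's code, that models the checks the answer describes: a toy in-memory authorization server issues a code bound to the client that requested it, and its token endpoint redeems the code only after the client authenticates with its secret, only for that same client, and only once. All client ids, secrets, redirect URIs and the user identity are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:
    """Toy in-memory authorization server, constructed for illustration (not Azure AD)."""
    clients: dict                              # client_id -> (client_secret, redirect_uri)
    codes: dict = field(default_factory=dict)  # code -> (client_id, redirect_uri, subject)

    def authorize(self, client_id, redirect_uri, subject):
        """Authorization endpoint: after the user (subject) authenticates, issue a code
        bound to the requesting client and its registered redirect URI."""
        _secret, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the app registration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, subject)
        return code  # travels back to the client through the user agent

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint (direct client-to-server call): authenticate the client first,
        then redeem the code only for the client it was issued to, and only once."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        issued = self.codes.get(code)
        if issued is None or issued[:2] != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        del self.codes[code]  # single use: a second redemption of this code fails
        return {"token_type": "Bearer", "sub": issued[2],
                "access_token": secrets.token_urlsafe(24),    # opaque stand-ins for real tokens
                "refresh_token": secrets.token_urlsafe(24)}

def run_flow():
    """Exercise the flow with constructed registrations; returns each attempt's outcome."""
    server = AuthorizationServer(clients={
        "app-a": ("secret-a", "https://app-a.example/callback"),
        "app-b": ("secret-b", "https://app-b.example/callback")})
    code = server.authorize("app-a", "https://app-a.example/callback", "user@example.com")
    return {
        "wrong_secret": server.token("app-a", "wrong", code, "https://app-a.example/callback"),
        "other_client": server.token("app-b", "secret-b", code, "https://app-b.example/callback"),
        "success": server.token("app-a", "secret-a", code, "https://app-a.example/callback"),
        "replay": server.token("app-a", "secret-a", code, "https://app-a.example/callback"),
    }

if __name__ == "__main__":
    print(run_flow())
```

The four attempts show why the client secret matters: without it, any party that intercepts the code on the user agent leg could redeem it, and the binding plus single-use check is what ties the token to the application that started the flow.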