3.2.5.1.3.3 Processing Details
The server verifies that the request was signed by the client with a key derived from the session key previously issued to the client using the process for deriving the signing key described in section 3.1.5.1.3.3. If the signature is invalid, the server returns the error "invalid_grant" using the format described in [RFC6749] section 5.2.
If the resource query parameter is invalid or is not found to be registered on the AD FS server, the AD FS server responds to the OAuth 2.0 client according to the requirements of [RFC6749] section 4.1.2.1 (Error Response). The REQUIRED error parameter of the response MUST be set to the invalid_resource error code, which is defined in [MS-OAPX] section 2.2.4.1.
The server then issues an access token for the requested resource following the process in [RFC6749] section 6, using the scope and refresh_token values provided in the request, with the following exceptions:
- The response format is as described in section 3.2.5.1.3.2 for successful responses; error responses are returned as described in [RFC6749] section 5.2.
- If the server requires user interaction at the authorization endpoint ([MS-OAPX] section 3.2.5.1) before processing this request (for example, to give consent or to provide additional authentication), the server returns the interaction_required error using the format described in [RFC6749] section 5.2.
- If the scope parameter contains the scope "aza", the server issues a new primary refresh token and sets it in the refresh_token field of the response, as well as setting the refresh_token_expires_in field to the lifetime of the new primary refresh token if one is enforced.
- The scope of the issued access token is always returned in the scope response field, even if it is the same as the scope in the request.
- The server can include an ID token (see [OIDCCore]) in the id_token field of the response.
The server encrypts the response using a key that was derived by using the same process as that used for deriving the signing key, as defined in section 3.1.5.1.3.3.
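The processing order above, sketched as an added example (not part of the specification and not AD FS code): the signature is checked before any request field is trusted, and each failure maps to the error code named in this section. Assumptions: the request is modelled as a compact HS256 JWS with a ctx header, derive_key is a stand-in for the derivation in section 3.1.5.1.3.3, the resource registry and token values are constructed, and response encryption is left out.

```python
import base64, hashlib, hmac, json

REGISTERED = {"https://api.example.test"}  # constructed resource registry

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_key(session_key, ctx):
    # Stand-in derivation (assumption). A real server uses the process
    # in section 3.1.5.1.3.3 of the specification.
    return hmac.new(session_key, b"example-label\x00" + ctx, hashlib.sha256).digest()

def mac(session_key, ctx, signing_input):
    key = derive_key(session_key, ctx)
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_request(session_key, ctx, claims):
    # Client side, used here only to build constructed sample requests.
    header = {"alg": "HS256", "ctx": b64u(ctx)}
    body = ".".join(b64u(json.dumps(part).encode()) for part in (header, claims))
    return body + "." + b64u(mac(session_key, ctx, body))

def process(request, session_key, needs_interaction=False, prt_lifetime=None):
    try:
        head, payload, sig = request.split(".")
        header = json.loads(unb64u(head))
        if header["alg"] != "HS256":
            raise ValueError("unexpected algorithm")
        expected = mac(session_key, unb64u(header["ctx"]), f"{head}.{payload}")
        if not hmac.compare_digest(expected, unb64u(sig)):  # constant-time
            raise ValueError("signature mismatch")
        claims = json.loads(unb64u(payload))  # parsed only after the check
        scope = str(claims.get("scope", ""))
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"error": "invalid_grant"}
    resource = claims.get("resource")
    if not isinstance(resource, str) or resource not in REGISTERED:
        return {"error": "invalid_resource"}
    if needs_interaction:
        return {"error": "interaction_required"}
    response = {"access_token": "constructed-access-token",
                "token_type": "bearer", "scope": scope}  # scope always echoed
    if "aza" in scope.split():
        response["refresh_token"] = "constructed-new-prt"
        if prt_lifetime is not None:  # only when a lifetime is enforced
            response["refresh_token_expires_in"] = prt_lifetime
    return response
```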