Automating Authorization Code Flow

Yes, the authorization code should be returned as a query parameter.

Here is a cURL request to the authorization endpoint with the sessionToken, using the verbose and follow-location options. The authorization code was sent successfully and received by the application.

[root@vps ~]# curl -Lv "https://org.okta.com/oauth2/aus38el88lfcL6PFg2p7/v1/authorize?response_type=code&client_id=0oa2fatx70JGiU2TA2p7&redirect_uri=https%3A%2F%2Forg-okta.ngrok.io%2Fsamples%2Fokta-tokens%2Fprod-custom-as.php&state=abc&scope=openid&nonce=abc&sessionToken=2011112qQQwSpQ46H9cv4A29vdKnm4aRLq_UADrgEu65wKVXOHR06dz"
* About to connect() to org.okta.com port 443 (#0)
*   Trying 52.14.242.23...
* Connected to org.okta.com (52.14.242.23) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.okta.com,O="Okta, Inc.",L=San Francisco,ST=California,C=US
*       start date: May 28 00:00:00 2019 GMT
*       expire date: May 28 12:00:00 2021 GMT
*       common name: *.okta.com
*       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /oauth2/aus38el88lfcL6PFg2p7/v1/authorize?response_type=code&client_id=0oa2fatx70JGiU2TA2p7&redirect_uri=https%3A%2F%2Forg-okta.ngrok.io%2Fsamples%2Fokta-tokens%2Fprod-custom-as.php&state=abc&scope=openid&nonce=abc&sessionToken=2011112qQQwSpQ46H9cv4A29vdKnm4aRLq_UADrgEu65wKVXOHR06dz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: org.okta.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 31 Oct 2019 23:58:37 GMT
< Server: nginx
< Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.io/r/default/hpkp/reportOnly"
< Content-Length: 0
< X-Okta-Request-Id: Xbt1LO6D76S734kQkdT3QgAAAFs
< X-XSS-Protection: 1; mode=block; report=https://okta.report-uri.com/r/d/xss/enforce
< P3P: CP="HONK"
< X-Rate-Limit-Limit: 2000
< X-Rate-Limit-Remaining: 1994
< X-Rate-Limit-Reset: 1572566327
< Content-Security-Policy-Report-Only: default-src 'self' ok6static.oktacdn.com org.okta.com; connect-src 'self' ok6static.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com; script-src 'unsafe-inline' 'unsafe-eval' 'self' ok6static.oktacdn.com; style-src 'unsafe-inline' 'self' ok6static.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' login.okta.com; img-src 'self' ok6static.oktacdn.com org.okta.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data:; font-src data: 'self' ok6static.oktacdn.com; report-uri https://okta.report-uri.com/r/d/csp/reportOnly; report-to csp-report
< Report-To: {"group":"csp-report","max_age":31536000,"endpoints":[{"url":"https://okta.report-uri.com/r/d/csp/reportOnly"}],"include_subdomains":true}
< Referrer-Policy: no-referrer
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Expires: 0
< Location: https://org-okta.ngrok.io/samples/okta-tokens/prod-custom-as.php?code=h2TcdBwaD-mb6ievje7x&state=abc
< Content-Language: en
< Strict-Transport-Security: max-age=315360000
< X-Robots-Tag: none
< Set-Cookie: JSESSIONID=31FABFFE0EF4CC2042B384373A68A6FA; Path=/; Secure; HttpOnly
< Set-Cookie: t=sea; Path=/
< Set-Cookie: DT=DI0tVZyqq63S7uv1zBNlks4Nw; Expires=Sat, 30-Oct-2021 23:58:37 GMT; Path=/; Secure
< Set-Cookie: sid=102WqvnROu6RaGQVdS1ZRfkVw; Path=/; Secure
< Set-Cookie: proximity_0b24e00d88cec09bf8cfff53883619bf=b/tZN6DHRBgZscvDZP52Z9xJWo2Jf2yTDy5/QHTorcyKdqTOhXJG1ALK3JpsoJt+DfDMbnS+RSpy+q7r2O6xA8ysiwLZqqszVi3rbuwyykDxWMIv9LC92lvvKi2I5l6Dd/Y12qWUegQG8PoH2mPVH3tCP7TUuS2GExw09ejR5V/mKuIa0VKSRqf8/OyqQEFJ; Expires=Fri, 30-Oct-2020 23:58:37 GMT; Path=/; Secure
<
* Connection #0 to host org.okta.com left intact
* Issue another request to this URL: 'https://org-okta.ngrok.io/samples/okta-tokens/prod-custom-as.php?code=h2TcdBwaD-mb6ievje7x&state=abc'
* About to connect() to org-okta.ngrok.io port 443 (#1)
*   Trying 3.19.3.150...
* Connected to org-okta.ngrok.io (3.19.3.150) port 443 (#1)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.ngrok.io
*       start date: Mar 11 00:00:00 2019 GMT
*       expire date: Mar 11 12:00:00 2020 GMT
*       common name: *.ngrok.io
*       issuer: CN=RapidSSL RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /samples/okta-tokens/prod-custom-as.php?code=h2TcdBwaD-mb6ievje7x&state=abc HTTP/1.1
> User-Agent: curl/7.29.0
> Host: org-okta.ngrok.io
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 31 Oct 2019 23:58:37 GMT
< Server: Apache/2.4.35 (Win64) PHP/7.0.32
< X-Powered-By: PHP/7.0.32
< Content-Length: 5250
< Content-Type: text/html; charset=UTF-8
<
        my content here
* Connection #1 to host org-okta.ngrok.io left intact
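As an added example (not part of the original post and not Okta's own code), the same request built and checked in Python: the client is told not to follow the redirect, so the `code` and `state` can be validated against the 302's Location header before the code is exchanged. The org URL, client_id and sessionToken are constructed placeholders; the sample Location mirrors the 302 shown above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def build_authorize_url(issuer, client_id, redirect_uri, session_token, state, nonce, scope="openid"):
    # sessionToken comes from a prior /api/v1/authn call; it is one-time use,
    # so the URL must be built fresh for every automated run.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def extract_code(status, headers, expected_state, redirect_uri):
    """Validate the /authorize response without following the redirect.
    Fetch it with e.g. requests.get(url, allow_redirects=False) (assumed, not shown)."""
    if status != 302:
        raise ValueError(f"expected 302 from /authorize, got {status}")
    location = headers.get("Location")
    if not location:
        raise ValueError("302 without Location header")
    loc, want = urlsplit(location), urlsplit(redirect_uri)
    # Only accept a redirect back to the registered callback (scheme, host, path).
    if (loc.scheme, loc.netloc, loc.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"redirect to unexpected location: {location}")
    qs = parse_qs(loc.query)
    if "error" in qs:  # Okta reports failures as ?error=...&error_description=...
        raise ValueError(f"authorize error: {qs['error'][0]}")
    # state must round-trip unchanged: it binds the callback to the request we sent.
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


# Constructed sample values (placeholders); the Location copies the 302 in the post.
ISSUER = "https://example.okta.com/oauth2/EXAMPLE_AS_ID"
REDIRECT_URI = "https://example-app.invalid/samples/okta-tokens/prod-custom-as.php"
SAMPLE_302 = {"Location": "https://example-app.invalid/samples/okta-tokens/prod-custom-as.php?code=h2TcdBwaD-mb6ievje7x&state=abc"}


def demo():
    url = build_authorize_url(ISSUER, "EXAMPLE_CLIENT_ID", REDIRECT_URI, "EXAMPLE_SESSION_TOKEN", "abc", "abc")
    assert "sessionToken=EXAMPLE_SESSION_TOKEN" in url
    return extract_code(302, SAMPLE_302, "abc", REDIRECT_URI)
```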