How's authorization-code/callback actually handled

i know it’s in the Okta.AspNet package but i review almost all the code there and can’t understand where it’s actually handled? I need to implement my own handling to support multiple issuers

Sorry but I dont’ understand what you mean. The auth server has redirect_uri settings and trying respond to that endpoint with the id token. And by default that endpoint is set to authorization-code/callback. And, as stated in the docs - the Okta.AspNet handles that endpoint by itself. But I can’t find where is it actually happen in the code of Okta.AspNet?

What if I want to only use standard OpenIdConnectAuthenticationMiddleware without Okta.AspNet wrapper? In that case I got “endpoint not found”-like error 'cause now nobody handles authorization-code/callback

ok I found out that there was strange behavior in standard .net OpenId middleware. I supposed that if I put ReponseType as “code” - it should get a code first and make a second step after it sending the code and client secret to OP getting id token in response (as OpenId spec describes in Authorization Code flow section). But instead it just did let the request went through OWIN to mvc’s controller.

Finally I changed the “code” response type to “code id_token” and it worked. By the way Okta’s doc itself recommends to set “code” response type and it work if you use Okta’s SDK but it doesn’t work with standard .NET OpenId handler (without Okta’s wrapper). Strange…