note: line breaks added for readablity
The web client (user agent) (client.oursite.com) should direct the user to authenticate through the Open ID Connect authorization code flow. The user agent should at this point have an authorization code from the provider. The below shows exactly how the user agent exchanges that code for an access token from the backend (server.oursite.com).
POST /token HTTP/1.1
Host: server.oursite.com
Content-Type: application/x-www-form-urlencoded
grant_type=x-oidc-code