As I understood, after consent is accepted, identity application needs to call PUT hydra admin endpoint (/consent/accept), which returns another url, which the browser needs to redirect to.
Question: How does the client gets the access token and refresh token from Hydra? Is that using callback endpoint that hydra calls to 3rd party app client?
If so, is there an alternative way? In our use case, we have 3rd party app running in the facility (on-prem) and Hydra OAuth 2 needs to be put in cloud. Facility does not want to open up a port even for https. So trying to understand the last flow after consent is approved, how is the access token and refresh token shared with 3rd party app client and are there any alternatives?
Please check out the OAuth2 flows and specifications, which explain how this would work. On a high level, the client exchanges the authorization code for an access and optionally refresh token.
Thank you for clarifying. I was trying to look for the client app code in github that handles /callback, but could not find out. Will look at auth 2 spec.