pub async fn exchange_authorization_code(
    db: &Db,
    code: &str,
    redirect_uri: &str,
    code_verifier: &str,
    application: &Application,
    issuer: &str,
    signing_key: &SigningKey,
    private_key_pem: &str,
    on_user_active: Option<&OnUserActive>,
) -> Result<TokenResponse, TokenError>
Exchange an authorization code for tokens.
Performs all validation (code lookup, used check, expiry, client binding, redirect_uri match, PKCE), then mints an access token, an ID token, and a refresh token.
The caller is responsible for client authentication (verifying client_id + client_secret) before calling this function.
The caller provides the SigningKey (for kid) and the decrypted private key PEM (for JWT signing), obtained via AllowThem::get_decrypted_signing_key().
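The validation sequence listed above, sketched as an added example that is not this crate's code: `StoredCode`, `CodeError`, `validate_code` and `ct_eq` are hypothetical names, and the record layout and check order are assumptions. The PKCE challenge derivation is injected as a closure so the block needs only the standard library; the sample run uses the identity transform (PKCE's `plain` method) on constructed values.

```rust
// Added illustration, not the crate's implementation: all names below are
// hypothetical and the stored-record layout is an assumption.
#[derive(Debug, PartialEq)]
pub enum CodeError { NotFound, AlreadyUsed, Expired, ClientMismatch, RedirectMismatch, PkceFailed }

pub struct StoredCode {
    pub client_id: String,
    pub redirect_uri: String,
    pub code_challenge: String, // recorded from the authorization request
    pub expires_at: u64,        // unix seconds
    pub used: bool,
}

// Compare without an early exit on the first differing byte.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

pub fn validate_code(
    stored: Option<&mut StoredCode>, // result of the code lookup
    client_id: &str,
    redirect_uri: &str,
    code_verifier: &str,
    now: u64,
    derive_challenge: impl Fn(&str) -> String, // S256 in production; injected to stay std-only
) -> Result<(), CodeError> {
    let rec = stored.ok_or(CodeError::NotFound)?;
    if rec.used { return Err(CodeError::AlreadyUsed); } // replayed code
    if now >= rec.expires_at { return Err(CodeError::Expired); }
    if rec.client_id != client_id { return Err(CodeError::ClientMismatch); }
    if rec.redirect_uri != redirect_uri { return Err(CodeError::RedirectMismatch); } // exact match only
    if !ct_eq(&derive_challenge(code_verifier), &rec.code_challenge) {
        return Err(CodeError::PkceFailed);
    }
    rec.used = true; // single use: a second exchange of this code now fails
    Ok(())
}

fn main() {
    // Constructed sample record; the identity closure is PKCE's "plain" method.
    let cb = "https://client.example/cb";
    let mut rec = StoredCode {
        client_id: "app-1".into(), redirect_uri: cb.into(),
        code_challenge: "constructed-verifier".into(), expires_at: 1_000, used: false,
    };
    let plain = |v: &str| v.to_string();
    println!("{:?}", validate_code(Some(&mut rec), "app-1", cb, "constructed-verifier", 900, plain));
    println!("{:?}", validate_code(Some(&mut rec), "app-1", cb, "constructed-verifier", 901, plain));
}
```

In a real store the used check and the update to `used` must happen atomically (for example in one conditional UPDATE), otherwise two concurrent exchanges of the same code can both pass.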