I am a developer and I have created a web app (using React) with OIDC authentication (using a framework called OIDC client). Initially my web app was using another identity provider (based on the product IdentityServer4), using the Authorization Code Flow, and everything was working as expected. But due to security reasons we have decided to use BIG-IP APM for handling the traffic to the web app, and it will also act as identity provider. I have some questions here, since I have very little knowledge about BIG-IP, and the consultant helping me with this has little knowledge of OIDC.
Does BIG-IP APM support the Authorization Code Flow? If I understand this correctly, it should mean that I can call /connect/authorize from the web app (using HTTP GET), supplying parameters such as client_id, redirect_uri, response_type etc. In short, I then expect BIG-IP APM to make a callback to redirect_uri, supplying the web app with an authorization code that will be used when calling /connect/token, which will return the access and id tokens. All these calls are, by the way, implemented in the OIDC client framework that I am using, so the details in my explanation may not be 100% correct, but I hope you still understand.
Right now, in the setup we have in BIG-IP APM, a bearer token is included in the first call from BIG-IP APM to my web app. I am supposed to handle this token in some way, but I cannot see how that fits into the Authorization Code Flow at all.