The Microsoft.Owin.Security.OpenIdConnect does not implement Authorization Code Flow.
OpenidConnectAuthenticationHandler.cs:247 in v3.0.1
// code is only accepted with id_token, in this version, hence check for code is inside this if
// OpenIdConnect protocol allows a Code to be received without the id_token
_logger.WriteWarning("The id_token is missing.");
This is in violation with the
OpenID Connect v1.0 specifications
. So this should be implemented.