Now that everything we need is in place, we can implement the only server-side part of the explicit flow that isn't managed by ASP.NET Core Identity: two brand-new action methods that will, respectively, do the following:
- Redirect the user to the external provider login page with the appropriate ReturnURL, where they can log in and/or grant the required permissions
- Respond to the ReturnURL HTTP request issued when the external provider redirects the user back to our web application, along with the authorization code that will be used to retrieve their information and log in or register them accordingly
Since both of these methods will eventually need to generate our JWT access and refresh tokens, the best place to add them is definitely the TokenController.
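As an added sketch of how these two action methods can be laid out (example code, not the book's own implementation): the route templates, the use of `IdentityUser` as the user type and the `ITokenIssuer` interface standing in for the JWT access and refresh token generation are all assumptions made for illustration.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
// Hypothetical abstraction standing in for the JWT access/refresh token code.
public interface ITokenIssuer { object CreateTokens(IdentityUser user); }
[Route("api/[controller]")]
public class TokenController : Controller
{
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly UserManager<IdentityUser> _users;
    private readonly ITokenIssuer _tokens;
    public TokenController(SignInManager<IdentityUser> signIn,
        UserManager<IdentityUser> users, ITokenIssuer tokens)
    { _signIn = signIn; _users = users; _tokens = tokens; }
    // First method: redirect the user to the external provider's login page.
    [HttpGet("ExternalLogin/{provider}")]
    public async Task<IActionResult> ExternalLogin(string provider)
    {
        // Only challenge schemes that are registered as external providers.
        var schemes = await _signIn.GetExternalAuthenticationSchemesAsync();
        if (!schemes.Any(s => s.Name == provider)) return BadRequest("Unknown provider.");
        // The ReturnURL is generated server-side, never taken from the request.
        var returnUrl = Url.Action(nameof(ExternalLoginCallback));
        var props = _signIn.ConfigureExternalAuthenticationProperties(provider, returnUrl);
        return Challenge(props, provider);
    }

    // Second method: answer the ReturnURL request once the provider sends the user back.
    [HttpGet("ExternalLoginCallback")]
    public async Task<IActionResult> ExternalLoginCallback(string remoteError = null)
    {
        if (!string.IsNullOrEmpty(remoteError)) return BadRequest("External provider error.");
        var info = await _signIn.GetExternalLoginInfoAsync();
        if (info == null) return BadRequest("No external login information.");
        // Log in an already linked user, or register a new one and link the login to it.
        var user = await _users.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
        if (user == null)
        {
            var email = info.Principal.FindFirstValue(ClaimTypes.Email);
            if (string.IsNullOrEmpty(email)) return BadRequest("Provider returned no email.");
            user = new IdentityUser { UserName = email, Email = email };
            if (!(await _users.CreateAsync(user)).Succeeded) return BadRequest("Registration failed.");
            if (!(await _users.AddLoginAsync(user, info)).Succeeded) return BadRequest("Linking failed.");
        }
        return Ok(_tokens.CreateTokens(user));
    }
}
```

Because a new account is only created when `CreateAsync` succeeds, an external login whose email matches an existing local user is rejected rather than silently merged into that account.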