After completing the actions specified by the sign-on policy, the authentication flow completes and the user is redirected to the URL specified in the resumeUrl property in the flow resource.

You can use the GET /{{envID}}/as/resume?flowId={{flowID}} endpoint to obtain the access token. The Location HTTP header returned by the resume endpoint contains the token.