After completing the actions specified by the sign-on policy, the authentication flow completes and the user is redirected to the URL specified in the resumeUrl property in the flow resource.
You can use the GET /{{envID}}/as/resume?flowId={{flowID}} endpoint to obtain the access token. The response returns a 302 HTTP Status message and a Location HTTP header that includes the token.
The Location header for the /resume endpoint looks like this:
Location: https://www.redirect-domain.com?token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlZmF1bHQifQ.eyJjbGllbnRfaWQiOiI4MzAxMDljNy1mOGFhLTQ5MWUtYjJmMi04Zjc1MzJhZTg1ZTkiLCJpc3MiOiJodHRwczovL2F1dGgucGluZ29uZS5jb20vYmY0Y2I4YjgtMzNlOS00NTc2LThkNzAtYzBhYjY3OWZlMGZhL2FzIiwiaWF0IjoxNjYzNTkxMTgzLCJleHAiOjE2NjM1OTQ3ODMsImF1ZCI6WyJodHRwczovL2FwaS5waW5nb25lLmNvbSJdLCJlbnYiOiJiZjRjYjhiOC0zM2U5LTQ1NzYtOGQ3MC1jMGFiNjc5ZmUwZmEiLCJvcmciOiIyZTRlYjk4ZS0zMGZjLTQyOTgtYmIxOS04ZTQzM2Q3MmNmYWUifQ.SRviSQ7NLJ8DbyKXtJ-D0otdaY9uEu1-HXLIJtNhN9mPncZ2agDJHExA5jKWI1uYMHW5TlfazZ6PAVsj6MR6kOxgshSv4BF-klQvOHDmDCsH86rnnxdLZjxw-nwep99ZLc2IlVXzzpTK3U5T8p3Iep1daYMM75CNlSY9b7Ol9BCT2pa_cR9aXczSHdhDK335kRvg4c3DG2nq1rHM7YThOCS06egTvPFiwCBuUmALvJIbAHds8KmYfM1NFWI2vcnl6udqF6aVwRcVcnJa-bF71xHEzxNKa19UW0xe24_wwjWYueGsZkmcQ_1ZCBWuV9OzQaBWcuw5WLrqwtxsCoU9JQ