Why can't you see OAuth steps 5–8 in the ZAP browser proxy, and where do the ID/Access tokens actually live?
Those steps are server-to-server (back channel) between the web app's backend and the authorization server, so they never pass through the browser the proxy is watching — the tokens end up on the app's server.
A browser proxy like ZAP can only see traffic that flows through the browser:
- Visible (front channel): the user ↔ web app, and the user ↔ authorization server login page — the browser is a party to these.
- Invisible (back channel): the web app's backend ↔ the authorization server (
/tokenexchange, token issuance). These are direct server-to-server HTTPS calls the browser is never part of.
Because this is a server-side web application, the authorization code exchange and the resulting ID Token and Access Token stay on the app's server, never reaching the browser. (A demo app can even re-display them in the page GUI just so you can inspect what you'd otherwise never see.)
Tip: "If the browser isn't a participant, your browser proxy can't see it." Keeping front-channel vs back-channel straight explains most "why is this request missing in ZAP?" puzzles.