
How to detect the user in OpenID Connect provider token endpoint


I'm talking about the authorization_code grant type. In the authorization end point of the OpenID Connect provider we gave an authorization code to the relying party and then they make a back channel request (no browser involved) to the token end point with this code. So the question is, how do I distinguish this user at the token end point? I guess no session exists for this call since it's a back channel request. What methods can be used to identify the user? Could a stored HashMap in memory with key as authorization_code be the ideal solution?


Solution

  • Storing it in a HashMap is a solution that does not scale, as internal memory is not shared across server nodes.

    You'll have to store it in some form of persistent store:

    • a SQL database
    • a NoSQL database
    • a key value database

    Note that you'll not only need to be able to determine the user for whom it was made, but also the client, as clients don't need to authenticate themselves to get a code. Also know that you'll need to be able to determine which scopes are covered by a given code, and to detect double usage of a code, and in case of double usage, to revoke associated access tokens.

    On the other hand, you need to be able to easily forget the codes again. They're short term use, and it's no use keeping them around after their TTL.

    You'll have similar requirements for storing the access tokens, refresh and id tokens you produce, so it'll make sense to build something which can also be used for those.
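As an added illustration of the store the answer describes (this is not code from the original post or from any particular OpenID Connect provider), here is a minimal Java 16+ sketch of a token-endpoint authorization code store that records user, client, redirect URI, scopes and expiry, rejects expired or mis-bound codes, detects double use and marks the tokens from the first use as revoked. The names `AuthCodeStore`, `CodeRecord`, `redeem` and `purgeExpired` are assumptions, and the `ConcurrentHashMap` stands in for the SQL/NoSQL/key-value store the answer recommends for a multi-node deployment.

```java
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical token-endpoint code store (added example). The maps stand in for
// the shared persistent store a multi-node provider would use instead.
public class AuthCodeStore {
    /** What the authorization endpoint knows when it hands out the code. */
    public record CodeRecord(String subject, String clientId, String redirectUri,
                             Set<String> scopes, Instant expiresAt) {}

    private final Map<String, CodeRecord> pending = new ConcurrentHashMap<>();
    // code -> token ids issued when the code was first redeemed
    private final Map<String, List<String>> redeemed = new ConcurrentHashMap<>();
    private final Set<String> revokedTokens = ConcurrentHashMap.newKeySet();

    /** Authorization endpoint: remember which user/client/scopes the code belongs to. */
    public void issue(String code, CodeRecord rec) { pending.put(code, rec); }

    /**
     * Token endpoint: identify the user behind the code. Returns empty if the code is
     * unknown, expired, already used, or presented by a different client/redirect URI.
     * tokenId is the id of the access/refresh token the caller is about to issue.
     */
    public Optional<CodeRecord> redeem(String code, String clientId, String redirectUri, String tokenId) {
        CodeRecord rec = pending.remove(code);           // atomic: a code is consumed once
        if (rec == null) {
            // Unknown or already used. A second use must be denied and the tokens from the
            // first use revoked (RFC 6749 section 4.1.2).
            List<String> tokens = redeemed.remove(code);
            if (tokens != null) revokedTokens.addAll(tokens);
            return Optional.empty();
        }
        if (!rec.clientId().equals(clientId) || !rec.redirectUri().equals(redirectUri)
                || Instant.now().isAfter(rec.expiresAt())) {
            return Optional.empty();                     // fail closed; the code stays consumed
        }
        redeemed.put(code, new ArrayList<>(List.of(tokenId)));
        return Optional.of(rec);
    }

    /** Resource server / introspection: was this token revoked after code reuse? */
    public boolean isRevoked(String tokenId) { return revokedTokens.contains(tokenId); }

    /** Forget codes past their TTL; run periodically (the answer's "easily forget" requirement). */
    public void purgeExpired() {
        Instant now = Instant.now();
        pending.values().removeIf(r -> now.isAfter(r.expiresAt()));
    }
}
```

A redeemed-code entry should itself be dropped once the associated tokens have expired, otherwise the `redeemed` map grows without bound.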