oauth-2.0, idp

In OAuth 2.0, can an Authentication server use an IdP that is on a different domain to authenticate the Resource Owner?


What is the flow in such a case? Assuming that I am using the Authorization Code Flow for OAuth, how can the Authorization server know whether the Resource Owner is authenticated?


Solution

The flow is like this:

The client app redirects the browser to the Authorization Server (AS) at a URL such as https://login.mycompanycloud.com, using standard OpenID Connect. This is easily done by plugging in a library.

The AS generally supports multiple authentication methods:

  • The client app is configured to use one or more
  • The AS can present a selection screen
  • Or the client app can send an acr_values query parameter to select one at runtime

The AS then redirects the browser to an 'authenticator', which can be an Identity Provider (IDP) in a different domain, e.g. https://login.mycompanyintranet.com.

All domains used need to be contactable from the user's browser, and the IDP needs to be able to send tokens to the AS. Due to trust configuration, the AS can digitally verify tokens and treat the user as authenticated for the time period of the grant.

For an illustrated example, see my Federated Logins blog post.
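To make the three hops concrete, the following is an added example (not code from the answer's author or any library) that models the whole exchange in one process: the client's request arrives at the AS on login.mycompanycloud.com, the AS picks an authenticator from the acr value and redirects to the IDP on login.mycompanyintranet.com, the IDP returns an ID token, and the AS verifies that token against its trust configuration before issuing its own authorization code. The two hostnames come from the answer; the acr value, the AS's client_id at the IDP, the subject name and the key are constructed. The trust configuration is simplified to a shared HS256 key standing in for the IDP's published RS256 keys (JWKS); the checks the AS performs (signature, pinned alg, issuer, audience, nonce, expiry, single-use state) are the ones that make "treat the user as authenticated for the time period of the grant" safe.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Trust configuration held by the AS (https://login.mycompanycloud.com): one
# entry per authenticator the AS can redirect to. Values are constructed; a
# real AS would fetch the IDP's signing keys from its JWKS endpoint.
AS_CALLBACK = "https://login.mycompanycloud.com/federation/callback"
AUTHENTICATORS = {
    "urn:example:intranet": {                        # constructed acr value
        "issuer": "https://login.mycompanyintranet.com",
        "authorize_url": "https://login.mycompanyintranet.com/authorize",
        "client_id": "as-federation-client",         # the AS's client_id at the IDP
        "key": b"constructed-shared-hs256-key",      # stands in for the IDP's JWKS
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def as_start_federation(acr_value: str, pending: dict) -> str:
    """Step 1: the AS selects the authenticator (here from acr_values) and builds
    the redirect to the IDP, remembering state and nonce for the callback."""
    idp = AUTHENTICATORS[acr_value]
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    pending[state] = {"acr": acr_value, "nonce": nonce}
    return idp["authorize_url"] + "?" + urlencode({
        "response_type": "code", "scope": "openid", "client_id": idp["client_id"],
        "redirect_uri": AS_CALLBACK, "state": state, "nonce": nonce})

def idp_login(redirect_url: str, subject: str, now: float, lifetime: int = 600,
              audience: str = None) -> tuple:
    """Simulated IDP: the user authenticates there and the IDP mints an ID token
    bound to the nonce the AS sent. Returns (state, id_token) for the callback."""
    q = parse_qs(urlparse(redirect_url).query)
    idp = AUTHENTICATORS["urn:example:intranet"]
    claims = {"iss": idp["issuer"], "sub": subject, "aud": audience or q["client_id"][0],
              "nonce": q["nonce"][0], "iat": int(now), "exp": int(now) + lifetime}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return q["state"][0], f"{header}.{body}.{_b64url(_hs256(idp['key'], header + '.' + body))}"

def as_handle_callback(state: str, id_token: str, pending: dict, now: float) -> dict:
    """Step 2: the AS verifies the IDP's token against its trust configuration and,
    on success, treats the user as authenticated until the token's exp."""
    ctx = pending.pop(state, None)                  # single use: blocks replay/CSRF
    if ctx is None:
        raise ValueError("unknown or already-used state")
    idp = AUTHENTICATORS[ctx["acr"]]
    parts = id_token.split(".")
    if len(parts) != 3 or json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("malformed token or unexpected alg")   # alg is pinned, not trusted
    if not hmac.compare_digest(_hs256(idp["key"], parts[0] + "." + parts[1]),
                               _b64url_decode(parts[2])):
        raise ValueError("signature does not verify against trusted key")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != idp["issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != idp["client_id"]:
        raise ValueError("token not addressed to this AS")
    if claims.get("nonce") != ctx["nonce"]:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return {"sub": claims["sub"], "acr": ctx["acr"], "authenticated_until": claims["exp"]}

def as_issue_code(session: dict, client_redirect_uri: str, client_state: str, codes: dict) -> str:
    """Step 3: the user is now authenticated at the AS, so it issues its own
    authorization code to the client app (the outer Authorization Code Flow)."""
    code = secrets.token_urlsafe(24)
    codes[code] = session
    return client_redirect_uri + "?" + urlencode({"code": code, "state": client_state})

def run_flow(subject: str = "alice", now: float = None) -> dict:
    """End to end: client -> AS -> IDP -> AS -> client. Returns the session bound to the code."""
    now = now or time.time()
    pending, codes = {}, {}
    to_idp = as_start_federation("urn:example:intranet", pending)
    state, id_token = idp_login(to_idp, subject, now)
    session = as_handle_callback(state, id_token, pending, now)
    back_to_client = as_issue_code(session, "https://app.example.com/cb", "client-xyz", codes)
    code = parse_qs(urlparse(back_to_client).query)["code"][0]
    return codes[code]

if __name__ == "__main__":
    print(run_flow())
```

The point the question asks about is answered by `as_handle_callback`: the AS never sees the user's credentials, it learns "the Resource Owner is authenticated" only from a token it can verify against the trust it already holds for that IDP, and the `state` entry is consumed on first use so a captured callback URL cannot be replayed.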