It would be nice to be able to get just the first PKCE "code" from Azure (or any other IdP supported by TWebAuth) and stop at that. It can then be passed to another server, which can exchange it for a JWT and return the necessary properties, so that the actual JWT never crosses the browser - it's more secure this way. The way it currently works is not secure enough for enterprise applications with any degree of sensitivity.
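The flow described in the post, as an added example that is not TWebAuth or TMS code: a backend receives the PKCE authorization code (plus the code verifier), performs the token-endpoint exchange itself, validates the returned JWT, and hands only a reduced set of claims back to the browser. The IdP is a constructed in-memory fake that mimics an OAuth 2.0 token endpoint (single-use codes, S256 verifier check); it signs with HS256 and a constructed shared secret purely so the example runs offline, whereas Azure and other real IdPs sign with RS256 keys published via JWKS. The client id, redirect URI, codes and verifiers are all constructed values.

```python
"""Backend exchange of a PKCE authorization code so the JWT never reaches the browser.

Added example, not TWebAuth/TMS code. The IdP below is a constructed fake; the
HS256 secret, client id, codes and verifiers are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

# --- PKCE helpers (RFC 7636, S256 method) -------------------------------------

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) with padding stripped."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

# --- Constructed fake IdP token endpoint --------------------------------------

FAKE_IDP_SECRET = b"constructed-hs256-secret"   # constructed; real IdPs use RS256 key pairs
CLIENT_ID = "constructed-client-id"

# Codes the fake IdP has "issued": code -> (code_challenge from the auth request, subject)
ISSUED_CODES = {
    "constructed-code-1": (make_code_challenge("constructed-verifier-1"), "user-123"),
    "constructed-code-2": (make_code_challenge("constructed-verifier-2"), "user-456"),
}

def fake_idp_token_endpoint(form: dict) -> dict:
    """Behaves like POST /token: checks grant_type, code and PKCE verifier, returns an id_token."""
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    entry = ISSUED_CODES.pop(form.get("code"), None)   # authorization codes are single-use
    if entry is None:
        return {"error": "invalid_grant"}
    challenge, subject = entry
    if not hmac.compare_digest(make_code_challenge(form.get("code_verifier", "")), challenge):
        return {"error": "invalid_grant"}          # verifier does not match the challenge
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": CLIENT_ID, "iat": now, "exp": now + 300,
               "name": "Constructed User", "email": "user@example.invalid", "roles": ["reader"]}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(FAKE_IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return {"id_token": signing_input + "." + b64url(sig), "token_type": "Bearer"}

# --- The backend the browser hands the code to --------------------------------

def verify_hs256_jwt(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Verify signature, algorithm, audience and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

RETURNED_CLAIMS = ("sub", "name", "email", "roles")   # what the browser is allowed to see

def exchange_code_for_user_info(code: str, code_verifier: str,
                                token_endpoint=fake_idp_token_endpoint) -> dict:
    """Server-side exchange: the raw JWT stays on this server; only selected claims go back."""
    resp = token_endpoint({
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": code_verifier,
        "client_id": CLIENT_ID,
        "redirect_uri": "https://app.example.invalid/callback",   # constructed
    })
    if "error" in resp:
        raise PermissionError(resp["error"])
    claims = verify_hs256_jwt(resp["id_token"], FAKE_IDP_SECRET, CLIENT_ID)
    return {k: claims[k] for k in RETURNED_CLAIMS if k in claims}

if __name__ == "__main__":
    print(exchange_code_for_user_info("constructed-code-1", "constructed-verifier-1"))
```

The browser-side component only ever sees the authorization code and the filtered claim dictionary; the `id_token`, its signature and its expiry never leave the backend. Swapping `fake_idp_token_endpoint` for a real HTTPS POST to the IdP's token endpoint, and `verify_hs256_jwt` for RS256 verification against the IdP's JWKS, is what changes between this demonstration and a deployment.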