public async Task CanPerform_AuthorizationCode_Flow()
        {
            using (StartLog(out var loggerFactory, minLogLevel: LogLevel.Debug))
            {
                // Arrange
                var clientId   = Guid.NewGuid().ToString();
                var resourceId = Guid.NewGuid().ToString();

                var appBuilder = new CredentialsServerBuilder(loggerFactory)
                                 .EnsureDeveloperCertificate()
                                 .ConfigureReferenceData(data => data
                                                         .CreateIntegratedWebClientApplication(clientId)
                                                         .CreateResourceApplication(resourceId, "ResourceApplication", "read")
                                                         .CreateUser("testUser", "Pa$$w0rd"))
                                 .ConfigureInMemoryEntityFrameworkStorage()
                                 .ConfigureMvcAutomaticSignIn()
                                 .ConfigureOpenIdConnectClient(options =>
                {
                    options.ClientId     = clientId;
                    options.ResponseType = OpenIdConnectResponseType.Code;
                    options.ResponseMode = OpenIdConnectResponseMode.Query;
                    options.Scope.Add("https://localhost/DFC7191F-FF74-42B9-A292-08FEA80F5B20/v2.0/ResourceApplication/read");
                })
                                 .ConfigureIntegratedClient(clientId);

                var client = appBuilder.Build();

                // Act & Assert

                // Navigate to protected resource.
                var goToAuthorizeResponse = await client.GetAsync("https://localhost/Home/About");

                // Redirected to authorize
                var location = ResponseAssert.IsRedirect(goToAuthorizeResponse);
                var oidcCookiesComparisonCriteria = CookieComparison.Strict & ~CookieComparison.NameEquals | CookieComparison.NameStartsWith;
                ResponseAssert.HasCookie(CreateExpectedSetNonceCookie(), goToAuthorizeResponse, oidcCookiesComparisonCriteria);
                ResponseAssert.HasCookie(CreateExpectedSetCorrelationIdCookie(), goToAuthorizeResponse, oidcCookiesComparisonCriteria);
                var authorizeParameters = ResponseAssert.LocationHasQueryParameters <OpenIdConnectMessage>(
                    goToAuthorizeResponse,
                    "state");

                // Navigate to authorize
                var goToLoginResponse = await client.GetAsync(location);

                // Redirected to login
                location = ResponseAssert.IsRedirect(goToLoginResponse);

                // Navigate to login
                var goToAuthorizeWithCookie = await client.GetAsync(location);

                // Stamp a login cookie and redirect back to authorize.
                location = ResponseAssert.IsRedirect(goToAuthorizeWithCookie);
                ResponseAssert.HasCookie(".AspNetCore.Identity.Application", goToAuthorizeWithCookie, CookieComparison.NameEquals);

                // Navigate to authorize with a login cookie.
                var goToSignInOidcCallback = await client.GetAsync(location);

                // Stamp an application session cookie and redirect to relying party callback with an authorization code on the query string.
                location = ResponseAssert.IsRedirect(goToSignInOidcCallback);
                ResponseAssert.HasCookie("Microsoft.AspNetCore.Identity.Service", goToSignInOidcCallback, CookieComparison.NameEquals);
                var callBackQueryParameters = ResponseAssert.LocationHasQueryParameters <OpenIdConnectMessage>(goToSignInOidcCallback, "code", ("state", authorizeParameters.State));

                // Navigate to relying party callback.
                var goToProtectedResource = await client.GetAsync(location);

                // Stamp a session cookie and redirect to the protected resource.
                location = ResponseAssert.IsRedirect(goToProtectedResource);
                ResponseAssert.HasCookie(".AspNetCore.Cookies", goToProtectedResource, CookieComparison.NameEquals);
                ResponseAssert.HasCookie(CreateExpectedSetCorrelationIdCookie(DateTime.Parse("1/1/1970 12:00:00 AM +00:00")), goToProtectedResource, CookieComparison.Delete);
                ResponseAssert.HasCookie(CreateExpectedSetNonceCookie(DateTime.Parse("1/1/1970 12:00:00 AM +00:00")), goToProtectedResource, CookieComparison.Delete);

                var protectedResourceResponse = await client.GetAsync(location);

                ResponseAssert.IsOK(protectedResourceResponse);
                ResponseAssert.IsHtmlDocument(protectedResourceResponse);
            }
        }