After creating the Session, the Clientreads the available UserTokenPoliciesfrom the AuthorizationService Objectif it has not previously cached the information.It then chooses one that references an Identity Providerfor the user identities that it has available. The user identities may be provided out-of-band or they may be provided by an interactive user. The Clientthen requests an Access Tokenfrom the Identity Provider.
The Authorization Serverdetermines if the Clientis permitted to receive an Access Tokenbased on the claims granted by the Identity Provider. The rest of the interactions are the same as described in 9.2.