I am working with OAuth in my ASP.NET API for a web app and a mobile app. Anyway, let's use Google as an example here: the user authenticates using the Google provider, then Google calls my API and I issue a redirection to my web app / go back to the mobile app.
When I authenticate with email using my own API, I typically send the refresh token and access token in the API response, but since there is a redirection this is not allowed.
My question is: how do I handle sending tokens in OAuth while redirecting?
This is the method used for redirection:
[HttpGet("signin-google")]
[AllowAnonymous]
public async Task<IActionResult> GoogleResponse([FromQuery] string returnUrl, CancellationToken cancellationToken)
{
    // Read the result of the external (Google) sign-in that the middleware completed.
    var authenticateResult = await HttpContext.AuthenticateAsync(GoogleDefaults.AuthenticationScheme);
    if (!authenticateResult.Succeeded)
        return BadRequest("Google authentication failed.");

    // Pull the e-mail claim out of the Google principal.
    var claims = authenticateResult.Principal.Identities.FirstOrDefault()?.Claims;
    var email = claims?.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value;
    // var ipAddress = HttpContext.Connection.RemoteIpAddress.MapToIPv6().ToString();
    if (string.IsNullOrEmpty(email))
        return BadRequest("Email not found");

    // Sign the user in against my own user store and mint my own tokens.
    var result = await _authenticationService.SignInWithProviderAsync("google", email, cancellationToken);
    return result.Match<IActionResult, SignInResponse>(success =>
    {
        // The tokens in `success` are dropped here; only the redirect is sent back.
        return Redirect("http://localhost:3000");
    }, BadRequest);
}
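As an added example (not the asker's code and not from any library the post mentions), the callback below keeps the tokens out of the redirect altogether: it stores the issued tokens server-side under a random, single-use, short-lived code, redirects with only that code, and lets the web or mobile client exchange the code for the tokens in a normal JSON response. The same idea is why OAuth itself hands browsers an authorization code rather than tokens: anything placed in a redirect URL ends up in browser history, Referer headers and proxy or server logs. The example assumes a `SignInResponse` type holding the access and refresh tokens, an `IAppAuthenticationService` with the `SignInWithProviderAsync` method and `Match` result shape used in the question (both hypothetical names), that `IMemoryCache` is registered with `services.AddMemoryCache()`, and constructed return URLs for the web app and the mobile deep link.

```csharp
// Added example, not the asker's code. Assumed: SignInResponse carries the tokens,
// IAppAuthenticationService is the asker's own service (hypothetical interface name),
// IMemoryCache is registered, and the two return URLs below are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Memory;

[ApiController]
[Route("auth")]
public class ExternalAuthController : ControllerBase
{
    private readonly IAppAuthenticationService _authenticationService; // hypothetical, mirrors the asker's service
    private readonly IMemoryCache _cache;

    // Only redirect targets the API trusts; anything else is rejected (open-redirect guard).
    private static readonly HashSet<string> AllowedReturnUrls = new(StringComparer.Ordinal)
    {
        "http://localhost:3000/auth/callback", // web app (constructed)
        "myapp://auth/callback",               // mobile deep link (constructed)
    };

    public ExternalAuthController(IAppAuthenticationService authenticationService, IMemoryCache cache)
    {
        _authenticationService = authenticationService;
        _cache = cache;
    }

    [HttpGet("signin-google")]
    [AllowAnonymous]
    public async Task<IActionResult> GoogleResponse([FromQuery] string returnUrl, CancellationToken cancellationToken)
    {
        if (string.IsNullOrEmpty(returnUrl) || !AllowedReturnUrls.Contains(returnUrl))
            return BadRequest("Unknown return URL.");

        var authenticateResult = await HttpContext.AuthenticateAsync(GoogleDefaults.AuthenticationScheme);
        if (!authenticateResult.Succeeded)
            return BadRequest("Google authentication failed.");

        var email = authenticateResult.Principal?.FindFirst(ClaimTypes.Email)?.Value;
        if (string.IsNullOrEmpty(email))
            return BadRequest("Email not found");

        var result = await _authenticationService.SignInWithProviderAsync("google", email, cancellationToken);
        return result.Match<IActionResult, SignInResponse>(success =>
        {
            // Park the tokens server-side under a random single-use code that expires quickly.
            // The redirect carries only the code, so the tokens never appear in a URL.
            var code = Base64UrlEncode(RandomNumberGenerator.GetBytes(32));
            _cache.Set("login-code:" + code, success, TimeSpan.FromSeconds(60));
            return Redirect(returnUrl + "?code=" + Uri.EscapeDataString(code));
        }, BadRequest);
    }

    public sealed record ExchangeRequest(string Code);

    // The client POSTs the code it received and gets the tokens in the JSON body,
    // the same response shape the asker already uses for e-mail sign-in.
    [HttpPost("exchange")]
    [AllowAnonymous]
    public IActionResult Exchange([FromBody] ExchangeRequest request)
    {
        var key = "login-code:" + request.Code;
        if (!_cache.TryGetValue(key, out SignInResponse? tokens) || tokens is null)
            return Unauthorized("Code is invalid or has expired.");

        _cache.Remove(key); // single use: a replayed code must fail
        return Ok(tokens);
    }

    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

The web app reads `code` from its callback route and calls `POST /auth/exchange` with it; the mobile app does the same after the OS hands it the deep link. `IMemoryCache` is per-process, so behind a load balancer swap it for `IDistributedCache` with the same key, TTL and remove-on-read behaviour, otherwise the exchange can land on an instance that never saw the code.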