enforceIssOnCapture

Apply the RFC 9207 iss authorization-response validation to a captured loopback redirect, given the selected authorization server's metadata. Returns the capture unchanged when iss is acceptable; otherwise clears the authorization code and records an invalid_iss error so the capture's ok is false and the caller rejects it. The validation runs regardless of any returned error/error_description, which are not acted on, mirroring the two-arg OAuthClient.authorizeAndGetCode(as_, ...) overload.
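The RFC 9207 check described above, sketched in Python as an added example; it is not this library's code. The `Capture` type, `parse_capture`, `enforce_iss`, the port and all sample URLs are hypothetical, and accepting a matching iss from a server that does not advertise support is an assumed local policy.

```python
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import urlsplit, parse_qs

@dataclass(frozen=True)
class Capture:  # hypothetical stand-in for the library's capture type
    code: Optional[str] = None
    iss: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.code is not None and self.error is None

def parse_capture(redirect_url: str) -> Capture:
    # parse_qs form-decodes each value, so iss is compared in decoded form.
    q = parse_qs(urlsplit(redirect_url).query)
    first = lambda k: q[k][0] if k in q else None
    return Capture(first("code"), first("iss"), first("error"), first("error_description"))

def enforce_iss(cap: Capture, metadata: dict) -> Capture:
    issuer = metadata["issuer"]
    advertised = metadata.get("authorization_response_iss_parameter_supported", False)
    if cap.iss is None:
        acceptable = not advertised      # a missing iss is fatal only when support is advertised
    else:
        acceptable = cap.iss == issuer   # simple string comparison, no URL normalization
    if acceptable:
        return cap                       # unchanged, including any error the server returned
    # The check does not branch on a returned error: a bad iss always wins.
    return replace(cap, code=None, error="invalid_iss",
                   error_description="iss does not identify the selected authorization server")

# Constructed sample data (not from a real deployment).
AS_METADATA = {"issuer": "https://as.example",
               "authorization_response_iss_parameter_supported": True}
LEGACY_METADATA = {"issuer": "https://as.example"}
BASE = "http://127.0.0.1:8765/cb?state=xyz&"
GOOD = BASE + "code=abc123&iss=https%3A%2F%2Fas.example"
OTHER_AS = BASE + "code=abc123&iss=https%3A%2F%2Fother-as.example"
TRAILING_SLASH = BASE + "code=abc123&iss=https%3A%2F%2Fas.example%2F"
MISSING = BASE + "code=abc123"
ERROR_WRONG_ISS = BASE + "error=access_denied&iss=https%3A%2F%2Fother-as.example"
```

The trailing-slash case is rejected because RFC 9207 requires simple string comparison against the issuer identifier, so `https://as.example/` does not match `https://as.example`.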