The following hypothesis is raised here:
A direct post response is both a grant and a code that gives access to further presentations / issuance, always prepended with an authentication.
Note:
As the research goes on, we notice that we cannot keep state in direct post requests while having a possible last-step active session.