@piotr

1.30.1

This is quite an old version of FusionAuth, just FYI.

Why does FusionAuth call the IdP's /oauth2/token before it calls my callback if it does not keep access/refresh tokens?

FusionAuth does keep the refresh token.

What is this 43-character code FusionAuth sends to the callback if I can't use it for anything? Most importantly, I can't use it for fusionauth.io/api/identity-provider/login.

The login API and the Authorization code grant are two separate ways of logging the same user in. They have different strengths and weaknesses, but in general you can't move between them.

You should be able to provide that 43-character code to the /oauth2/token endpoint and get back a response.

Hope this helps!
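
The code exchange mentioned in the reply above, sketched as an added example (not part of the original post and not FusionAuth's own code): it builds the Authorization Code grant request for `/oauth2/token` and parses the response. The host, client id, client secret and redirect URI are constructed placeholders, and the sketch assumes the application has a client secret and authenticates with HTTP Basic.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions): use your own FusionAuth host and application settings.
FUSIONAUTH_URL = "https://fusionauth.example.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://app.example.com/callback"


def build_token_request(code, base_url=FUSIONAUTH_URL, client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET, redirect_uri=REDIRECT_URI):
    """Build the POST that redeems an authorization code (RFC 6749, section 4.1.3)."""
    if not code or any(c.isspace() for c in code):
        raise ValueError("authorization code is empty or contains whitespace")
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        # Must be identical to the redirect_uri sent on the authorize request.
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    # Client credentials are sent with HTTP Basic authentication (RFC 6749, section 2.3.1).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/oauth2/token", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return the token fields, or raise if the server sent an OAuth error object."""
    payload = json.loads(raw)
    if "error" in payload:
        raise RuntimeError(f"{payload['error']}: {payload.get('error_description', '')}")
    return {k: payload.get(k)
            for k in ("access_token", "refresh_token", "token_type", "expires_in")}


def exchange_code(code):
    """Send the request; an authorization code is single-use, so call once per callback."""
    with urllib.request.urlopen(build_token_request(code), timeout=10) as resp:
        return parse_token_response(resp.read())
```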