diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
index 2e9b2f278c..adfaec111e 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
@@ -65,14 +65,17 @@ public class AuthorizationCodeAuthenticationProvider implements AuthenticationPr
// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
// scope
// REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
- if (authorizationCodeAuthentication.getAuthorizationRequest().getScopes().contains("openid")) {
+ if (authorizationCodeAuthentication.getAuthorizationExchange()
+ .getAuthorizationRequest().getScopes().contains("openid")) {
// This is an OpenID Connect Authentication Request so return null
// and let OidcAuthorizationCodeAuthenticationProvider handle it instead
return null;
}
- AuthorizationRequest authorizationRequest = authorizationCodeAuthentication.getAuthorizationRequest();
- AuthorizationResponse authorizationResponse = authorizationCodeAuthentication.getAuthorizationResponse();
+ AuthorizationRequest authorizationRequest = authorizationCodeAuthentication
+ .getAuthorizationExchange().getAuthorizationRequest();
+ AuthorizationResponse authorizationResponse = authorizationCodeAuthentication
+ .getAuthorizationExchange().getAuthorizationResponse();
if (authorizationResponse.statusError()) {
throw new OAuth2AuthenticationException(
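Review bot: The rewritten condition still hard-codes the scope as `contains("openid")`, while the mirror-image check in OidcAuthorizationCodeAuthenticationProvider (last hunk of that file in this commit) uses `OidcScope.OPENID`. The two providers hand off to each other by returning null, so the two tests must stay exact complements or an authentication could be claimed by neither provider or by both. Using the constant here too, `.getAuthorizationRequest().getScopes().contains(OidcScope.OPENID)) {`, removes that drift risk. As a style point, `getAuthorizationExchange()` is now called three times in this hunk and three times in the Oidc one; a single local such as `AuthorizationExchange authorizationExchange = authorizationCodeAuthentication.getAuthorizationExchange();` (plus its import) would read more cleanly. The enclosing method starts and ends outside the hunk.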
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationToken.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationToken.java
index e3adcfecfa..68083c1748 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationToken.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationToken.java
@@ -17,6 +17,7 @@ package org.springframework.security.oauth2.client.authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.endpoint.AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
import org.springframework.util.Assert;
@@ -35,20 +36,16 @@ import org.springframework.util.Assert;
*/
public class AuthorizationCodeAuthenticationToken extends AuthorizationGrantAuthenticationToken {
private final ClientRegistration clientRegistration;
- private final AuthorizationRequest authorizationRequest;
- private final AuthorizationResponse authorizationResponse;
+ private final AuthorizationExchange authorizationExchange;
public AuthorizationCodeAuthenticationToken(ClientRegistration clientRegistration,
- AuthorizationRequest authorizationRequest,
- AuthorizationResponse authorizationResponse) {
+ AuthorizationExchange authorizationExchange) {
super(AuthorizationGrantType.AUTHORIZATION_CODE);
Assert.notNull(clientRegistration, "clientRegistration cannot be null");
- Assert.notNull(authorizationRequest, "authorizationRequest cannot be null");
- Assert.notNull(authorizationResponse, "authorizationResponse cannot be null");
+ Assert.notNull(authorizationExchange, "authorizationExchange cannot be null");
this.clientRegistration = clientRegistration;
- this.authorizationRequest = authorizationRequest;
- this.authorizationResponse = authorizationResponse;
+ this.authorizationExchange = authorizationExchange;
this.setAuthenticated(false);
}
@@ -66,11 +63,7 @@ public class AuthorizationCodeAuthenticationToken extends AuthorizationGrantAuth
return this.clientRegistration;
}
- public AuthorizationRequest getAuthorizationRequest() {
- return this.authorizationRequest;
- }
-
- public AuthorizationResponse getAuthorizationResponse() {
- return this.authorizationResponse;
+ public AuthorizationExchange getAuthorizationExchange() {
+ return this.authorizationExchange;
}
}
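Review bot: `getAuthorizationRequest()` and `getAuthorizationResponse()` are removed outright from a public class, so any caller not updated in this commit stops compiling. If the type has already shipped in a milestone, it would be friendlier to keep them for one release as deprecated delegates, e.g. `@Deprecated public AuthorizationRequest getAuthorizationRequest() { return this.authorizationExchange.getAuthorizationRequest(); }`. If they are dropped as shown, the `AuthorizationRequest` and `AuthorizationResponse` imports left as context in the import hunk look unused, unless Javadoc outside the visible lines still refers to them. The new `getAuthorizationExchange()` accessor also has no Javadoc; something like `/** Returns the authorization request/response pair this authentication was created from. */` would do.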
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
index c735e6a9df..480c00424e 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
@@ -75,7 +75,7 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
// Build the authorization code grant request for the token endpoint
AuthorizationCode authorizationCode = new AuthorizationCode(
- authorizationCodeAuthentication.getAuthorizationResponse().getCode());
+ authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationResponse().getCode());
URI redirectUri = toURI(clientRegistration.getRedirectUri());
AuthorizationGrant authorizationCodeGrant = new AuthorizationCodeGrant(authorizationCode, redirectUri);
URI tokenUri = toURI(clientRegistration.getProviderDetails().getTokenUri());
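Review bot: The `redirect_uri` for the token request is still read from `clientRegistration.getRedirectUri()` on the line after the changed one, even though the original authorization request is now reachable through `getAuthorizationExchange()`. RFC 6749 section 4.1.3 requires the token request to repeat exactly the redirect URI that was sent in the authorization request. Taking it from the stored request would keep the two legs in step if the registration value is ever templated or changed in between. This assumes `AuthorizationRequest` exposes the redirect URI it was built with. At minimum I would add a comment above that line, `// redirect_uri MUST be identical to the value sent in the authorization request (RFC 6749 4.1.3)`. The method body begins and ends outside the hunk.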
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java
index 34925510aa..712c3bd54d 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java
@@ -26,6 +26,7 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCode;
+import org.springframework.security.oauth2.core.endpoint.AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
@@ -124,7 +125,7 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
.build();
AuthorizationCodeAuthenticationToken authorizationCodeAuthentication = new AuthorizationCodeAuthenticationToken(
- clientRegistration, authorizationRequest, authorizationResponse);
+ clientRegistration, new AuthorizationExchange(authorizationRequest, authorizationResponse));
authorizationCodeAuthentication.setDetails(this.authenticationDetailsSource.buildDetails(request));
OAuth2ClientAuthenticationToken clientAuthentication =
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticationProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticationProvider.java
index 04ebf43b6d..ca76c1d66d 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticationProvider.java
@@ -18,8 +18,6 @@ package org.springframework.security.oauth2.oidc.client.authentication;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.AuthorizationGrantTokenExchanger;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationException;
@@ -32,6 +30,8 @@ import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
import org.springframework.security.oauth2.core.endpoint.TokenResponse;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.oidc.core.IdToken;
import org.springframework.security.oauth2.oidc.core.OidcScope;
import org.springframework.security.oauth2.oidc.core.endpoint.OidcParameter;
@@ -79,14 +79,17 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati
// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
// scope
// REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
- if (!authorizationCodeAuthentication.getAuthorizationRequest().getScopes().contains(OidcScope.OPENID)) {
+ if (!authorizationCodeAuthentication.getAuthorizationExchange()
+ .getAuthorizationRequest().getScopes().contains(OidcScope.OPENID)) {
// This is NOT an OpenID Connect Authentication Request so return null
// and let AuthorizationCodeAuthenticationProvider handle it instead
return null;
}
- AuthorizationRequest authorizationRequest = authorizationCodeAuthentication.getAuthorizationRequest();
- AuthorizationResponse authorizationResponse = authorizationCodeAuthentication.getAuthorizationResponse();
+ AuthorizationRequest authorizationRequest = authorizationCodeAuthentication
+ .getAuthorizationExchange().getAuthorizationRequest();
+ AuthorizationResponse authorizationResponse = authorizationCodeAuthentication
+ .getAuthorizationExchange().getAuthorizationResponse();
if (authorizationResponse.statusError()) {
throw new OAuth2AuthenticationException(
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/AuthorizationExchange.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/AuthorizationExchange.java
new file mode 100644
index 0000000000..1c431bc96c
--- /dev/null
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/AuthorizationExchange.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core.endpoint;
+
+import org.springframework.util.Assert;
+
+/**
+ * An "exchange" of an OAuth 2.0 Authorization Request and Response
+ * for the authorization code grant type.
+ *
+ * @author Joe Grandja
+ * @since 5.0
+ * @see AuthorizationRequest
+ * @see AuthorizationResponse
+ */
+public final class AuthorizationExchange {
+ private final AuthorizationRequest authorizationRequest;
+ private final AuthorizationResponse authorizationResponse;
+
+ public AuthorizationExchange(AuthorizationRequest authorizationRequest,
+ AuthorizationResponse authorizationResponse) {
+ Assert.notNull(authorizationRequest, "authorizationRequest cannot be null");
+ Assert.notNull(authorizationResponse, "authorizationResponse cannot be null");
+ this.authorizationRequest = authorizationRequest;
+ this.authorizationResponse = authorizationResponse;
+ }
+
+ public AuthorizationRequest getAuthorizationRequest() {
+ return this.authorizationRequest;
+ }
+
+ public AuthorizationResponse getAuthorizationResponse() {
+ return this.authorizationResponse;
+ }
+}
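Review bot: The constructor accepts any request together with any response and checks only for null, so the class Javadoc should state that the pairing itself is not validated. In particular, the response's `state` is not compared with the request's in this class, so that correlation check has to happen in the caller before the exchange is trusted. Whether AuthorizationCodeAuthenticationFilter already does so is not visible in this diff. Proposed addition to the class comment: `NOTE: this class does not verify that the response corresponds to the request (for example a matching state parameter); callers must perform that check.` The public constructor and both getters are also undocumented; a one-sentence summary each, with `@param` tags noting that neither argument may be null and an `@return` on each getter, would cover it.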