> * **Requesting an access token**
… As can be seen from the RFC, the grant_type, code, redirect_uri and client_id are required parameters. client_secret is also required to allow the client to authenticate with the authorization server.
However, in the RFC it is mentioned that:
> * **4.1.3. Access Token Request:**
>   REQUIRED, **if** the “redirect_uri” parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
Whereas in 4.4.1:
> * **4.4.1 Authorization Request**:
>   OPTIONAL. As described in Section 3.1.2.
So, finally, unlike what the OpenAM documentation says, in the “Access Token Request” the redirect_uri should only be required if it was present in the “Authorization Request”.
I did not have the chance to test how it is really implemented, but from the documentation, I can say this is something to fix.
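
The conditional rule quoted from the RFC above, written out as a token-endpoint check. This is an added example, not part of the original post and not OpenAM's code; the `IssuedCode` record, the `CODES` store, the function name and all sample values are constructed for illustration, and client authentication and single-use enforcement of the code are left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class IssuedCode:
    """State recorded when the authorization code was issued (hypothetical)."""
    client_id: str
    redirect_uri: Optional[str]  # None: the authorization request omitted it


# Constructed sample state: code value -> what the authorization request contained.
CODES: Dict[str, IssuedCode] = {
    "code-with-uri": IssuedCode("client-a", "https://client.example/cb"),
    "code-without-uri": IssuedCode("client-a", None),
}


def validate_token_request(params: Dict[str, str]) -> Optional[str]:
    """Return None if acceptable, else an RFC 6749 section 5.2 error code."""
    # Unconditionally required parameters for this sketch.
    if any(name not in params for name in ("grant_type", "code", "client_id")):
        return "invalid_request"
    if params["grant_type"] != "authorization_code":
        return "unsupported_grant_type"
    issued = CODES.get(params["code"])
    if issued is None or issued.client_id != params["client_id"]:
        return "invalid_grant"  # unknown code, or issued to another client

    supplied = params.get("redirect_uri")
    if issued.redirect_uri is None:
        # Omitted at authorization time, so not required here (section 4.1.3).
        # Assumption: an unexpected value is rejected rather than ignored;
        # the RFC does not spell this case out.
        return None if supplied is None else "invalid_grant"
    if supplied is None:
        return "invalid_request"  # conditionally required parameter missing
    # Exact string comparison, no normalization: values MUST be identical.
    return None if supplied == issued.redirect_uri else "invalid_grant"
```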