> But I was expecting a page asking to authenticate before recovering the token ...
>
Are you logged into your Gluu Server when testing? If you already have a session in the Gluu Server, it will bypass authentication, i.e. single sign-on (SSO). Make sure you are logged out and then test. The redirect to the authorization endpoint will prompt for login.