By: Travis Salyer user 21 Jan 2022 at 7:42 a.m. CST

0 Responses
Expected: Documentation matches the implementation for the OIDC Token Endpoint API documentation for version 4.3.

Actual: The token endpoint API documentation's required inputs for the authorization code grant type do not match what the implementation actually validates. The documentation says that `client_assertion` and `client_assertion_type` are both required inputs and that `redirect_uri` is not required when the `grant_type` is set to `authorization_code`. The actual code in the Gluu oxauth repository only validates that the `authorization_code` and `redirect_uri` are present. If the API documentation is followed without looking at the source code, the request is always met with a non-descriptive 400 response. Additionally, there is little to no explanation of which request inputs are required for which grant type.

Token API Endpoint Documentation: https://gluu.org/docs/gluu-server/4.3/api-guide/openid-connect-api/#openid-connect-token-endpoint

Source code for token api endpoint validation: https://github.com/GluuFederation/oxAuth/blob/6320e62b49eded6023f8561ec067cbe3f5c68b2b/Server/src/main/java/org/gluu/oxauth/model/token/TokenParamsValidator.java#L40
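As an added example (not from the post and not oxAuth's own code), a small Python model of the mismatch described above: it runs a request built from the documented inputs and one built from the inputs the validator checks through the same rule, so the non-descriptive 400 can be diagnosed. The two required-parameter sets are assumptions taken from the post's description, and `code` is the standard OAuth 2.0 parameter name for the authorization code.

```python
"""Model of the doc/implementation mismatch for grant_type=authorization_code.
The rule sets are assumptions derived from the post, not read from oxAuth."""
from typing import Dict, Iterable, List, Optional, Tuple

# What the 4.3 docs list as required for authorization_code (per the post):
# client_assertion + client_assertion_type, and no redirect_uri.
DOCUMENTED_REQUIRED = {"grant_type", "code", "client_assertion", "client_assertion_type"}
# What the post says TokenParamsValidator actually checks for that grant.
IMPLEMENTED_REQUIRED = {"grant_type", "code", "redirect_uri"}


def missing_params(request: Dict[str, str], required: Iterable[str]) -> List[str]:
    """Return required parameters that are absent or empty, sorted for stable output."""
    return sorted(name for name in required if not request.get(name))


def validate_like_implementation(request: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Mimic the described server behaviour: any missing input yields a bare 400."""
    if request.get("grant_type") != "authorization_code":
        return 400, "unsupported_grant_type"
    if missing_params(request, IMPLEMENTED_REQUIRED):
        return 400, None  # no error body: the caller cannot tell what was missing
    return 200, None


def diagnose(request: Dict[str, str]) -> Dict[str, List[str]]:
    """Client-side diagnostic: what the docs would flag vs what the server flags."""
    return {
        "missing_per_docs": missing_params(request, DOCUMENTED_REQUIRED),
        "missing_per_implementation": missing_params(request, IMPLEMENTED_REQUIRED),
    }


def doc_vs_implementation() -> Dict[str, List[str]]:
    """List the inputs each side requires that the other does not."""
    return {
        "documented_only": sorted(DOCUMENTED_REQUIRED - IMPLEMENTED_REQUIRED),
        "implemented_only": sorted(IMPLEMENTED_REQUIRED - DOCUMENTED_REQUIRED),
    }


# Constructed sample requests (values are placeholders, not real tokens).
REQUEST_PER_DOCS = {
    "grant_type": "authorization_code",
    "code": "SAMPLE_CODE",
    "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    "client_assertion": "SAMPLE_JWT",
}
REQUEST_PER_IMPLEMENTATION = {
    "grant_type": "authorization_code",
    "code": "SAMPLE_CODE",
    "redirect_uri": "https://client.example/cb",
}
```

Running `validate_like_implementation` on `REQUEST_PER_DOCS` reproduces the bare 400 the post describes, and `diagnose` shows that only `redirect_uri` is missing from the server's point of view.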