I can't figure out if oAuth 2.0 server should revoke old Authorization Codes (not Authorization Tokens) when new code requested? Also I can't figure out in what format oAuth server should show the error if valid redirect_uri parameter not specified neither registered in app settings.
Thank you for helping me understand this RFC.