0
votes

I can't figure out if an OAuth 2.0 server should revoke old Authorization Codes (not Authorization Tokens) when a new code is requested. Also I can't figure out in what format the OAuth server should show the error if a valid redirect_uri parameter is neither specified nor registered in the app settings.

Thank you for helping me understand this RFC.

https://www.rfc-editor.org/rfc/rfc6749


1 Answer

0
votes

As far as I know, your questions are not covered by the specs, so the answers below reflect only my personal opinion on a practical implementation.

A client may legally request several authorization codes with different scopes. You can argue if this makes sense (though I think it does), but the standard does not forbid it. Consequently, I think old codes should be revoked only if a client resends a request (i.e. with exactly the same request details: client id, redirect uri, scopes).

For missing redirect_uri, servers should return HTTP 400 Bad Request and include error details in the message body (and/or appropriate HTTP headers).
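The two behaviours the answer describes, as an added example that is not part of the original post or of any real authorization server: an in-memory authorization endpoint that revokes an earlier unconsumed code only when the new request repeats the same client_id, redirect_uri and scope, and that answers a missing or unregistered redirect_uri with HTTP 400 and an error body instead of redirecting. The token endpoint also enforces the single-use and short lifetime that RFC 6749 section 4.1.2 does require of authorization codes. Client registrations, URIs and scopes are constructed sample data; the `AuthorizationServer`, `authorize` and `redeem` names are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# RFC 6749 section 4.1.2 recommends a maximum authorization-code lifetime of 10 minutes.
CODE_LIFETIME_SECONDS = 600


@dataclass
class RegisteredClient:
    client_id: str
    redirect_uris: tuple  # redirect URIs pre-registered for this client (constructed sample data)


@dataclass
class AuthorizationCode:
    code: str
    client_id: str
    redirect_uri: str
    scope: frozenset
    issued_at: float
    revoked: bool = False


def _error(description, error="invalid_request"):
    # HTTP 400 with an RFC 6749 section 5.2 style JSON error body; nothing is redirected.
    return 400, {"error": error, "error_description": description}


class AuthorizationServer:
    """Hypothetical in-memory server used only to illustrate the answer above."""

    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}  # code value -> AuthorizationCode

    def authorize(self, params, now=None):
        """Authorization endpoint. Returns (status, body): body is the redirect
        location on success or an error document on failure."""
        now = time.time() if now is None else now
        client = self.clients.get(params.get("client_id"))
        if client is None:
            return _error("unknown client_id")

        redirect_uri = params.get("redirect_uri")
        if redirect_uri is None:
            # redirect_uri may only be omitted when exactly one URI is registered;
            # with several registered the request is ambiguous and is rejected.
            if len(client.redirect_uris) != 1:
                return _error("redirect_uri missing and not uniquely registered")
            redirect_uri = client.redirect_uris[0]
        elif redirect_uri not in client.redirect_uris:
            # Never redirect to an unregistered URI; report the error to the resource owner.
            return _error("redirect_uri does not match a registered value")

        scope = frozenset((params.get("scope") or "").split())

        # Revoke earlier unconsumed codes only for an identical request
        # (same client_id, redirect_uri and scope); codes for other scopes stay valid.
        for existing in self.codes.values():
            if (existing.client_id == client.client_id
                    and existing.redirect_uri == redirect_uri
                    and existing.scope == scope):
                existing.revoked = True

        code = AuthorizationCode(secrets.token_urlsafe(32), client.client_id,
                                 redirect_uri, scope, now)
        self.codes[code.code] = code
        return 302, redirect_uri + "?" + urlencode({"code": code.code})

    def redeem(self, code_value, client_id, redirect_uri, now=None):
        """Token endpoint. A code is accepted once, only by the client it was
        issued to, with the same redirect_uri, and only before it expires."""
        now = time.time() if now is None else now
        code = self.codes.get(code_value)
        if (code is None or code.revoked or code.client_id != client_id
                or code.redirect_uri != redirect_uri):
            return _error("code unknown, revoked or bound to other parameters", "invalid_grant")
        if now - code.issued_at > CODE_LIFETIME_SECONDS:
            return _error("code expired", "invalid_grant")
        code.revoked = True  # single use: a replay fails the check above
        return 200, {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer",
                     "scope": " ".join(sorted(code.scope))}
```

Passing `now` explicitly keeps the lifetime check deterministic in tests; a real deployment would also persist codes outside a single process and log the 400 responses, since repeated redirect_uri mismatches for one client_id are worth noticing.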