The RFC for OAuth2 says the redirect_uri which was specified when generating the authorization code must be included in the request to exchange the code for an access token.
From the RFC:
4.1.3. Access Token Request
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:
[...]
redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
https://tools.ietf.org/html/rfc6749#section-4.1.3
Why is the redirect_uri required when exchanging the code for an access token? What benefit does this provide?
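The check the quoted clause mandates, as an added example that is not part of the original question: a minimal in-memory token endpoint that records the redirect_uri presented at the authorization request, then refuses to redeem the code unless the token request carries an identical value (exact string match, no normalization), alongside the usual single-use and expiry checks. The class and method names, the client id and the sample URIs are constructed for illustration.

```python
import secrets
import time

# Constructed constant: how long an authorization code stays redeemable.
CODE_TTL_SECONDS = 600


class AuthorizationServer:
    """Hypothetical authorization server keeping codes in memory."""

    def __init__(self):
        # code -> {client_id, redirect_uri, issued_at, used}
        self._codes = {}

    def issue_code(self, client_id, redirect_uri=None):
        """Authorization endpoint (RFC 6749 4.1.1/4.1.2): mint a code and
        remember exactly which redirect_uri, if any, accompanied the request."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "issued_at": time.time(),
            "used": False,
        }
        return code

    def exchange_code(self, client_id, code, redirect_uri=None, now=None):
        """Token endpoint (RFC 6749 4.1.3). Returns (ok, reason)."""
        now = time.time() if now is None else now
        record = self._codes.get(code)
        if record is None:
            return False, "invalid_grant: unknown code"
        if record["used"]:
            return False, "invalid_grant: code already used"
        if now - record["issued_at"] > CODE_TTL_SECONDS:
            return False, "invalid_grant: code expired"
        if record["client_id"] != client_id:
            return False, "invalid_grant: code issued to a different client"

        bound = record["redirect_uri"]
        if bound is not None:
            # The authorization request carried a redirect_uri, so the token
            # request MUST carry one too, and the two MUST be identical.
            if redirect_uri is None:
                return False, "invalid_request: redirect_uri required"
            # Character-for-character comparison: no case folding, no
            # trailing-slash tolerance, no query-string normalization.
            if bound != redirect_uri:
                return False, "invalid_grant: redirect_uri mismatch"

        record["used"] = True  # codes are single-use
        return True, "access_token issued"


def demo():
    """Walk through the accept/reject cases; returns the list of outcomes."""
    srv = AuthorizationServer()
    cb = "https://client.example/cb"  # constructed registered redirect URI
    code = srv.issue_code("client-a", cb)
    results = [
        srv.exchange_code("client-a", code, cb + "/"),   # near-miss URI: rejected
        srv.exchange_code("client-a", code),             # parameter omitted: rejected
        srv.exchange_code("client-a", code, cb),         # identical: accepted
        srv.exchange_code("client-a", code, cb),         # replay: rejected
    ]
    code2 = srv.issue_code("client-a")  # no redirect_uri at authorization time
    results.append(srv.exchange_code("client-a", code2))  # none required now
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK " if ok else "ERR", reason)
```

Binding the code to the exact redirect_uri ties it to the URI the authorization server actually delivered it to: a code that reached some other URI cannot later be redeemed with the legitimate client's registered value, and the mismatch is visible in the server's logs as a rejected token request. Note that the comparison deliberately rejects even a trailing-slash variant, which is what "MUST be identical" requires.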