OAuth token endpoint returns 500 instead of 400 when authorization_code is missing code

[MagicShoebox]

app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions { TokenEndpointPath = "/token" });

irm -Method POST -Body @{ grant_type = "authorization_code" } https://localhost:8080/token

This returns 500 instead of 400.

OAuthAuthorizationServerHandler.InvokeTokenEndpointAuthorizationCodeGrantAsync() triggers an ArgumentNullException on line 489 when it tries to construct an AuthenticationTokenReceiveContext with a null token (tokenEndpointRequest.AuthorizationCodeGrant.Code).

I'm not quite sure why AuthenticationTokenReceiveContext throws this exception. I think it (and its consumers) should probably handle the case where token is null. Alternatively, InvokeTokenEndpointAuthorizationCodeGrantAsync() should check that a code was provided. Happy to open a PR given guidance on which approach to take.

[MagicShoebox]

I believe this also affects grant_type refresh_token when no token is provided.

[Tratcher]

UseOAuthAuthorizationServer has been considered obsolete for many years, you should find another auth server.