Appendix A.2

[mattjm]

On the last bullet point in A.2:

• The Authorization Server issues an Authorization Code, which is exchanged for an access and refresh token before returning control to the Client.

I was under the impression the browser returns control to the client with the authorization code, and then the client uses the authorization code with the /token endpoint directly.

[aaronpk]

Yes you're correct, this is worded poorly