#aaronpkbut i would like to make it so authorization codes are always sent to the token endpoint regardless of whether an access token is returned so that it better matches oauth and also so that the responses from the two endpoints are more consistent