Unable to autodetect auth style in golang/oauth2 #231

@pomdtr

When using a POST request (ex: in the /token endpoint), some OAuth providers expect the client_id and client_secret to be passed in the form data, while others use a client_id URL param and an authorization header for the client_secret.

In order to support both styles, the golang oauth client first sends a request using the URL param method, then it falls back to the form data method.

However, openauth deletes the oauth:code when the first request fails, meaning that the second one will fail too.

https://github.com/toolbeam/openauth/blob/63dc1da64d8458824184593e11b4b33c3c4cd6f5/packages/openauth/src/issuer.ts#L833

I propose to only delete the oauth code when the tokens are actually emitted.
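
The failure described in this issue, as an added Go sketch (not part of the issue, and not openauth or golang/oauth2 code): a toy in-memory issuer redeems a code under both deletion policies while a client probes one credential style and then falls back. `Issuer`, `Request`, `Exchange`, the sample code and client values, and the rule that this issuer only accepts the client_id in form data are assumptions made for the illustration.

```go
package main

import "fmt"

// Issuer is a toy in-memory token endpoint (constructed for this example).
type Issuer struct {
	codes          map[string]string // authorization code -> client_id it was issued to
	consumeOnIssue bool              // false: delete on first lookup; true: delete only when tokens are issued
}

// Request models a POST /token call; FormClientID is empty when the client
// sent its credentials some other way (assumption: this issuer only reads the form).
type Request struct {
	Code         string
	FormClientID string
}

// Token redeems an authorization code. The code is single-use under both
// policies; they differ only in whether a rejected request burns it.
func (i *Issuer) Token(r Request) (string, error) {
	owner, ok := i.codes[r.Code]
	if !ok {
		return "", fmt.Errorf("invalid_grant: unknown or already used code")
	}
	if !i.consumeOnIssue {
		delete(i.codes, r.Code) // burned before the client is validated
	}
	if r.FormClientID != owner {
		return "", fmt.Errorf("invalid_client: credentials not found in form")
	}
	delete(i.codes, r.Code) // tokens are about to be issued: consume the code now
	return "access-token-for-" + owner, nil
}

// Exchange mimics a client that probes one credential style, then falls back.
func Exchange(i *Issuer, code, clientID string) (string, error) {
	if tok, err := i.Token(Request{Code: code}); err == nil { // first style: nothing in the form
		return tok, nil
	}
	return i.Token(Request{Code: code, FormClientID: clientID}) // fallback: form data
}

func main() {
	for _, onIssue := range []bool{false, true} {
		iss := &Issuer{codes: map[string]string{"code-1": "app"}, consumeOnIssue: onIssue}
		tok, err := Exchange(iss, "code-1", "app")
		_, replay := iss.Token(Request{Code: "code-1", FormClientID: "app"})
		fmt.Printf("consumeOnIssue=%v token=%q err=%v replayErr=%v\n", onIssue, tok, err, replay)
	}
}
```

Under the second policy a rejected request no longer invalidates the code, so the code's expiry is what bounds how long it stays redeemable.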
