Description
Describe the bug
The /token endpoint doesn't check that the redirect_uri provided in the request matches the redirect_uri originally provided in the /authorize request, which is required by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3.
redirect_uri: REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
This seems like a problem with the way the AuthProvider interface is designed - the only method the provider can expose is challengeForAuthorizationCode, so there's no way for the provider to tell the SDK what redirect_uri was originally provided. Fixing this will require a change to the interface (and the cleanest way to fix it is a breaking change), so we should probably fix this before too many integrations grow around the existing AuthProvider interface.
To Reproduce
Steps to reproduce the behavior:
- Make an /authorize request
- Make a /token request with a different redirect_uri; this returns a successful response.
Expected behavior
The /token request should return an HTTP 400 with error=invalid_grant (https://datatracker.ietf.org/doc/html/rfc6749#section-5.2).
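One way to implement the missing check, as an added example that is not the SDK's code and does not use its AuthProvider interface: the redirect_uri sent to /authorize is stored alongside the issued code, and the /token handler compares it against the redirect_uri in the exchange request exactly as RFC 6749 section 4.1.3 requires. The names CodeStore, issueCode and exchangeCode are hypothetical, as is the in-memory store; a real provider would persist the binding wherever it stores the code.

```typescript
// Added example, not the project's code. Demonstrates binding redirect_uri to an
// authorization code at /authorize and enforcing RFC 6749 §4.1.3 at /token.
import { randomBytes } from "node:crypto";

interface AuthorizationRecord {
  clientId: string;
  redirectUri?: string; // undefined when /authorize carried no redirect_uri
  expiresAt: number;    // ms since epoch; authorization codes are short-lived
  used: boolean;        // codes are single-use (RFC 6749 §4.1.2)
}

export type TokenResult =
  | { status: 200; access_token: string; token_type: "Bearer" }
  | { status: 400; error: "invalid_grant" | "invalid_request" };

// Hypothetical store; the names below are not part of any SDK interface.
export class CodeStore {
  private codes = new Map<string, AuthorizationRecord>();
  private now: () => number;
  private ttlMs: number;

  constructor(now: () => number = Date.now, ttlMs = 60_000) {
    this.now = now;
    this.ttlMs = ttlMs;
  }

  /** /authorize side: issue a code and remember which redirect_uri (if any) it was bound to. */
  issueCode(clientId: string, redirectUri?: string): string {
    const code = randomBytes(32).toString("base64url");
    this.codes.set(code, {
      clientId,
      redirectUri,
      expiresAt: this.now() + this.ttlMs,
      used: false,
    });
    return code;
  }

  /** /token side: grant_type=authorization_code exchange. */
  exchangeCode(code: string, clientId: string, redirectUri?: string): TokenResult {
    const rec = this.codes.get(code);

    // Unknown, replayed or expired code, or a code issued to another client.
    if (!rec || rec.used || rec.expiresAt <= this.now() || rec.clientId !== clientId) {
      return { status: 400, error: "invalid_grant" };
    }

    if (rec.redirectUri !== undefined) {
      // §4.1.3: redirect_uri is REQUIRED at /token when it was sent to /authorize ...
      if (redirectUri === undefined) {
        return { status: 400, error: "invalid_request" }; // §5.2: missing required parameter
      }
      // ... and the two values MUST be identical. Byte-exact comparison; no normalisation,
      // so "https://a.example/cb" and "https://a.example/cb/" are different URIs.
      if (redirectUri !== rec.redirectUri) {
        rec.used = true; // defensive choice (not mandated by the RFC): burn the code on mismatch
        return { status: 400, error: "invalid_grant" }; // §5.2: redirection URI mismatch
      }
    }

    rec.used = true; // single use; a second exchange of the same code is rejected above
    return {
      status: 200,
      access_token: randomBytes(32).toString("base64url"), // placeholder token for the example
      token_type: "Bearer",
    };
  }
}

// Convenience wrappers so the scenarios from the report can be exercised directly.
export function legitimateExchange(): number {
  const store = new CodeStore();
  const code = store.issueCode("client-1", "https://app.example/cb");
  return store.exchangeCode(code, "client-1", "https://app.example/cb").status;
}

export function mismatchedExchange(): TokenResult {
  const store = new CodeStore();
  const code = store.issueCode("client-1", "https://app.example/cb");
  return store.exchangeCode(code, "client-1", "https://attacker.example/cb");
}
```

The mismatch path returns error=invalid_grant, which is the response section 5.2 assigns to a "redirection URI mismatch"; a /token request that omits redirect_uri entirely when /authorize carried one is reported as invalid_request instead, since section 5.2 reserves that code for a missing required parameter. The comparison is deliberately an exact string match: any normalisation (trailing slash, case, default port) widens what an attacker-controlled redirect can match.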