nulab / scala-oauth2-provider

OAuth 2.0 server-side implementation written in Scala

Why does OAuth2Provider::authorize not include error JSON in error response body

ctoomey opened this issue

OAuth2Provider::issueAccessToken() and OAuth2Provider::authorize() handle errors mostly the same, except that issueAccessToken() includes a JSON body describing the error and authorize() doesn't. Is there a particular reason for not including the JSON body for authorize() errors? If not, I'll submit a pull request with that fixed.

We support the Bearer Token, and its error codes are specified here:

http://tools.ietf.org/html/rfc6750#section-3.1

The specification does not specify an error response body.

However, I can find the specification of Issuing an Access Token in RFC6749.
Yet I can't find the specification of Accessing Protected Resources in RFC6749.

So, should we have only OAuth2Provider::issueAccessToken include the error JSON in the error response body?

Yes, you're right, I hadn't noticed that the spec. only calls for the response body for errors when issuing tokens. Thanks.
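
The distinction the thread settles on, as an added Scala example (not scala-oauth2-provider's code; `HttpError`, `OAuthErrorShapes` and the sample values are hypothetical): RFC 6749 section 5.2 puts token-endpoint errors in a JSON body, while RFC 6750 section 3 carries protected-resource errors in the `WWW-Authenticate` header and defines no body.

```scala
// Added illustration; every name here is hypothetical, not scala-oauth2-provider's API.
final case class HttpError(status: Int, headers: Map[String, String], body: String)

object OAuthErrorShapes {
  // RFC 6750 section 3 limits error/error_description values to
  // %x20-21 / %x23-5B / %x5D-7E: printable ASCII without '"' and '\'.
  private def headerSafe(s: String): String =
    s.filter(c => c >= 0x20 && c <= 0x7E && c != '"' && c != '\\')

  // Minimal JSON string escaping for the token endpoint body.
  private def jsonString(s: String): String =
    "\"" + s.flatMap {
      case '"'           => "\\\""
      case '\\'          => "\\\\"
      case c if c < 0x20 => "\\u%04x".format(c.toInt)
      case c             => c.toString
    } + "\""

  // Token endpoint (RFC 6749 section 5.2): 400 plus a JSON body.
  // (invalid_client may instead be answered with 401; not modelled here.)
  def tokenEndpointError(code: String, description: String): HttpError =
    HttpError(
      400,
      Map("Content-Type" -> "application/json;charset=UTF-8", "Cache-Control" -> "no-store"),
      "{\"error\":" + jsonString(code) + ",\"error_description\":" + jsonString(description) + "}"
    )

  // Protected resource (RFC 6750 section 3): the error goes in the
  // WWW-Authenticate challenge and no body format is defined.
  // error = None models a request that carried no credentials at all.
  def resourceError(realm: String, error: Option[(String, String)]): HttpError = {
    val status = error.map(_._1) match {
      case Some("invalid_request")    => 400
      case Some("insufficient_scope") => 403
      case _                          => 401 // invalid_token, or no credentials
    }
    val attrs = Seq("realm" -> realm) ++
      error.toSeq.flatMap { case (c, d) => Seq("error" -> c, "error_description" -> d) }
    val challenge = attrs.map { case (k, v) => k + "=\"" + headerSafe(v) + "\"" }
    HttpError(status, Map("WWW-Authenticate" -> challenge.mkString("Bearer ", ", ", "")), "")
  }
}

object Demo extends App {
  // Constructed sample values.
  println(OAuthErrorShapes.tokenEndpointError("invalid_grant", "authorization code expired"))
  println(OAuthErrorShapes.resourceError("example", Some("invalid_token" -> "The access token expired")))
  println(OAuthErrorShapes.resourceError("example", None))
}
```

Stripping `"` and `\` from the header values keeps caller-supplied description text from breaking out of the quoted-string and adding parameters to the challenge.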