songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit

Broken example as per RFC 6749

ahadinyoto opened this issue · comments

In the example/application.rb the expected initial request as given in the commented line is:

```ruby
# /oauth/authorize?response_type=token&client_id=...
```

With RFC 6749 section 4.1.1, the only allowable response_type is code.

I'm using Omniauth-OAuth2, which seems to adhere to the current RFC standard and won't allow the response_type to be changed to anything else. This has affected the flow in example/application.rb.

Reference: http://stackoverflow.com/questions/6354262/omniauth-cant-change-response-type-to-token-in-strategy

This library implements draft-10, which allows code, token, and code_and_token. The RFC allows code and token -- see section 3.1.1.
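Added example, not code from songkick/oauth2-provider: a minimal check of an authorization request's response_type against the RFC 6749 values (code and token, section 3.1.1), with the error handling section 4.1.2.1 requires, and an optional allow-list under which the draft-10 value code_and_token is also accepted. The client registry, the function name and the sample URIs are constructed for this illustration.

```ruby
require 'uri'
require 'cgi'

# Constructed client registry: the server only redirects to a URI the client
# registered in advance, never to one supplied only in the request.
REGISTERED_CLIENTS = {
  'client-abc' => ['https://app.example.com/callback']
}.freeze

# RFC 6749 response_type values: "code" (section 4.1.1) and "token"
# (section 4.2.1). draft-10's "code_and_token" is not among them.
RFC6749_RESPONSE_TYPES = %w[code token].freeze

# Parses an authorization request URI and returns either
#   [:ok, params]             when the request is acceptable, or
#   [:error, redirect_or_nil] with the RFC error redirect when it is not
#                             (nil means: do not redirect, show the user).
def validate_authorization_request(request_uri, allowed = RFC6749_RESPONSE_TYPES)
  params = CGI.parse(URI(request_uri).query.to_s).transform_values(&:first)
  client_id    = params['client_id']
  redirect_uri = params['redirect_uri']
  registered   = REGISTERED_CLIENTS[client_id]

  # Section 4.1.2.1: if client_id or redirect_uri cannot be validated, the
  # server MUST NOT redirect the user-agent to the supplied URI.
  return [:error, nil] if registered.nil?
  redirect_uri ||= registered.first
  return [:error, nil] unless registered.include?(redirect_uri)

  type = params['response_type']
  return [:ok, params] if allowed.include?(type)

  # Missing response_type is invalid_request; any other unknown value is
  # unsupported_response_type. state is echoed back when the client sent it.
  error = type.nil? || type.empty? ? 'invalid_request' : 'unsupported_response_type'
  query = { 'error' => error }
  query['state'] = params['state'] if params['state']
  [:error, "#{redirect_uri}?#{URI.encode_www_form(query)}"]
end
```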

Noted that. Thanks for the clarification.