We are trying to implement the OAuth flow in PowerBuilder windows application using Azure AD.

When the access token is requested using the "OAuthClient" and "TokenRequest" object with the grant_type as "Autherization_code" then we are always getting response as below:

400 - BAD request - error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid."

Above error is getting only for grant_type as "Autherization_code" and for other grant type (e.g. client_credential) it works as expected.

When the access token is requested using the "HttpClient" object then we are getting proper response and no error.

Is there any specific issue with "OAuthClient" and "TokenRequest" object and the grant_type as "Autherization_code" for access token request?

Is there any way to check what request exactly getting created using "OAuthClient" and "TokenRequest" objects for access token?

Is there any security concern or disadvantage of using "HttpClient" object for requesting the access token instead of  "OAuthClient" and "TokenRequest" object? Which one should be preferred option for the OAuth flow?

Below is the code used for creating request:

ltr_Request.tokenlocation = ls_url_1
ltr_Request.Method = "POST"
ltr_Request.granttype = "authorization_code"
ltr_Request.clientid = ls_id
ltr_Request.clientsecret = ls_secret
ltr_Request.ClearParams()
ltr_Request.AppendParam( "grant_type","authorization_code")
ltr_Request.AppendParam( "client_id", ls_id )
ltr_Request.AppendParam( "client_secret", ls_secret )
ltr_Request.AppendParam( "scope", ls_Scope )
ltr_Request.AppendParam( "code", ls_code )
ltr_Request.AppendParam( "redirect_uri", ls_Redirect )
ltr_Request.ClearHeaders()
ltr_Request.SetHeader("Content-Type","application/x-www-form-urlencoded")

li_rtn = loa_Client.AccessToken( ltr_Request, ltr_Response )

Please help here if anyone has experienced the similar issue.