REDIRECT_URI must match the setting for the APPLICATION:
The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.
The scope of the access request
The value is included when redirecting the user-agent back to the client
STATE is a control string that must be validated by the client
Generated by Odoo.
Must be included later in a token request LINK
Not reusable (can be used once)
REQUIRED. The authorization code generated by the authorization server.
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.
If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
The authorization code is bound to the client identifier and redirection URI.
REQUIRED if the "state" parameter was present in the client authorization request.
The exact value received from the client in the request
The remote application should validate if state is same as it was sent