After calling /oauth2/authorization, the AuthorizationRequest are stored in AuthorizationRequest#requests which is a static Map.
When calling /oauth2/token, we retrieve the AuthorizationRequest from the Map given the authoriation code.
=> If the call /oauth2/token is done on another node, the AuthorizationRequest does not exist.
AuthorizationRequest should probably be stored in Redis to avoid any issue.
The bug has been fixed in 9.2 thanks to
NXP-22329. Now we need a solution for 7.10 (and 8.10 if the customer moves to LTS 2016).