OK, I don't know if anyone can help on this.

The user making use of these endpoints, they tried to log in on Celestial twice - once receiving a 200 OK with url encoded response, and another 400 Bad Request which is likely because the code Celestial sent to Known's token endpoint could not be verified.

Other than maybe the user refreshing the page to try again (and thus causing code re-use), is there any reason for this to fail?

https://github.com/idno/indiepub/blob/master/Pages/IndieAuth/Token.php#L76