Ok I also opened https://jira.springsource.org/browse/SECOAUTH-360
Now that I look at it, OAuth2 spec requires parameters to be given as "application/x-www-form-urlencoded" in request body. It should ignore URL parameters. Current implementation happily accepts URL parameters, maybe it even requires them (I didn't test yet in the proper way).
How can I configure module to ignore URL parameters?