This is a bug I believe, and it took me 2-3 days to figure it out. Please do the following to get it working,
1) Remove the "?api-version=1.0" from your URL. I know it sounds strange but trust me their documentation is a mess.
2) Add a "Content-Type": "application/x-www-form-urlencoded" header in your request (hence you‘ll have to encode the post data values ... for example redirect_url=(encodedURL) etc
3) Remove unnecessary fields from post data REFER ... it should be like
{ ‘grant_type‘: "authorization_code", ‘resource‘: "your resource", ‘client_id‘: "your client Id", ‘redirect_uri‘: "your redirect URL", ‘client_secret‘: "your client secret", ‘code‘: "the code u got" }
I see you have done point 2 so you‘ll need to do point 1 and you‘re good to go.
Furthermore, if you want to get access_token quickly(if nothing I said works for you), then pass "client_credentials" in grant_type and you‘ll get a smaller response with access_token. But if you want the complete response with refresh_token as well, you‘ll have to do all those steps.
EDIT: There is one more mistake in their documentation, for Refresh Tokens >>> the URL should be oauth2/token and NOT oauth2/authorize
