In the /authorize request you need to follow our docs here
Each value for response_mode delivers different behavior:
form_post - Sends the token response as a form post instead of a fragment-encoded redirect. In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format. The action attribute of the form MUST be the Client's Redirection URI. The method of the form attribute MUST be POST.
fragment - Parameters are encoded in the URL fragment added to the redirect_uri when redirecting back to the client.
For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
Several merchants and integrators have reported that their OpenID processes do not redirect to the correct URL, and for these cases it has been identified that form_post mitigates the issue.
If you are able to exchange codes and tokens using fragment, that is also OK. MobilePay supports both.
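The receiving side of response_mode=form_post can be checked as in the following added example, which is not MobilePay's own code: it validates the POST that the user agent auto-submits to the redirect_uri before any code or token in it is used. The function name, the CallbackError class and the sample values are hypothetical; code, id_token, state and error are the standard OAuth 2.0 / OpenID Connect response parameters.

```python
import hmac
from urllib.parse import parse_qs

class CallbackError(Exception):
    """Raised when the authorization response must be rejected."""

def parse_form_post_callback(method, content_type, body, expected_state):
    """Validate a response_mode=form_post callback and return its parameters.

    method, content_type and body come from the request that hit the
    redirect_uri; expected_state is the value stored in the user's session
    when the /authorize request was built.
    """
    if method.upper() != "POST":
        raise CallbackError("form_post responses arrive via POST only")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        raise CallbackError("unexpected content type: " + media_type)
    try:
        fields = parse_qs(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True)
    except (UnicodeDecodeError, ValueError) as exc:
        raise CallbackError("malformed form body") from exc
    # A repeated parameter is ambiguous; reject rather than pick one.
    if any(len(values) != 1 for values in fields.values()):
        raise CallbackError("duplicate parameter in response")
    params = {name: values[0] for name, values in fields.items()}
    # Check state before anything else in the body is trusted.
    state = params.get("state", "")
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch")
    if "error" in params:
        raise CallbackError("authorization failed: " + params["error"])
    if "code" not in params and "id_token" not in params:
        raise CallbackError("no code or token in response")
    return params

if __name__ == "__main__":
    # Constructed sample request body, not captured from a real flow.
    sample = b"code=SAMPLE-CODE&state=SAMPLE-STATE"
    print(parse_form_post_callback(
        "POST", "application/x-www-form-urlencoded", sample, "SAMPLE-STATE"))
```
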