Starting from the bottom, as per the OAuth 2.0 specification:
The client MUST use the HTTP "POST" method when making access token requests.
(source: section 3.2. The OAuth 2.0 Authorization Framework)
so this explains why navigating to the request URL in a browser will fail (navigating issues a GET and only POST requests are supported).
The next point is the client authentication, more specifically, how you provide the client_id and client_secret parameters so that the server can validate you're a trusted client application. Again, per the spec, there are two ways this information should be passed:
- Through HTTP Basic authentication scheme as defined in [RFC2617] where the client identifier is passed as the username and the client secret is passed as the password. This method must be supported by an OAuth compliant server and is also the recommended way of doing it.
- By including the client credentials in the request-body, usually encoded as application/x-www-form-urlencoded (see example below). This method is optional and may not be available in some OAuth servers.
Example of passing client credentials in the request body:
```http
POST https://YOUR_NAMESPACE/oauth/token
Content-type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID&redirect_uri=http://YOUR_APP/callback&client_secret=YOUR_CLIENT_SECRET&code=AUTHORIZATION_CODE&grant_type=authorization_code
```
(source: step four of OAuth Web Application Protocol, click Plain Links in step two to see all the raw HTTP requests in a full authorisation code grant flow)
Now, for the Feedly use case I could not find anything in their documentation about supporting HTTP basic authentication. They do say the following about the parameters required to exchange a code for an access token:
Note: these parameters can either be passed in the URL, as form values, or in a JSON document. If you use a JSON document, make sure you pass the “Content-Type: application/json” header in the request.
(source: Exchanging an auth code for a refresh token and an access token)
One thing that's surprising is that they seem to allow passing the client credentials in the URL itself, which is something the OAuth specification clearly forbids:
The parameters (client_id and client_secret) can only be transmitted in the request-body and MUST NOT be included in the request URI.
(source: section 2.3.1. The OAuth 2.0 Authorization Framework)
In conclusion, according to their documentation what you're doing (passing the parameters in the URL itself) should be possible, unless the documentation is not up-to-date and they already fixed the non-compliance with the specification and no longer support this.
Additionally, there are a few things that you're doing that seem wrong. The code parameter is never passed in the Authorisation header, so unless you want to try to pass the client credentials in that header using Basic authentication I would suggest you remove this header.
I would also remove the Accept-Encoding header as their docs do not mention supporting anything other than returning a JSON response. If you want to maintain that header, change the value from gzip to application/json.
Finally, you're also not sending any data in the request body, so you may want to also remove the Content-Type header because Feedly might think that if this header is present then the data is on the request instead of the URL.
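To put the three spec points above (POST only, client credentials via HTTP Basic or the form body, never in the request URI) into runnable form, here is an added example that is not part of the original answer, of the OAuth specification or of Feedly's documentation. It builds a compliant authorization_code exchange and lints an arbitrary request against those rules, so the mistakes listed above (credentials in the query string, the code in the Authorization header, a Content-Type header with an empty body) show up as explicit findings. The URL placeholders are the ones used in the answer; the function names, the lint messages and the constructed bad request are my own.

```python
# Added example (not from the answer, the RFC or Feedly's docs): build a
# spec-compliant authorization_code token request and lint a request
# against the RFC 6749 rules quoted above (sections 2.3, 2.3.1 and 3.2).
# TOKEN_URL and the redirect URI are the placeholders from the answer;
# the function and message names are my own.
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://YOUR_NAMESPACE/oauth/token"  # placeholder from the answer


def build_token_request(client_id, client_secret, code, redirect_uri,
                        token_url=TOKEN_URL, use_basic_auth=True):
    """Return (method, url, headers, body) for an authorization_code exchange.

    With use_basic_auth=True the client credentials go in an HTTP Basic
    Authorization header (the method every compliant server must support);
    otherwise they are added to the form body. They never touch the URL.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if use_basic_auth:
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return "POST", token_url, headers, urlencode(form)


def lint_token_request(method, url, headers, body):
    """Return a list of problems; an empty list means the request follows
    the RFC 6749 rules quoted in the answer (sections 2.3, 2.3.1 and 3.2)."""
    problems = []
    if method.upper() != "POST":
        problems.append("token requests MUST use POST (section 3.2)")

    # Credentials in the query string are forbidden outright.
    query = parse_qs(urlsplit(url).query)
    for name in ("client_id", "client_secret"):
        if name in query:
            problems.append(f"{name} MUST NOT be in the request URI (section 2.3.1)")

    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization", "")
    has_basic = auth.startswith("Basic ")
    if auth and not has_basic:
        problems.append("Authorization header is not HTTP Basic; the code belongs in the body")

    form = parse_qs(body)
    has_body_creds = "client_id" in form and "client_secret" in form
    if not has_basic and not has_body_creds:
        problems.append("no client authentication via Basic header or form body (section 2.3)")
    if has_basic and has_body_creds:
        problems.append("client MUST NOT use more than one authentication method (section 2.3)")

    if "grant_type" not in form:
        problems.append("grant_type is missing from the form body")

    content_type = hdrs.get("content-type", "")
    if body and not content_type.startswith("application/x-www-form-urlencoded"):
        problems.append("form body needs Content-Type: application/x-www-form-urlencoded")
    if not body and content_type:
        problems.append("Content-Type is set but the request body is empty")
    return problems


if __name__ == "__main__":
    good = build_token_request("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                               "AUTHORIZATION_CODE", "http://YOUR_APP/callback")
    print("compliant request:", lint_token_request(*good))

    # Constructed request mirroring the mistakes the answer lists: GET with the
    # credentials in the query string, the code in the Authorization header and
    # a Content-Type header but no body.
    bad = lint_token_request(
        "GET",
        TOKEN_URL + "?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET",
        {"Authorization": "AUTHORIZATION_CODE",
         "Content-Type": "application/x-www-form-urlencoded",
         "Accept-Encoding": "gzip"},
        "",
    )
    for problem in bad:
        print("problem:", problem)
```

The lint deliberately reports every violation it finds rather than stopping at the first one, which is what you want when reviewing a captured request or a client library's outgoing traffic: a request that puts the secret in the URL usually has several other things wrong with it at the same time, and fixing only the first finding leaves the secret in server access logs and proxy histories.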