As described here, we are trying to save an AppEndUser in our authorization codes. We want to save this when creating an authorization code, because we want to control it's value and not let 3rd parties do this when exchanging the auth code for an access token. When exchanging this auth code for an access token, we expect this value to carry over, just like the other properties in the auth code.

Our policy looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAuthorizationCode">
    <DisplayName>GenerateAuthorizationCode</DisplayName>
    <Attributes>
        <Attribute name="company_uuid" ref="request.queryparam.company_uuid" display="true"/>
        <Attribute name="employee_uuid" ref="request.queryparam.employee_uuid" display="true"/>
        <Attribute name="shop_id" ref="request.queryparam.shop_id" display="true"/>
        <Attribute name="locale" ref="request.queryparam.locale" display="true">nl-NL</Attribute>
    </Attributes>
    <AppEndUser>request.queryparam.company_uuid</AppEndUser>
    <Operation>GenerateAuthorizationCode</Operation>
    <GenerateResponse enabled="true"/>
</OAuthV2>

However, when I get the authorization code information through this endpoint the AppEndUser is missing. Obviously, it's thereafter also missing from the access token where the auth code was exchanged for. The company_uuid attribute, which is using the same query parameter, is filled in correctly.

Because the example in the documentation was specifically for saving the AppEndUser in the access token, I was wondering if it's actually supported for the GenerateAuthorizationCode operation. The documentation doesn't explicitely confirm or deny this, and according to this answer it is supported.

I've also tried to add the AppEndUser configuration to the GenerateAccessToken operation, which does work as expected.

So my question is: Is this really supported, and if so, does anyone have an idea what's going wrong?