Is this instance an on-prem/hosted instance? If so, is it using a custom SSO plugin? If so, is that plugin using a /** pattern and/or running for the /oauth* service paths?
The only thing that makes sense is if you answered yes to all of these questions. If so, you need to make sure that your SSO filter doesn't run on /oauth* ... and you need to make sure that if you are relying on the browser to authorize that their is an active session in place for that flow so an identity can be paired to the token. Otherwise, you will need to login to finalize the authorization.