Hacker News

This is pretty bad, but I believe it is only possible to get an access token if you also allow malicious/non-trusted users to either create new OAuth client registrations (`Doorkeeper::Application` models) or modify the redirect URI of an existing OAuth client registration. The reason is that the access token is delivered over a redirect, not in the response to the form POST. Doorkeeper does check for a valid redirect URI.
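As an added example (not the commenter's code and not Doorkeeper's own implementation), the following Ruby sketch shows the point made above: the access token is only ever placed in the redirect, so an exact-match check of the requested `redirect_uri` against the client's registered URIs decides who receives it. The client id, URIs and function names are constructed for illustration.

```ruby
require "uri"
require "securerandom"

# Constructed sample registration (stand-in for a Doorkeeper::Application
# record): the redirect URIs are whatever the client owner registered.
REGISTERED_CLIENTS = {
  "client-123" => { redirect_uris: ["https://app.example/callback"] }
}.freeze

# Exact string match against the registered URIs. Prefix, host-only or
# pattern matching would let a different URI receive the redirect that
# carries the token, so the check is deliberately strict.
def redirect_uri_allowed?(client_id, requested)
  client = REGISTERED_CLIENTS[client_id]
  return false unless client
  return false if requested.nil? || requested.include?("#")
  client[:redirect_uris].include?(requested)
end

# Simulates the authorization endpoint handling the resource owner's
# consent form POST (implicit grant). The token is never in the POST
# response body; it travels only in the Location header of a 302 to the
# validated redirect_uri, so only the registered URI's owner sees it.
def authorize(client_id:, redirect_uri:)
  unless redirect_uri_allowed?(client_id, redirect_uri)
    # Invalid redirect_uri: respond with an error, never redirect there.
    return { status: 400, body: "invalid_redirect_uri" }
  end
  token = SecureRandom.hex(16)
  uri = URI.parse(redirect_uri)
  uri.fragment = "access_token=#{token}&token_type=bearer"
  { status: 302, location: uri.to_s, token: token }
end
```
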
