Commit Graph

6 Commits

Author SHA1 Message Date
Emelia Smith
77cf2abb3a
Improve /oauth/token request specs
Previously these specs passed incorrect parameters to both the authorization_code
and client_credentials grant flows.

The authorization_code flow does not accept a `scope` parameter; instead, the scope
is set when the access grant is created, per RFC 6749 Section 4.1.2. The `code`
parameter is accepted by this flow.

https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2

The client_credentials flow does not accept a `code` parameter, and instead accepts
a `scope` parameter, per RFC 6749 Section 4.4.1.

https://www.rfc-editor.org/rfc/rfc6749#section-4.4.1

This ensures we're only testing valid OAuth flows, and not deviating from the
specification. The OAuth flows should ignore any unknown parameters (i.e., passing
`code` to client_credentials would have no impact on the functionality, and this
would be asserted at the Doorkeeper level).
2025-04-24 18:13:56 +02:00
Emelia Smith
5a5f1a3718
Change /oauth/token request specs to use client_secret_basic authentication 2025-04-24 18:11:10 +02:00
Matt Jankowski
6463415e06
Update rubocop-rspec to version 3.6.0 (#34497) 2025-04-24 14:56:13 +00:00
Matt Jankowski
8ef546fe6b
Convert oauth/tokens#revoke spec controller->request (#34174) 2025-03-18 08:16:42 +00:00
Matt Jankowski
6b6a80b407
Remove body_as_json in favor of built-in response.parsed_body for JSON response specs (#31749) 2024-09-06 09:58:46 +00:00
David Roetzel
0374918746
Add spec for doorkeeper behavior around issuing tokens (#31545) 2024-08-23 08:20:32 +00:00