Nothing like a request to /oauth/token in my production log (just emptied it before trying to create a team). The whole process is something like :
Started GET "/oauth/authorize
...
Started POST "/oauth/authorize"
...
Redirected to http://mattermost.mydomain.com/signup/gitlab/complete
Completed 302 Found in 71ms (ActiveRecord: 46.8ms)
The only reference to a token I can found is the "authenticity_token" parameter of the POST /oauth/authorize :
Processing by Oauth::AuthorizationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", ....