node-oauth2-server
RFC 6749#4.1.2.1 - fix order of error handling
According to https://tools.ietf.org/html/rfc6749#section-4.1.2.1, only when the redirect_uri & client_id were correct, the authorisation server should inform the client that the user had denied access.
The change is to move validation of resource owner approval after the
redirect_uri & client_id validation so the correct redirect url is computed.
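
The check order described above, as an added example that is not node-oauth2-server's own code. The `authorizeDecision` helper, the `CLIENTS` registry, the `reason` strings and the sample URIs are all hypothetical and constructed for illustration.

```javascript
// Constructed sample registry; the client id and URI are illustrative only.
const CLIENTS = {
  'client-1': { redirectUris: ['https://app.example/callback'] },
};

// Hypothetical helper: returns a decision object rather than writing an
// HTTP response, so the order of the checks is easy to inspect.
function authorizeDecision(query, userApproved, clients = CLIENTS) {
  // 1. Unknown or missing client_id: show an error page, never redirect.
  const id = String(query.client_id);
  if (!Object.prototype.hasOwnProperty.call(clients, id)) {
    return { action: 'show_error', reason: 'unknown_client' };
  }
  const client = clients[id];

  // 2. redirect_uri must exactly match a registered URI (assumption: no
  //    default URI is applied when the parameter is missing).
  if (!client.redirectUris.includes(query.redirect_uri)) {
    return { action: 'show_error', reason: 'redirect_uri_mismatch' };
  }

  // 3. Only now is the resource owner's decision reported to the client,
  //    through the redirect URI that has just been validated.
  const target = new URL(query.redirect_uri);
  if (query.state) target.searchParams.set('state', query.state);
  if (!userApproved) {
    target.searchParams.set('error', 'access_denied');
    return { action: 'redirect', location: target.toString() };
  }
  target.searchParams.set('code', 'SAMPLE_CODE'); // placeholder, not a real code
  return { action: 'redirect', location: target.toString() };
}
```

With the approval check placed first, a denied request carrying an unregistered `redirect_uri` would produce a redirect to that unvalidated URI; in this order it ends at the error page instead.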