We’re trying to authenticate with an OAuth 2.0 server, using the “Client Authentication” model of “Send as Basic Auth header”. The problem that we are seeing is that even under this option, the client_id value is sent in the body of the token exchange, as well as in the Basic HTTP authorization value.

My understanding of the RFC 6749 specification is that, when using Basic authentication, the client_id value is not required in the body. It appears our OAuth 2.0 server is expecting that both values are provided in the request body, or both are provided in the Basic header value (referencing section 2.3.1 of the standard).

Is my understanding correct? Is Postman generating a flawed token exchange request, or is the authorization server being too restrictive in the requests being made?
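To make the two client-authentication options concrete, here is an added example (not part of the post, and not Postman's or any particular authorization server's code) that builds a token request either way and then shows a server-side check in the style RFC 6749 describes. Section 2.3.1 requires the authorization server to support HTTP Basic, where client_id and client_secret are each application/x-www-form-urlencoded before being joined with a colon and base64-encoded (Appendix B), and calls putting the credentials in the request body NOT RECOMMENDED; section 2.3 says a client MUST NOT use more than one authentication method in a single request. The credentials, the redirect URI, the `registry` dict and the function names are all constructed for the example.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed sample client credentials (not real values); the characters are
# chosen so that the form-encoding step in section 2.3.1 actually matters.
CLIENT_ID = "my app"
CLIENT_SECRET = "s3cr3t/with?chars"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 / Appendix B: form-encode id and secret, then HTTP Basic."""
    userpass = f"{quote_plus(client_id, safe='')}:{quote_plus(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, code, redirect_uri, mode):
    """Return (headers, form_body) for an authorization_code token exchange.

    mode == "header": credentials only in the Authorization header (the
                      method the server MUST support).
    mode == "body":   credentials only as client_id/client_secret form
                      parameters (NOT RECOMMENDED by RFC 6749, but permitted).
    The two are never combined, per section 2.3.
    """
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if mode == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif mode == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError("mode must be 'header' or 'body'")
    return headers, urlencode(params)


def authenticate_client(headers, body, registry):
    """Server-side client authentication for the token endpoint.

    registry maps client_id -> client_secret (a hypothetical in-memory store).
    Returns (client_id, None) on success or (None, error_code) otherwise.
    Accepts EITHER the Basic header OR body credentials; a request that carries
    a secret both ways is rejected as invalid_request, since section 2.3
    forbids using more than one method. A bare client_id in the body next to a
    Basic header is tolerated only if it names the same client.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization", "")
    has_basic = auth.startswith("Basic ")
    has_body_secret = "client_secret" in form

    if has_basic and has_body_secret:
        return None, "invalid_request"
    if has_basic:
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
            enc_id, enc_secret = raw.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None, "invalid_client"
        client_id, secret = unquote_plus(enc_id), unquote_plus(enc_secret)
        if "client_id" in form and form["client_id"] != client_id:
            return None, "invalid_request"
    elif has_body_secret:
        client_id, secret = form.get("client_id", ""), form["client_secret"]
    else:
        return None, "invalid_client"

    expected = registry.get(client_id, "")
    # Constant-time comparison so a wrong secret cannot be timed character by character.
    if not expected or not hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8")):
        return None, "invalid_client"
    return client_id, None


if __name__ == "__main__":
    registry = {CLIENT_ID: CLIENT_SECRET}
    for mode in ("header", "body"):
        hdrs, form_body = build_token_request(CLIENT_ID, CLIENT_SECRET, "abc123",
                                              "https://client.example/cb", mode)
        print(mode, "->", authenticate_client(hdrs, form_body, registry))
```

The interesting case for the question above is the last branch of `authenticate_client`: a server written this way accepts a Basic header on its own, so a body that merely repeats the same client_id is harmless, while a body that also carries client_secret is refused because that is the "more than one method" situation the RFC rules out.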