We’re trying to authenticate with an OAuth 2.0 server, using the “Client Authentication” model of “Send as Basic Auth header”. The problem that we are seeing is that even under this option, the client_id value is sent in the body of the token exchange, as well as in the Basic HTTP authorization value.

My understanding of the RFC 6749 specification is that, when using Basic authentication, the client_id value is not required in the body. It appears our OAuth 2.0 server is expecting that both values are provided in the request body, or both are provided in the Basic header value (referencing section 2.3.1 of the standard).

Is my understanding correct? Is Postman generating a flawed token exchange request, or is the authorization server being too restrictive in the requests being made?
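As an added illustration (not part of the original post), here is the server-side check that RFC 6749 section 2.3.1 implies, in Python: it decodes the Basic header (client_id and client_secret are form-urlencoded before being joined with ":" and base64-encoded), reads the form body, and rejects a request only when it actually carries two authentication methods (Basic plus client_secret in the body). A bare client_id in the body next to a Basic header is treated as identification rather than a second method and is simply cross-checked against the header. Function names and the sample requests are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, quote, unquote


def make_basic_header(client_id, client_secret):
    """Build the Basic header as RFC 6749 section 2.3.1 describes: percent-encode
    both values, join with ':', base64-encode the result."""
    token = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(token.encode()).decode()


def parse_basic_client_auth(auth_header):
    """Return (client_id, client_secret) from a Basic header, or None if the
    header is absent or malformed. Values are percent-decoded after the split."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    cid, secret = raw.split(":", 1)
    return unquote(cid), unquote(secret)


def classify_token_request(headers, body):
    """Describe which client authentication methods a token request carries.
    `headers` is a dict, `body` the application/x-www-form-urlencoded body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    basic = parse_basic_client_auth(headers.get("Authorization"))
    body_id, body_secret = params.get("client_id"), params.get("client_secret")
    methods = []
    if basic is not None:
        methods.append("basic")
    if body_secret is not None:  # a secret in the body is the body method
        methods.append("body")
    result = {"methods": methods, "client_id_in_body": body_id is not None}
    if len(methods) > 1:
        result["verdict"] = "reject: more than one authentication method"
    elif basic is not None and body_id is not None and body_id != basic[0]:
        result["verdict"] = "reject: client_id in body does not match Basic header"
    elif methods:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "no client authentication"
    return result


if __name__ == "__main__":
    hdr = make_basic_header("my-client", "s3cret")  # constructed credentials
    print(classify_token_request({"Authorization": hdr},
                                 "grant_type=authorization_code&code=abc&client_id=my-client"))
```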