OAuth2.0 refresh without Basic authentication header

Hi all,
Following the fix (thanks for that!) of Issue #11559 I’m revisiting getting my Collection to automatically refresh my OAuth2 token when it’s expired.

I can now put client_id in the refresh payload using the new ‘advanced’ section, but I’m still getting an ‘invalid_client’ error. I duplicated the call from the console into a new request, and discovered that the problem is that the request performed by Postman’s refresh code has an Authorization header (Basic auth of {{client_id}}:{{client_secret}}; if I remove that header and just send the body:

refresh_token: <refresh_token>
grant_type: 'refresh_token'
client_id: '<<my client_id>'

then I get a new token correctly returned.
I must be missing something here: how can I NOT send an Authorization header? I can’t see an option to turn it off. The target generating the token is an AWS Cognito provider, and I can’t change its options because it’s used by a bunch of other services.

New tokens are generated using Grant Type=‘Authorization Code’ so it pops up a browser to authenticate, so I shouldn’t need to send any auth header, right?

Thoughts? I’m sure it’s operator error but I can’t figure out where…