
ACCESS_TOKEN_METHOD should default to POST instead of GET

Open severi opened this issue 6 years ago • 3 comments

According to the RFC (https://tools.ietf.org/html/rfc6749#section-3.2) the client MUST use POST method when making access token requests. The default value for ACCESS_TOKEN_METHOD conflicts with this (at least with OAUTH2).

https://github.com/python-social-auth/social-core/blob/563d0e5e97e9c5e6289609d09d2e7bf7c2f3165d/social_core/backends/oauth.py#L31

severi, Oct 24 '18 09:10

@omab This seems to still be an issue. Especially when trying to configure OIDC with Authentik

collinpreston, Jan 28 '23 16:01

The generic OIDC backend does not have this issue, because it overrides the ACCESS_TOKEN_METHOD. Note that changing this might have quite a few repercussions for other backends, because they subclass the OAuth2 backend. So maybe we should at least warn people that this has been changed.

However, I'm definitely for changing this one, because we should always adhere to the RFCs.

davidhalter, Jan 28 '23 21:01

I agree. Actually, most backends do override ACCESS_TOKEN_METHOD. There are few backends which subclass from BaseOAuth2 and do not override ACCESS_TOKEN_METHOD though, so they are currently using GET.

nijel, Jan 30 '23 12:01
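The point raised in the opening post (RFC 6749 section 3.2 requires POST for the token endpoint) and in the later comments (backends that subclass `BaseOAuth2` without overriding `ACCESS_TOKEN_METHOD` silently use GET) can be seen concretely with a small stand-alone illustration. The following is an added example, not social-core's code: `BaseOAuth2Like` and `CompliantBackend` are hypothetical classes that only mirror the class-attribute pattern the thread talks about, the token URL and the credential values are constructed, and `audit_token_request` is a hypothetical check showing why GET is a problem beyond spec compliance, since the authorization code and `client_secret` end up in the URL query string, where proxies, web server access logs and browser history routinely record them.

```python
"""Why ACCESS_TOKEN_METHOD matters: GET puts credentials in the URL.

Hypothetical mini-backend mirroring the class-attribute style of
social-core's BaseOAuth2 (this is NOT social-core's code).
"""
from urllib.parse import parse_qs, urlencode, urlsplit


class BaseOAuth2Like:
    # Constructed values for the example; not a real identity provider.
    ACCESS_TOKEN_URL = "https://idp.example/oauth/token"
    # Mirrors the default the issue is about: GET unless a subclass overrides.
    ACCESS_TOKEN_METHOD = "GET"

    def build_token_request(self, code, client_id, client_secret, redirect_uri):
        """Build the authorization-code token request as a plain dict.

        Returns {"method", "url", "headers", "body"} so the shape of the
        request can be inspected without sending anything over the network.
        """
        params = {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uri": redirect_uri,
        }
        if self.ACCESS_TOKEN_METHOD == "POST":
            # RFC 6749 section 3.2: parameters go in the form-encoded body.
            return {
                "method": "POST",
                "url": self.ACCESS_TOKEN_URL,
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode(params),
            }
        # GET variant: everything, secrets included, lands in the query string.
        return {
            "method": "GET",
            "url": self.ACCESS_TOKEN_URL + "?" + urlencode(params),
            "headers": {},
            "body": "",
        }


class CompliantBackend(BaseOAuth2Like):
    """What a backend that follows the RFC looks like: override the method."""
    ACCESS_TOKEN_METHOD = "POST"


# Parameters that must never appear in a URL (logged by proxies and servers).
SENSITIVE_PARAMS = {"code", "client_secret"}


def audit_token_request(req):
    """Return a list of findings for a built token request.

    Two checks: the method must be POST (RFC 6749 section 3.2), and no
    sensitive parameter may be present in the URL query string.
    """
    findings = []
    if req["method"] != "POST":
        findings.append(
            f"token request uses {req['method']}; RFC 6749 section 3.2 requires POST"
        )
    query = parse_qs(urlsplit(req["url"]).query)
    leaked = sorted(SENSITIVE_PARAMS & set(query))
    if leaked:
        findings.append(
            "sensitive parameters exposed in URL query: " + ", ".join(leaked)
        )
    return findings


if __name__ == "__main__":
    args = ("AUTHCODE123", "client-id", "client-secret-value", "https://app.example/cb")
    for backend in (BaseOAuth2Like(), CompliantBackend()):
        req = backend.build_token_request(*args)
        print(type(backend).__name__, req["method"], audit_token_request(req))
```

Running the audit over both classes shows the default-method backend flagged twice (wrong method, and `client_secret` plus `code` in the URL) while the overriding subclass passes cleanly; the same check can be pointed at any subclass to find the ones the last comment mentions that still rely on the GET default.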