Bug report: OAuth2 Password Credentials grant sends both header & body
When choosing the "Password Credentials" grant for OAuth2 token fetching, the option "Client Authentication" is shown. The option "Send client credentials in body" adds ClientID and ClientSecret to the request body, as expected.
The option "Send as Basic Auth header" adds a base64 hash of ClientID and ClientSecret to an Authorization header (also as expected). But: they are also still added to the request body. This leads IDP software (in this case Okta) to complain that ClientID is sent multiple times, with errors:
Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.
See also these screenshots:


Any updates on this? This is pretty much a blocker for our API testing with Stoplight...
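The two client authentication modes from the report above, as an added example (not part of the original thread and not Stoplight's or Okta's code): a request builder that puts the client credentials in exactly one place, and a test-side check that flags a request carrying them in more than one. The function names, the sample values and the simplified check are assumptions made for illustration.

```javascript
// Added example. All names and sample values here are constructed.

// application/x-www-form-urlencoded encoding of a single value (RFC 6749, Appendix B).
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}

// Build a password-grant token request with client credentials in exactly one place.
function buildTokenRequest({ clientAuth, clientId, clientSecret, username, password }) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const body = new URLSearchParams({ grant_type: "password", username, password });

  if (clientAuth === "basic") {
    // RFC 6749 section 2.3.1: form-encode id and secret, join with ":", then base64.
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = "Basic " + Buffer.from(pair, "utf8").toString("base64");
  } else if (clientAuth === "body") {
    body.set("client_id", clientId);
    body.set("client_secret", clientSecret);
  } else {
    throw new Error(`unknown clientAuth mode: ${clientAuth}`);
  }
  return { headers, body: body.toString() };
}

// List the places a request carries client credentials (simplified check for tests).
function clientAuthLocations(request) {
  const found = [];
  const auth = request.headers.Authorization || "";
  if (/^Basic\s/i.test(auth)) found.push("header");
  const params = new URLSearchParams(request.body);
  if (params.has("client_id") || params.has("client_secret")) found.push("body");
  if (params.has("client_assertion")) found.push("client_assertion");
  return found;
}

const sample = { clientId: "example-client", clientSecret: "s3cr3t value", username: "alice", password: "pw" };
const basic = buildTokenRequest({ clientAuth: "basic", ...sample });
const inBody = buildTokenRequest({ clientAuth: "body", ...sample });
// The shape described in the report: header set, credentials still in the body.
const reported = { headers: basic.headers, body: inBody.body };

for (const [name, req] of Object.entries({ basic, inBody, reported })) {
  const where = clientAuthLocations(req);
  console.log(name, where, where.length === 1 ? "ok" : "multiple client credentials");
}
```

Running the same check against requests captured from an API client in a regression test catches the duplicated credentials before the identity provider rejects them.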