Authenticate clients with form parameters
Clients that have a client secret can send the client ID in the
client_id form parameter
and the secret in the
client_secret form parameter in the body of the request.
$ curl \ --request POST \ --data "client_id=myClient" \ --data "client_secret=forgerock" \ …
This is the simplest way to authenticate to any of the OAuth 2.0 endpoints, and the most insecure, since the client credentials are exposed. Ensure that communication with the authorization server happens over a secure protocol to protect the secret, and use this method in production only if the other methods are not available for your client.
OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect client authentication.