Disallowing HTTP query parameters for client_id/client_secret with authorization_code grant_type #1753
Unanswered
TomNaessens asked this question in Q&A
Replies: 0 comments
Hi all, 👋
I was looking into some of our logs, and noticed that some clients were using HTTP query parameters to pass along the client_id and client_secret as opposed to sending them in the POST body. Looking at the OAuth2 spec, this is a "must not" way of authenticating the client:
Local testing confirms that Doorkeeper accepts both POST body parameters and HTTP query parameters in the URL. I kind of get why this is "allowed" here: Rails doesn't really care if you send params through HTTP query parameters or through the URL-encoded body params. They all just end up as "params" when parsing those (source).
Is this something that's been discussed or looked into? I tried to find any documentation or issues on this topic, but I was unable to find anything. It's likely that I've missed something though!
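One way an application could enforce the "must not" rule itself, as an added example that is neither Doorkeeper's code nor part of the original post: a small Rack middleware mounted ahead of the token endpoint that rejects requests carrying client_id or client_secret in the query string (the /oauth/token path and the JSON error shape are assumptions).

```ruby
# Added example, not Doorkeeper's own code: a Rack middleware that refuses
# token requests carrying client_id / client_secret in the query string, so
# client credentials can only arrive in the POST body (or an Authorization
# header). Only the token endpoint is guarded: the authorize endpoint
# legitimately receives client_id as a query parameter.
require "uri"
require "json"

class RejectQueryClientCredentials
  FORBIDDEN = %w[client_id client_secret].freeze

  # token_path is an assumed default; adjust to the app's Doorkeeper mount point.
  def initialize(app, token_path: "/oauth/token")
    @app = app
    @token_path = token_path
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"] == @token_path

    offending = self.class.credentials_in_query(env["QUERY_STRING"].to_s)
    return @app.call(env) if offending.empty?

    # RFC 6749 style error response; credentials that landed in the query
    # string would otherwise be written to access logs and proxy logs.
    body = JSON.generate(
      error: "invalid_request",
      error_description: "#{offending.join(', ')} must not be sent as query parameters"
    )
    [400, { "content-type" => "application/json", "cache-control" => "no-store" }, [body]]
  end

  # Returns the forbidden parameter names present in a raw query string.
  def self.credentials_in_query(query_string)
    URI.decode_www_form(query_string).map(&:first).uniq & FORBIDDEN
  end
end
```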