What is the problem with that? You know that the client credentials flow will normally just send the exact same information, principal and secret, in the form, right? How is sending a header with the information bad, especially when it was being done for ages already in this use case?
brabel|1 year ago
grayhatter|1 year ago
leeches
(To actually answer your question, there are a number of tricks you can use to prevent abuse that aren't effective when using HTTP Basic)