rapi-doc / RapiDoc

RapiDoc - WebComponent for OpenAPI Spec
https://rapidocweb.com
MIT License
1.71k stars, 285 forks

client_id (and secret) present in both header and body #1017

Closed ctron closed 2 months ago

ctron commented 4 months ago

Despite the fact that there is a drop down for choosing where to put the client_id/client_secret combination, the information is always put into both places: authorization header and body.

headers:

POST /realms/foo/token HTTP/1.1
[…]
authorization: Basic ZnJvbnRlbmQ6
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
[…]

body:

grant_type=authorization_code
client_id=frontend
client_secret
redirect_uri=http://localhost:8080/rapidoc/oauth-receiver.html
code=rBjGcG9NH3xanreyW9J6Nw==
code_verifier=731DB1C3F7EA533B85E29492D26AA-1234567890-1234567890

In this case, this leads to the situation that the backend refuses to issue the token, as two credentials seem to be present.
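The client-authentication rule the report turns on, as an added example that is not RapiDoc's code: RFC 6749 section 2.3.1 lets a client authenticate to the token endpoint with either client_secret_basic (the Authorization header) or client_secret_post (client_id/client_secret form parameters), and says it MUST NOT use more than one method in the same request, which is what a server such as the one in the report rejects. The function names, the lint helper and the reproduced request below are assumptions made for illustration; only the header and body values are taken from the report.

```javascript
// Added example, not RapiDoc's code. Builds an OAuth 2.0 token request that
// sends the client credentials in exactly one place, and lints a request for
// the double-credential mistake described in the report.

// Encode a key/value map as application/x-www-form-urlencoded.
function formEncode(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// authMethod: 'header' (client_secret_basic) or 'body' (client_secret_post).
// params: the grant parameters (grant_type, code, redirect_uri, code_verifier, ...).
// Returns { headers, body } for the POST to the token endpoint. Hypothetical API.
function buildTokenRequest({ clientId, clientSecret, authMethod, params }) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' };
  const bodyParams = { ...params };
  if (authMethod === 'header') {
    // RFC 6749 section 2.3.1: form-encode id and secret, join with ':', then base64.
    const raw = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret ?? '')}`;
    headers['Authorization'] = 'Basic ' + Buffer.from(raw, 'utf8').toString('base64');
    // Deliberately nothing client-related goes into the body in this mode.
  } else if (authMethod === 'body') {
    bodyParams.client_id = clientId;
    if (clientSecret) bodyParams.client_secret = clientSecret;
  } else {
    throw new Error(`unknown authMethod: ${authMethod}`);
  }
  return { headers, body: formEncode(bodyParams) };
}

// Check a request before sending it. Returns a list of problems; an empty
// list means the credentials are present in exactly one place.
function lintTokenRequest({ headers, body }) {
  const problems = [];
  const params = new URLSearchParams(body);
  const inHeader = Object.keys(headers).some((h) => h.toLowerCase() === 'authorization');
  const inBody = params.has('client_secret');
  if (inHeader && inBody) {
    problems.push('two client authentication methods in one request (Basic header and client_secret in body)');
  }
  if (!inHeader && !params.has('client_id')) {
    problems.push('no client identification at all');
  }
  return problems;
}

// Constructed reproduction of the request in the report: the Authorization
// header and the client_id/client_secret body parameters are both present.
const REPORTED_REQUEST = {
  headers: {
    authorization: 'Basic ZnJvbnRlbmQ6',
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
  },
  body: [
    'grant_type=authorization_code',
    'client_id=frontend',
    'client_secret',
    'redirect_uri=http://localhost:8080/rapidoc/oauth-receiver.html',
    'code=rBjGcG9NH3xanreyW9J6Nw==',
    'code_verifier=731DB1C3F7EA533B85E29492D26AA-1234567890-1234567890',
  ].join('&'),
};

// Decode the Basic credential so the reader can see what the server saw.
function decodeBasic(headerValue) {
  return Buffer.from(headerValue.replace(/^Basic\s+/i, ''), 'base64').toString('utf8');
}
```

Decoding the header from the report gives `frontend:`, i.e. client_id `frontend` with an empty secret, which is the same identity the body repeats; the lint flags that request, while either mode of buildTokenRequest on its own passes.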

mrin9 commented 2 months ago

I am unable to recreate this in our sample test case https://rapidocweb.com/examples/auth.html in v9.3.6. If you would like to reopen this issue, please provide me with a sample spec.