ProtocolRequest.ClientCredentialStyle default value does not match rfc6749

[royvandertuuk]

According to rfc6749, authentication via headers is recommended.

"Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme"

The reasoning behind the recommendation is:

• Every authorization server MUST support the HTTP Basic authentication scheme, therefore it should work with every authorization server that follows the specification
• Authorization headers are recognized and specially treated by HTTP proxies and servers. Thus, the usage of such headers for sending client credentials to resource servers reduces the likelihood of leakage or unintended storage of these credentials

https://tools.ietf.org/html/rfc6749#section-2.3.1

Therefore I think the AuthorizationHeader.AuthorizationHeader is a better default for ProtocolRequest.ClientCredentialStyle.
Can this be changed?

[leastprivilege]

Technically speaking? of course.

The reason we default to body was that historically many AS had (or have) a wrong implementation of the header method - since it is not HTT basic authentication - but a slight variation.

Maybe these problems are ironed out today so we can re-visit this for the next major version (since this is a behaviorial breaking change).

[royvandertuuk]

Thanks for clarifying the reasoning behind the current default value.
Would be nice to have this in identityModel 6.0 so the default will use the safest authentication method.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. If you have any further concerns, please open a new issue.