Tags: oauth-2.0, facebook-login, azure-active-directory, google-oauth

Why does OAuth 2.0 say "Client password in request body not recommended"?


The client authentication section of the OAuth spec (section 2.3.1) says the following:

   Including the client credentials in the request-body using the two
   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
   to directly utilize the HTTP Basic authentication scheme (or other
   password-based HTTP authentication schemes).

I don't understand the reason why this is not recommended. How is HTTP Basic auth better than this approach? Can someone explain?


Solution

  • The POST request parameters are really OAuth 2.0 specific and would typically end up in application layers and server/application logs, whereas HTTP Basic authentication is generic and pretty widely deployed on lower infrastructure levels (i.e. the system's HTTP stack), hopefully with some security measures around them already in place.

    Thus, its value may be consumed and removed by the HTTP server itself, preventing it from creeping up to higher-level and potentially less secure/trusted applications and their log files.
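The following is an added example (not part of the answer above) that simulates the two layers the answer describes: a front HTTP stack that consumes the `Authorization` header, and a naive application layer that logs whatever reaches it. The `http_layer`, `app_layer_log` and `secret_leaks_to_app_log` functions are hypothetical stand-ins for real infrastructure; the request construction follows RFC 6749 section 2.3.1 (client_id and client_secret are form-urlencoded, joined with a colon, and Base64-encoded for Basic auth).

```python
import base64
from urllib.parse import urlencode, quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Basic Authorization header value as RFC 6749 §2.3.1 specifies:
    each credential is form-urlencoded before the colon-join and Base64 step."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, use_basic: bool):
    """Return (headers, body) for a client_credentials token request.
    With use_basic=True the secret travels in the Authorization header;
    otherwise it is placed in the form body (the NOT RECOMMENDED option)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials"}
    if use_basic:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    return headers, urlencode(body)


def http_layer(headers: dict, body: str):
    """Hypothetical front HTTP stack: it strips the Authorization header,
    verifies it (verification is stubbed here), and hands only a principal
    plus the remaining request on to the application."""
    remaining = dict(headers)
    auth = remaining.pop("Authorization", None)
    principal = None
    if auth and auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        client_id, _secret = decoded.split(":", 1)
        principal = unquote(client_id)  # a real stack would check _secret here
    return principal, remaining, body


def app_layer_log(headers: dict, body: str) -> str:
    """Hypothetical careless application log line that dumps the full request."""
    return f"headers={headers} body={body}"


def secret_leaks_to_app_log(client_id: str, client_secret: str, use_basic: bool) -> bool:
    """True if the client secret ends up in the application-layer log line."""
    headers, body = build_token_request(client_id, client_secret, use_basic)
    _principal, app_headers, app_body = http_layer(headers, body)
    return client_secret in app_layer_log(app_headers, app_body)


if __name__ == "__main__":
    # Constructed sample credentials; not real values.
    for use_basic in (False, True):
        leaked = secret_leaks_to_app_log("cid", "s3cret", use_basic)
        print(f"use_basic={use_basic}: secret in app log? {leaked}")
```

Run as a script and the body-parameter variant reports the secret in the application log while the Basic variant does not, which is exactly the layering argument the answer makes: the front HTTP stack can remove the header before any application code or logging sees it, whereas form fields are opaque to that layer and flow through.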