
v4: Add configuration for client authentication using HTTP Basic Auth #1855

Open
5 tasks done
SiebelsTim opened this issue Dec 20, 2024 · 1 comment

Comments

@SiebelsTim

SiebelsTim commented Dec 20, 2024

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

In v3, client authentication used HTTP Basic Authentication. In v4, this changed and is not configurable.

The OAuth 2.0 specification states (https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1):

Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).

Describe the ideal solution

I think we should default to Basic Auth as described in the OAuth spec. If using the client_secret in the body is needed, we could add a configuration parameter.

Alternatives and current workarounds

No response

Additional context

A change should be listed in the migration document. Preferably no breaking change.

@guabu

guabu commented Jan 3, 2025

Hey @SiebelsTim 👋 The default token endpoint authentication method for a new client created via the Dashboard is client_secret_post, so we tried to be consistent with that. OAuth 2.1 amends the recommendation:

Including the credentials in the request body content avoids the encoding issues and leads to more interoperable implementations
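
As an added, SDK-independent illustration (not code from this issue or from the library being discussed), the Python below builds the same client_credentials token request both ways, client_secret_basic and client_secret_post, and shows the form-urlencoding step that RFC 6749 section 2.3.1 requires before base64-encoding "id:secret" for Basic auth, which is the encoding problem the OAuth 2.1 text alludes to. The client_id and client_secret values are constructed for the example and deliberately contain ':' and '%'.

```python
import base64
from urllib.parse import quote, unquote, urlencode

# Constructed sample credentials (not real values). Both contain characters that
# break a naive "id:secret" Basic encoding: ':' collides with the separator and
# '%' is ambiguous unless the credentials are form-urlencoded first.
CLIENT_ID = "my:app"
CLIENT_SECRET = "p%40ss:w0rd"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic per RFC 6749 s2.3.1: form-urlencode each credential,
    join with ':', then base64-encode the result."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def naive_basic_auth_header(client_id: str, client_secret: str) -> str:
    """The common interoperability mistake: plain Basic encoding with no
    form-urlencoding step, so a ':' in the client_id corrupts the split."""
    pair = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def decode_basic_header(header: str) -> tuple[str, str]:
    """Server-side view of the header: base64-decode, split on the first ':',
    then percent-decode both halves."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    enc_id, _, enc_secret = raw.partition(":")
    return unquote(enc_id), unquote(enc_secret)


def build_token_request(client_id: str, client_secret: str,
                        method: str = "client_secret_basic") -> tuple[dict, str]:
    """Return (headers, form_body) for a client_credentials token request using
    the chosen token endpoint authentication method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials"}
    if method == "client_secret_basic":
        # Credentials travel only in the Authorization header.
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        # Credentials travel as form fields; urlencode() escapes them once.
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token endpoint auth method: {method}")
    return headers, urlencode(body)
```

With the constructed secret, the RFC-correct header round-trips through decode_basic_header while the naive one does not, which is the mismatch that shows up as an invalid_client error against a conforming server.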
