Allow `client_id` to be provided in Authorization header

A number of OAuth2 clients prefer to send the `client_id` in the `Authorization` header with HTTP Basic auth, instead of in the request body.

To make it easier to interoperate with these clients, we can pull the `client_id` out of the `Authorization` header and prefer it over a `client_id` in the request body, in case multiple are sent.

This is made easier using the `httpBasic` support for MockMvc with `spring-security-test`.

This may be added to the IndieAuth spec (https://github.com/indieweb/indieauth/issues/76).

Closes #309 (closed).
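
The lookup order described in this commit message, as an added example in plain Java (Java 10 or later); it is not the project's code. The class and method names are hypothetical, and form-decoding the Basic username follows RFC 6749 section 2.3.1, which the commit message itself does not mention.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper, not the project's class.
public class ClientIdResolver {

    // client_id from an "Authorization: Basic ..." header, or empty if absent/malformed.
    static Optional<String> fromBasicHeader(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            String userPass = new String(raw, StandardCharsets.UTF_8);
            int colon = userPass.indexOf(':');
            if (colon <= 0) {
                return Optional.empty(); // no separator, or empty username
            }
            // RFC 6749 section 2.3.1: the client_id is form-urlencoded before it
            // becomes the Basic username. An IndieAuth client_id is a URL, so an
            // unencoded one would be cut at the ':' after its scheme.
            String id = URLDecoder.decode(userPass.substring(0, colon), StandardCharsets.UTF_8);
            return Optional.of(id);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // invalid Base64 or invalid percent-escape
        }
    }

    // Header value wins when both are sent; the body parameter is the fallback.
    static Optional<String> resolve(String authorization, String bodyClientId) {
        Optional<String> fromHeader = fromBasicHeader(authorization);
        if (fromHeader.isPresent()) {
            return fromHeader;
        }
        return Optional.ofNullable(bodyClientId).filter(s -> !s.isEmpty());
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String user = URLEncoder.encode("https://app.example/", StandardCharsets.UTF_8);
        String header = "Basic " + Base64.getEncoder()
                .encodeToString((user + ":").getBytes(StandardCharsets.UTF_8));
        System.out.println(resolve(header, "https://other.example/")); // header present
        System.out.println(resolve(null, "https://other.example/"));   // body only
        System.out.println(resolve("Basic !!!", null));                // malformed header
    }
}
```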