introspect() sends client credentials in both Authorization header and POST body when using client_secret_basic #556

@Baoyuantop

Description

When introspection_endpoint_auth_method is set to client_secret_basic, the introspect() function sends client_id and client_secret in both the Authorization header and the POST body. This violates RFC 6749 §2.3.1 and causes strict OAuth 2.0 authorization servers (e.g. Authelia) to reject the request with invalid_client.

Root Cause

In lib/resty/openidc.lua, the introspect() function unconditionally adds credentials to the POST body (lines 1793-1798):

```lua
if opts.client_id then
  body.client_id = opts.client_id
end
if opts.client_secret then
  body.client_secret = opts.client_secret
end
```

Then call_token_endpoint() adds them again to the Authorization header when auth method is client_secret_basic (lines 450-458):

```lua
if auth == "client_secret_basic" then
  headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":" .. ngx.escape_uri(opts.client_secret))
end
```

This differs from other code paths like openidc_authorization_response(), which correctly delegates all credential handling to call_token_endpoint() without pre-populating the body.

Expected Behavior

When introspection_endpoint_auth_method is client_secret_basic, credentials should only appear in the Authorization header, not in the POST body.
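To make the RFC 6749 §2.3.1 point concrete, here is an added Python model of the two request shapes described above and of the check a strict authorization server applies. It is example code written for this issue, not code from lua-resty-openidc or from Authelia; the function names (`build_introspection_request`, `strict_server_accepts`) and the sample client credentials are constructed for illustration. The `fixed=False` path reproduces the behaviour reported here (credentials pre-populated in the body and then also placed in the Basic header); the `fixed=True` path puts them in exactly one place depending on the configured method.

```python
import base64
from urllib.parse import quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the client_secret_basic header value.

    RFC 6749 section 2.3.1: client_id and client_secret are each
    form-url-encoded, joined with ':' and then base64-encoded. This mirrors
    the ngx.escape_uri(...) .. ":" .. ngx.escape_uri(...) step quoted above.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def decode_basic_header(value: str) -> tuple[str, str]:
    """Inverse of basic_auth_header, used by the server-side check and tests."""
    raw = base64.b64decode(value.removeprefix("Basic ")).decode("ascii")
    cid, secret = raw.split(":", 1)
    return unquote(cid), unquote(secret)


def build_introspection_request(opts: dict, token: str, fixed: bool = True):
    """Return (headers, body) for a token introspection call.

    fixed=False models the reported bug: the body is populated with
    client_id/client_secret unconditionally, and the Basic header is added
    on top of that when the method is client_secret_basic.
    fixed=True uses the configured method only once.
    """
    auth = opts.get("introspection_endpoint_auth_method", "client_secret_basic")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"token": token}

    put_in_body = (not fixed) or auth == "client_secret_post"
    if put_in_body:
        if opts.get("client_id"):
            body["client_id"] = opts["client_id"]
        if opts.get("client_secret"):
            body["client_secret"] = opts["client_secret"]

    if auth == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(opts["client_id"], opts["client_secret"])

    return headers, body


def auth_methods_used(headers: dict, body: dict) -> list[str]:
    """List every client authentication method present in one request."""
    methods = []
    if headers.get("Authorization", "").startswith("Basic "):
        methods.append("client_secret_basic")
    if "client_secret" in body:
        methods.append("client_secret_post")
    return methods


def strict_server_accepts(headers: dict, body: dict, expected_id: str, expected_secret: str):
    """Model of a strict authorization server's client authentication.

    Section 2.3.1 says a client MUST NOT use more than one authentication
    method per request, so two methods are rejected with invalid_client even
    when both carry the correct secret. Returns (accepted, error_code).
    """
    methods = auth_methods_used(headers, body)
    if len(methods) != 1:
        return False, "invalid_client"
    if methods[0] == "client_secret_basic":
        cid, secret = decode_basic_header(headers["Authorization"])
    else:
        cid, secret = body.get("client_id", ""), body["client_secret"]
    if (cid, secret) != (expected_id, expected_secret):
        return False, "invalid_client"
    return True, None


if __name__ == "__main__":
    # Constructed sample configuration; not real credentials.
    opts = {
        "client_id": "demo-client",
        "client_secret": "demo-secret",
        "introspection_endpoint_auth_method": "client_secret_basic",
    }
    for fixed in (False, True):
        h, b = build_introspection_request(opts, "opaque-token", fixed=fixed)
        print("fixed" if fixed else "buggy", auth_methods_used(h, b),
              strict_server_accepts(h, b, "demo-client", "demo-secret"))
```

Running the script shows the buggy shape carrying both `client_secret_basic` and `client_secret_post` and being refused with `invalid_client`, while the fixed shape carries only the Basic header and is accepted. The same `auth_methods_used` check is a cheap thing to run in an integration test against any OAuth client library's outgoing requests.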
