Comment by hvb2

9 hours ago

> and are facing a broken OAuth implementation.

Or didn't bother to read the spec to understand why it's non-trivial. Things like this are complex because attacks will force it to be.

Also, the broken implementation might be an OIDC implementation that doesn't support client_credentials for example. Seen that many times and that does make it rather awkward to implement a server to server flow...
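As an added example (not the commenter's code), a Python check for the situation described above: before attempting a server-to-server flow, read the provider's discovery metadata to see whether the client_credentials grant is actually advertised, then build the RFC 6749 token request only if it is. The discovery documents, client id and secret are constructed for the example.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed OIDC discovery documents (not from any real provider), used as sample input.
PROVIDER_WITH_CC = json.dumps({
    "issuer": "https://idp.example.test",
    "token_endpoint": "https://idp.example.test/token",
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
})
PROVIDER_OMITS_FIELD = json.dumps({
    "issuer": "https://idp.example.test",
    "token_endpoint": "https://idp.example.test/token",
})


def supports_client_credentials(discovery_json: str) -> bool:
    """Return True only if the provider advertises the client_credentials grant.

    Per RFC 8414 / OIDC Discovery, an absent grant_types_supported means the
    default ["authorization_code", "implicit"], so omission is NOT support.
    """
    meta = json.loads(discovery_json)
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    return "client_credentials" in grants


def build_client_credentials_request(discovery_json: str, client_id: str,
                                     client_secret: str, scope: str):
    """Build the RFC 6749 section 4.4 token request for a server-to-server call.

    Returns (token_endpoint, headers, form_body). The client authenticates with
    HTTP Basic as in RFC 6749 section 2.3.1 (id and secret form-urlencoded,
    then base64), so the secret never appears in the URL or the body.
    """
    if not supports_client_credentials(discovery_json):
        raise ValueError("provider does not advertise the client_credentials grant")
    meta = json.loads(discovery_json)
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return meta["token_endpoint"], headers, body
```

A provider that fails this check will typically answer a client_credentials request with an `unsupported_grant_type` error, which is the awkward case the comment refers to.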