Security Framework - Client Credentials Grant - Must not put scopes in body?

Security Framework v1.0 section 4.1 (Using OAuth 2.0 Client-Credentials Grant) insists that scopes must not be included in the request body:

Requests for an access token use an HTTP POST and TLS. The Consumer MUST use its key and secret with the HTTP Basic Authentication method (as described in [RFC2617]) for this request and MUST NOT put its key, secret and list of scopes into the request body.

For HTTP Basic Authentication, the key and secret must be delivered in the header. However, the grant type and list of scopes are placed in the request body in the subsequent example:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=scopename1%20scopename2%20scopenamex

Is the documentation mistaken when it states that scopes MUST NOT be put in the request body?
Otherwise, what HTTP header should I use to set the list of requested scopes?
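
Added example, not part of the original post or of the Security Framework: a small Python check that parses the request exactly as shown above and reports where each value travels. It takes the post's example request as the reference shape, which matches RFC 6749 section 4.4.2 where grant_type and scope are form-encoded body parameters; that reading, the function names, and the client_id/client_secret body names (from RFC 6749 section 2.3.1) are assumptions of this example.

```python
import base64
from urllib.parse import parse_qs

# The request from the post above, reproduced as a raw HTTP message.
RAW_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "grant_type=client_credentials&scope=scopename1%20scopename2%20scopenamex"
)

# Assumed body parameter names that would carry the Consumer's key and secret.
CREDENTIAL_PARAMS = {"client_id", "client_secret"}


def parse_token_request(raw):
    """Split a raw token request into Basic credentials and form parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    key = secret = None
    if scheme.lower() == "basic" and token:
        # Basic credentials are base64("key:secret"); split on the first colon.
        key, _, secret = base64.b64decode(token).decode().partition(":")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"key": key, "secret": secret, "form": form}


def audit_token_request(raw):
    """Return a list of findings; an empty list means the request passes."""
    req = parse_token_request(raw)
    findings = []
    if not req["key"] or not req["secret"]:
        findings.append("key and secret missing from HTTP Basic header")
    leaked = CREDENTIAL_PARAMS.intersection(req["form"])
    if leaked:
        findings.append("credentials in body: " + ", ".join(sorted(leaked)))
    if req["form"].get("grant_type") != "client_credentials":
        findings.append("grant_type is not client_credentials")
    return findings
```
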