OpenAM accepts Resource Owner credentials as part of the query string
How to reproduce the issue
Configure an OAuth2 provider and an OAuth2 client.
Perform the Resource Owner Password Credentials Grant flow, but send the username and password parameters in the query string instead of the POST body.
OpenAM should respond with an error code, as the spec says:
4.3.2. Access Token Request
The client makes a request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded"
format per Appendix B with a character encoding of UTF-8 in the HTTP
REQUIRED. Value MUST be set to "password".
REQUIRED. The resource owner username.
REQUIRED. The resource owner password.
OPTIONAL. The scope of the access request as described by
Instead, OpenAM issues an access token.
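The check the report asks for, as an added example that is not OpenAM's own code: a validator that returns an OAuth2 error when any parameter from section 4.3.2 arrives in the query string, and accepts the request only when the parameters are in the form-encoded POST body. The function name, endpoint URL and credentials are assumptions made for the example; the error codes are those defined in RFC 6749 section 5.2.

```python
from urllib.parse import parse_qs, urlsplit

# Parameters that RFC 6749 section 4.3.2 places in the form-encoded body.
BODY_ONLY = {"grant_type", "username", "password", "scope"}
FORM = "application/x-www-form-urlencoded"


def _err(code, why):
    return {"error": code, "error_description": why}


def check_password_grant(method, url, content_type, body):
    """Return None if the request is well formed, else an OAuth2 error dict.

    Hypothetical helper: meant to run before any credential is evaluated,
    with the dict sent back as the JSON body of an HTTP 400 response.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    leaked = sorted(BODY_ONLY.intersection(query))
    if leaked:  # reject even if the body also carries valid values
        return _err("invalid_request", "not allowed in query: " + ", ".join(leaked))
    if method.upper() != "POST":
        return _err("invalid_request", "token requests must use POST")
    if (content_type or "").split(";")[0].strip().lower() != FORM:
        return _err("invalid_request", "body must be " + FORM)
    form = parse_qs(body, keep_blank_values=True)
    for name in ("grant_type", "username", "password"):
        if len(form.get(name, [])) != 1:  # missing or repeated parameter
            return _err("invalid_request", name + " must appear once in the body")
    if form["grant_type"] != ["password"]:
        return _err("unsupported_grant_type", "this check covers the password grant")
    return None


# Constructed sample requests; host, path and credentials are placeholders.
ENDPOINT = "https://am.example.test/token"
CREDS = "grant_type=password&username=demo&password=changeit"
SAMPLES = {
    "query string": ("POST", ENDPOINT + "?" + CREDS, FORM, ""),
    "split": ("POST", ENDPOINT + "?password=changeit", FORM, "grant_type=password&username=demo"),
    "body": ("POST", ENDPOINT, FORM + "; charset=UTF-8", CREDS),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, "->", check_password_grant(*request))
```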