diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index fac6940..b92b1f8 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -22,7 +22,8 @@ en:
 oauth2_json_avatar_path: "Path in the Oauth2 User JSON to the user's avatar. eg: user.avatar_url"
 oauth2_email_verified: "Check this if the OAuth2 site has verified the email"
 oauth2_overrides_email: "Override the Discourse email with the remote email on every login"
- oauth2_send_auth_header: "Send the token as an HTTP Authorization header"
+ oauth2_send_auth_header: "Send client credentials in an HTTP Authorization header"
+ oauth2_send_auth_body: "Send client credentials in the request body"
 oauth2_debug_auth: "Include rich debugging information in your logs"
 oauth2_authorize_options: "When authorizing request these options"
 oauth2_scope: "When authorizing request this scope"
diff --git a/config/settings.yml b/config/settings.yml
index af5c701..8185e30 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -35,6 +35,7 @@ login:
 oauth2_email_verified: false
 oauth2_overrides_email: false
 oauth2_send_auth_header: true
+ oauth2_send_auth_body: true
 oauth2_debug_auth: false
 oauth2_authorize_options:
 default: 'scope'
diff --git a/plugin.rb b/plugin.rb
index 5c9632c..10ac583 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -102,9 +102,18 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
 }
 opts[:authorize_options] = SiteSetting.oauth2_authorize_options.split("|").map(&:to_sym)
- if SiteSetting.oauth2_send_auth_header?
+ if SiteSetting.oauth2_send_auth_header? && SiteSetting.oauth2_send_auth_body?
+ # For maximum compatibility we include both header and body auth by default
+ # This is a little unusual, and utilising multiple authentication methods
+ # is technically disallowed by the spec (RFC2749 Section 5.2)
+ opts[:client_options][:auth_scheme] = :request_body
 opts[:token_params] = { headers: { 'Authorization' => basic_auth_header } }
+ elsif SiteSetting.oauth2_send_auth_header?
+ opts[:client_options][:auth_scheme] = :basic_auth
+ else
+ opts[:client_options][:auth_scheme] = :request_body
 end
+
 unless SiteSetting.oauth2_scope.blank?
 opts[:scope] = SiteSetting.oauth2_scope
 end
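Review bot: The new comment cites the wrong document — the OAuth 2.0 Authorization Framework is RFC 6749, not RFC 2749, and as far as I recall the rule that a client must not use more than one authentication method in a single request lives in its client-authentication section (2.3) rather than Section 5.2; suggest `# is technically disallowed by the spec (RFC 6749 Section 2.3)`. Because config/settings.yml defaults both oauth2_send_auth_header and oauth2_send_auth_body to true, the default path in this branch sends the client secret twice (Basic header plus request body), so a strict authorization server may reject the token request as invalid_client — that consequence belongs in the comment or the setting descriptions so an admin knows to switch one method off rather than retry. The `else` branch also means that disabling both settings still sends credentials in the request body, which the setting names do not suggest; a line such as `# neither setting enabled: credentials are still sent in the request body` would make that fallback deliberate. The method that builds `opts` begins before this hunk, so `basic_auth_header` and the rest of the client options are not visible here.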