
The RFC explicitly requires that the token be passed in the body only if the content type is form-url-encoded. What is the reason behind it? Why not permit multipart?

Workarounds:
This poses a problem for file uploads, where the browser sets the content type to multipart/form-data.

The most common solution is to pass the token in the query string, which is insecure because of logging or appearance in history.

Alex

1 Answer


The preferred method is to use the Authorization header to send the access token. The body and URL variants are in the spec to enable OAuth for clients which cannot, for some reason, set the HTTP header value. In order to limit the possibilities the server would have to process, the standard limits usage to form-url-encoded only. You can read some more about the problems that can arise from this in this answer: Why do we prefer Authorization Header to send bearer token to server over other techniques like URL encoding

In short - it would have been much more complicated for the resource servers to support receiving an access token using different content types. I believe this is the main reason behind this decision (although there might be some security implications I'm not aware of).

So generally, the best solution would be to pass the token in an Authorization header, instead of the body or URL.

Michal Trojanowski
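As an added example (not code from the question or the answer above), here is a resource-server token check that implements the three RFC 6750 section 2 methods the answer refers to, together with the rule that a form-body token is only looked for in a single-part `application/x-www-form-urlencoded` body and never on a GET, and that a request using more than one method is rejected. It also includes a small client helper for the file-upload case from the question: the multipart body is sent as-is and the token travels in the Authorization header, so the server never has to parse the upload to find it. Function names, the header dictionary shape and the sample tokens are my own assumptions, not part of the RFC or of any library.

```python
"""
Bearer token extraction following RFC 6750 section 2 (Authorization header,
form-encoded body parameter, URI query parameter). Added example; the
function names and sample values are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs

# RFC 6750 s2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
FORM_CT = "application/x-www-form-urlencoded"


class BearerError(Exception):
    """Raised when the request carries no usable bearer token (server answers 400/401)."""


def _header_token(headers):
    """s2.1: 'Authorization: Bearer <b64token>'. Returns None if the scheme is not Bearer."""
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, credentials = auth.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None  # Basic, Digest, etc. are not our concern here
    credentials = credentials.strip()
    if not _B64TOKEN.match(credentials):
        raise BearerError("invalid_request: malformed bearer credentials")
    return credentials


def _single_param(params, source):
    """Helper: an 'access_token' parameter may appear at most once."""
    values = params.get("access_token")
    if not values:
        return None
    if len(values) > 1:
        raise BearerError(f"invalid_request: multiple access_token values in {source}")
    return values[0]


def _body_token(method, content_type, body):
    """s2.2: only a single-part, entirely form-encoded body is searched, and never on GET."""
    if body is None:
        return None
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != FORM_CT:
        return None  # multipart/form-data, JSON, ... are not parsed for a token
    if method.upper() == "GET":
        raise BearerError("invalid_request: access_token in the body of a GET")
    return _single_param(parse_qs(body, keep_blank_values=True), "body")


def _query_token(query):
    """s2.3: 'access_token' in the query string (discouraged: ends up in logs and history)."""
    if not query:
        return None
    return _single_param(parse_qs(query, keep_blank_values=True), "query")


def extract_bearer_token(method, headers, query="", content_type="", body=None):
    """Return (source, token). Rejects requests that use more than one method (s2)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = {}
    for source, token in (("header", _header_token(lowered)),
                          ("body", _body_token(method, content_type, body)),
                          ("query", _query_token(query))):
        if token is not None:
            found[source] = token
    if not found:
        # Real server: 401 with 'WWW-Authenticate: Bearer realm="..."'
        raise BearerError("no bearer token in request")
    if len(found) > 1:
        raise BearerError("invalid_request: token sent via more than one method")
    (source, token), = found.items()
    return source, token


def build_multipart_upload(token, field, filename, data, boundary="rfc6750example"):
    """Client side of the file-upload case: the token goes in the header, not the body."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{data}\r\n"
        f"--{boundary}--\r\n"
    )
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed request: a multipart upload authenticated via the Authorization header.
    hdrs, body = build_multipart_upload("mF_9.B5f-4.1JqM", "file", "report.txt", "hello")
    print(extract_bearer_token("POST", hdrs, "", hdrs["Content-Type"], body))
```

Running the block prints `('header', 'mF_9.B5f-4.1JqM')` for the constructed upload. The same server function accepts a form-encoded POST body or a query parameter when that is the only place the token appears, but raises for a GET carrying a form body, for a `multipart/form-data` body that merely contains an `access_token` part, and for a request that supplies the token twice.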