As of today the plugin passes the client ID and secret in the body of the request. Per the specification [0], the authorization server might not have implemented this way of authenticating, so the plugin might be incompatible with some OpenID Connect providers (Tuleap itself included). Also, the OAuth2 Framework discourages this usage:
> Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
[0] https://tools.ietf.org/html/rfc6749#section-2.3.1
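The two ways of authenticating the client at the token endpoint, side by side, as an added example that is not the plugin's code. The function names, the sample client ID, secret, code and redirect URI are all constructed for illustration, and `quote_plus` stands in for the form-urlencoding that section 2.3.1 requires before the Basic credentials are joined.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def token_request_body_auth(client_id, client_secret, code, redirect_uri):
    """Credentials in the request body: the NOT RECOMMENDED form."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return dict(FORM), body


def token_request_basic_auth(client_id, client_secret, code, redirect_uri):
    """Credentials in an Authorization: Basic header (RFC 6749 2.3.1)."""
    # Each part is form-urlencoded first, so a ':' inside the secret
    # cannot be confused with the id/secret separator.
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
    headers = dict(FORM, Authorization=f"Basic {token}")
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return headers, body


def parse_basic_header(value):
    """What the authorization server recovers from the Basic header."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token).decode("utf-8")
    enc_id, sep, enc_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(enc_id), unquote_plus(enc_secret)


# Constructed sample values, not real credentials.
SAMPLE = ("tuleap-client", "s3cr:et p@ss/+", "abc123",
          "https://tuleap.example.com/plugins/openidconnectclient/")
```

With the Basic form the secret no longer appears in the request body, so anything that records form parameters does not capture it.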