(Ops seems I didn't press "Save", here's my comment auto-saved)
Hi Mark,
Yes I did try using "Request Body" as I couldn't make it work using Auth Basic, even when building my own request.
About endpoint documentation, I've analyzed the OTK code and yes client_secret is mandatory also there which could be, IMHO, a mistake in actual implementation as per the "Resource owner Password Credentials" scheme.
Nevertheless I've submitted a request for enhancement, let's find out what devs think about this.
Regards,