...
By default, the OP only supports the grant types needed for the OIDC functionality (authorization_code and refresh). This feature relies on a third type, client_credentials. You will need to either enable that globally via the idp.oauth2.grantTypes property, or on a specific instance of the OAUTH2.Token profile configuration bean (which also needs to be added to at least one of the profile configuration collections in relying-party.xml in order to support this use case).
...