diff --git a/src/client/mod.rs b/src/client/mod.rs
index 613411d..a7f8c84 100644
--- a/src/client/mod.rs
+++ b/src/client/mod.rs
@@ -154,6 +154,11 @@ impl<P: Provider> Client<P> {
             body_pairs.push(("redirect_uri", redirect_uri));
         }
 
+        if P::credentials_in_body() {
+            body_pairs.push(("client_id", &self.client_id));
+            body_pairs.push(("client_secret", &self.client_secret));
+        }
+
         let json = try!(self.post_token(body_pairs));
         let token = try!(P::Token::from_response(&json));
         Ok(token)
diff --git a/src/provider.rs b/src/provider.rs
index 4c60d5d..0bf14db 100644
--- a/src/provider.rs
+++ b/src/provider.rs
@@ -19,6 +19,13 @@ pub trait Provider {
     ///
     /// See [RFC 6749, section 3.2](http://tools.ietf.org/html/rfc6749#section-3.2).
     fn token_uri() -> &'static str;
+
+    /// Provider supports credentials via request body only.
+    /// Although not recommended by the RFC, some implementations accept client_id
+    /// and client_secret as a part of request only (most notable offender is vk.com).
+    ///
+    /// See [RFC 6749, section 2.3.1](http://tools.ietf.org/html/rfc6749#section-2.3.1).
+    fn credentials_in_body() -> bool { false }
 }
 
 /// Google OAuth 2.0 provider.