The second format is the correct one from what I know.
As I did not use Ping myself I just found this on their website about the fields:
Hopes this help!
Thanks Jeremie, we eventually traced it to the Token Endpoint Authentication Method setting in Ping, this needs to be set as Client Secret Post as this is the only (client secret) method that is appears the OIDC SSO module uses. We had (mistakenly) focused on the ‘Basic’ method to start with as we tried to keep the solution simple to start with.