OAuth2 endpoints should return an error when multiple client authentication methods are used
If both valid HTTP Basic Authentication credentials and ‘client_id’/’client_secret’ form parameters’ are sent by the client, no error is returned.
The RFC6749 (section 5.2) indicates that an error message must be returned with 400 (Bad Request) HTTP status code + error code ‘invalid_request’
RFC6749
The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.