I tried doing the same thing you're doing, using both basic auth headers to pass in username and password while using url encoded form body to pass in client ID and secret. I discovered that the problem was ClientSecretBasicAuthenticationConverter

If this converter is configured (which it is by default), it will extract your username and password and save it as the client id and secret for subsequent code to process. This causes the invalid client error.