
Response code when `Authorization` header or `client_id` is missing

Status: Open. chervand opened this issue 6 years ago, 0 comments.

`AbstractGrant` throws 400 Bad Request in case it's not able to retrieve `client_id` from the request while validating the client. Wouldn't it be better to return 401 Unauthorized in case no client credentials are provided?

https://tools.ietf.org/html/rfc6749#section-5.2

> invalid_client: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

https://tools.ietf.org/html/rfc2617#section-3.2.1

> If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code ...

chervand, Oct 06 '17 17:10
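As an added illustration of the behaviour the RFC text above describes (not code from oauth2-server, and not the author's proposal in code form), the following Python sketch shows a token-endpoint client check that returns 401 `invalid_client` with a `WWW-Authenticate` header whenever authentication fails or no credentials are present at all, while an unrelated malformed-request condition stays a 400. The client registry, the realm name `oauth2`, and the function names `authenticate_client` and `basic_header` are assumptions made for this example; the `client_id`/`client_secret` percent-encoding inside the Basic credentials follows RFC 6749 section 2.3.1.

```python
import base64
import binascii
import hmac
import json
from urllib.parse import quote, unquote

# Constructed client registry for the example (placeholder secret, not a real credential).
CLIENTS = {"demo-client": "demo-secret"}
REALM = "oauth2"


def basic_header(client_id, client_secret):
    """Build the Basic Authorization header a confidential client would send (RFC 6749 s2.3.1)."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _parse_basic(header):
    """Return (client_id, client_secret) from a Basic header, or None if it is not usable."""
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    client_id, _, secret = decoded.partition(":")
    return unquote(client_id), unquote(secret)


def _error(status, error, description):
    """OAuth2 error response as (status, headers, body); 401 carries WWW-Authenticate."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if status == 401:
        # RFC 6749 s5.2: advertise the supported scheme on 401 so clients can retry correctly.
        headers["WWW-Authenticate"] = f'Basic realm="{REALM}"'
    return status, headers, json.dumps({"error": error, "error_description": description})


def authenticate_client(headers, form):
    """Validate client credentials on the token endpoint.

    Returns (None, client_id) on success, or (error_response, None) on failure.
    `headers` and `form` are plain dicts standing in for the HTTP request.
    """
    auth_header = headers.get("Authorization")
    if auth_header is not None:
        creds = _parse_basic(auth_header)
        if creds is None:
            # Client tried to authenticate via the Authorization header but the server
            # cannot accept it (unsupported scheme or malformed value): MUST be 401.
            return _error(401, "invalid_client", "Unsupported or malformed Authorization header"), None
        client_id, client_secret = creds
    elif "client_id" in form:
        client_id = form["client_id"]
        client_secret = form.get("client_secret", "")
    else:
        # No client authentication included at all: the 401 behaviour proposed in this issue,
        # rather than a generic 400.
        return _error(401, "invalid_client", "No client authentication included"), None

    if form.get("grant_type") == "":
        # Example of a condition that is still a malformed request, not an auth failure.
        return _error(400, "invalid_request", "grant_type must not be empty"), None

    expected = CLIENTS.get(client_id)
    # Constant-time comparison; compare against a dummy when the client is unknown so
    # timing does not reveal which client_ids exist.
    candidate = (expected if expected is not None else "").encode()
    if expected is None or not hmac.compare_digest(candidate, client_secret.encode()):
        return _error(401, "invalid_client", "Client authentication failed"), None
    return None, client_id


if __name__ == "__main__":
    print(authenticate_client({}, {}))
    print(authenticate_client({"Authorization": basic_header("demo-client", "demo-secret")}, {}))
```

The check for an empty `grant_type` is only there to show that 400 `invalid_request` remains the right answer for a malformed request, so the two status codes answer different questions: 401 says "prove who you are", 400 says "the request itself is wrong".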