client id not being verified in RP tests

https://www.certification.openid.net/log-detail.html?log=xZ78z6IOUd98OD5 shows that the RP has the wrong client id configured, but it doesn't fail until the RP presents a request object with an incorrect iss.

It should have failed at the client credentials grant at the token endpoint, when the incorrect client_id was specified.

The rules for client_id (as relevant for the two types of client auth allowed in FAPI) are:

private_key_jwt: client_id is optional, but if present it must be correct (https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1)

mtls: client_id is required and must be correct (https://datatracker.ietf.org/doc/html/rfc8705#:~:text=the%20client%20MUST%20include%20the%20%22client_id%22%0A%20%20%20parameter%20described%20in%20Section%202.2%20of%20OAuth%202.0%20%5BRFC6749%5D. - that link should highlight the relevant sentence, but probably only in Chrome; Safari doesn't support this yet)
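The two rules above, written out as the check a token endpoint (or a conformance test playing the token endpoint) would run on a client credentials grant. This is an added illustration, not code from the conformance suite; the `authenticated_client_id` parameter is an assumption standing in for whichever client identity the authentication method itself established (the `sub` of an already-verified `client_assertion` for private_key_jwt, or the client bound to the presented certificate for mtls), and the client ids in the sample requests are constructed values.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Client authentication methods permitted by FAPI; any other value is rejected.
PRIVATE_KEY_JWT = "private_key_jwt"
MTLS = "mtls"


@dataclass(frozen=True)
class ClientIdCheck:
    ok: bool
    reason: str


def check_token_request_client_id(
    auth_method: str,
    authenticated_client_id: str,
    params: Mapping[str, str],
) -> ClientIdCheck:
    """Apply the client_id rules for a token endpoint request.

    authenticated_client_id: the client identity established by the auth
    method before this check runs (assumption: the caller has already
    verified the client_assertion signature or the mTLS certificate).
    params: the form-encoded body of the token request.
    """
    presented: Optional[str] = params.get("client_id")

    if auth_method == PRIVATE_KEY_JWT:
        # RFC 6749 3.2.1 / RFC 7521 4.2: client_id is optional with an
        # assertion, but if sent it must identify the same client.
        if presented is None:
            return ClientIdCheck(True, "client_id omitted; client identified by client_assertion")
        if presented != authenticated_client_id:
            return ClientIdCheck(
                False,
                f"client_id {presented!r} does not match assertion subject {authenticated_client_id!r}",
            )
        return ClientIdCheck(True, "client_id present and consistent with client_assertion")

    if auth_method == MTLS:
        # RFC 8705 2: the client MUST include client_id, and it must be the
        # client to which the presented certificate is bound.
        if presented is None:
            return ClientIdCheck(False, "client_id is required for mTLS client authentication")
        if presented != authenticated_client_id:
            return ClientIdCheck(
                False,
                f"client_id {presented!r} does not match certificate-bound client {authenticated_client_id!r}",
            )
        return ClientIdCheck(True, "client_id present and bound to the presented certificate")

    raise ValueError(f"unsupported client authentication method: {auth_method!r}")


def token_endpoint_error(check: ClientIdCheck) -> Optional[dict]:
    """Map a failed check onto the RFC 6749 5.2 error body (HTTP 401 invalid_client)."""
    if check.ok:
        return None
    return {"error": "invalid_client", "error_description": check.reason}


if __name__ == "__main__":
    # Constructed sample: the RP was registered as "client-registered" but
    # sends "client-wrong", the situation described in the report above.
    bad_request = {
        "grant_type": "client_credentials",
        "client_id": "client-wrong",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": "<verified elsewhere>",
    }
    result = check_token_request_client_id(PRIVATE_KEY_JWT, "client-registered", bad_request)
    print(result, token_endpoint_error(result))
```

With this in place the mismatch is reported at the token endpoint with `invalid_client`, rather than surfacing later as a bad `iss` in the request object.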
