Add support for authenticating confidential client with request body params

[synasius]

We should support confidential clients authentication through request-body parameters.

Note that, as in http://tools.ietf.org/html/rfc6749#section-2.3.1 :

Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme

This should solve #52 (comment)