On the OAuth guide for The Authorization Response says the redirect has to be attached with an invalid_request error query string parameter when:

invalid_request – the request is missing a parameter, contains an invalid parameter, includes a parameter more than once, or is otherwise invalid.

The library throws a InvalidRequestError in the two first cases, but when I provide a request body with a duplicated parameter, which translates into a parameter with an array value, it doesn't throw any exception, and as far I understand it should.