Not actually required as part of the RFC but if they do provide check secret

Arran Ubels · web-flow · commit 250eb27c7b6a · 2020-07-07T09:13:31.000+10:00
diff --git a/manage/manager.go b/manage/manager.go
@@ -261,7 +261,7 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,
 		if !cliPass.VerifyPassword(tgr.ClientSecret) {
 			return nil, errors.ErrInvalidClient
 		}
-	} else if tgr.ClientSecret != cli.GetSecret() {
+	} else if len(tgr.ClientSecret) > 0 && tgr.ClientSecret != cli.GetSecret() {
 		return nil, errors.ErrInvalidClient
 	}
 	if tgr.RedirectURI != "" {

Original file line number	Diff line number	Diff line change
`@@ -261,7 +261,7 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,`
`261`	`261`	`if !cliPass.VerifyPassword(tgr.ClientSecret) {`
`262`	`262`	`return nil, errors.ErrInvalidClient`
`263`	`263`	`}`
`264`		`- } else if tgr.ClientSecret != cli.GetSecret() {`
	`264`	`+ } else if len(tgr.ClientSecret) > 0 && tgr.ClientSecret != cli.GetSecret() {`
`265`	`265`	`return nil, errors.ErrInvalidClient`
`266`	`266`	`}`
`267`	`267`	`if tgr.RedirectURI != "" {`