authenticate_none fails if an empty client_secret parameter exists

**Describe the bug**

`authenticate_none` fails if an empty `client_secret` request parameter exists

**Error Stack**

```
authlib.oauth2.rfc6749.authenticate_client - DEBUG - Authenticate examplevia "none" failed
Bad Request: /token/
Error: invalid_client
```

**To Reproduce**

Register an `AuthorizationCodeGrant` with `TOKEN_ENDPOINT_AUTH_METHODS = ['none']`

```
POST /token/
grant_type: "authorization_code"
code: "super-secret-generated-code"
redirect_uri: "https://example.com/"
client_id: "example"
client_secret: ""
```

**Expected behavior**

I expect `authenticate_none` to ignore an empty `client_secret` parameter

According to [the specification](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2)

> Parameters sent without a value MUST be treated as if they were omitted from the request.

This would be fixed by using:

`if client_id and not request.data.get('client_secret'):`

instead of `if client_id and 'client_secret' not in request.data:`

**Environment:**

 - OS: Linux
 - Python Version: 3.8
 - Authlib Version: 1.0.0


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

authenticate_none fails if an empty client_secret parameter exists #438

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

authenticate_none fails if an empty client_secret parameter exists #438

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions