From 250eb27c7b6a83375463d6e7f9c00897d56c875a Mon Sep 17 00:00:00 2001
From: Arran Ubels
Date: Tue, 7 Jul 2020 09:13:31 +1000
Subject: [PATCH 1/2] Not actually required as part of the RFC but if they do provide check secret

---
 manage/manager.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manage/manager.go b/manage/manager.go
index 514bc23..5d6511d 100755
--- a/manage/manager.go
+++ b/manage/manager.go
@@ -261,7 +261,7 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,
 			if !cliPass.VerifyPassword(tgr.ClientSecret) {
 				return nil, errors.ErrInvalidClient
 			}
-		} else if tgr.ClientSecret != cli.GetSecret() {
+		} else if len(tgr.ClientSecret) > 0 && tgr.ClientSecret != cli.GetSecret() {
 			return nil, errors.ErrInvalidClient
 		}
 		if tgr.RedirectURI != "" {

From 06c3b606d374ac726bc663de4e62691aa29b1b25 Mon Sep 17 00:00:00 2001
From: Arran Ubels
Date: Tue, 7 Jul 2020 09:14:11 +1000
Subject: [PATCH 2/2] Not all cases require client_secret

It's likely that there might have be 2 of these functions or a switch involved

---
 server/handler.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/handler.go b/server/handler.go
index 67d9c9f..e0d5d32 100755
--- a/server/handler.go
+++ b/server/handler.go
@@ -46,10 +46,10 @@ type (
 // ClientFormHandler get client data from form
 func ClientFormHandler(r *http.Request) (string, string, error) {
 	clientID := r.Form.Get("client_id")
-	clientSecret := r.Form.Get("client_secret")
-	if clientID == "" || clientSecret == "" {
+	if clientID == "" {
 		return "", "", errors.ErrInvalidClient
 	}
+	clientSecret := r.Form.Get("client_secret")
 	return clientID, clientSecret, nil
 }
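Review bot: The new `else if` in GenerateAccessToken keys the skip on the caller's input rather than on the client's registration, so a request that sends client_id with an empty client_secret is now accepted for a client that does have a secret configured — the authentication check for confidential clients can be bypassed by simply omitting the secret. The condition should instead skip only when the stored secret is empty (a public client), e.g. `} else if cli.GetSecret() != "" && tgr.ClientSecret != cli.GetSecret() {`, so a confidential client is still rejected when no secret is presented. While touching this line, the plain `!=` on the secret is not constant-time; `subtle.ConstantTimeCompare([]byte(tgr.ClientSecret), []byte(cli.GetSecret())) != 1` (import `crypto/subtle`) is the usual replacement. GenerateAccessToken begins and ends outside the hunk, so whether cli is already guaranteed non-nil here cannot be confirmed from this view.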
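Review bot: The doc comment on ClientFormHandler still reads "get client data from form" and does not say that client_secret is now optional, so the next reader cannot tell whether an empty second return value is an error or a public-client case; suggest `// ClientFormHandler gets client_id and client_secret from the form; client_secret may be empty, so the caller must decide whether the client requires one.`. The moved `clientSecret := r.Form.Get("client_secret")` is fine as written, but the function now makes no decision about confidential clients at all, and the commit message itself hints that this should be two handlers or a switch — naming that delegation in the comment keeps the contract explicit. Only one enforcement point is left, so the manager-side comparison in PATCH 1/2 must treat an empty presented secret as a failure for clients that have one.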