client_id missing from token request with broken provider & no client secret

[mmp]

When requesting a token from a broken provider (e.g. www.googleapis.com), if there is a client_id but not a client_secret, the client_id isn't included in the request generated by the oauth2 library, leading to a 400 response. This seems to have been introduced in 4464e78, and is contrary to the change description, so was presumably unintended.

The attached test program illustrates the bug, giving

Error: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error" : "invalid_request",
  "error_description" : "Could not determine client ID from request."
}

with top of tree.

The patch below fixes it for me, but I'm not an oauth expert, so don't know if this is the appropriate fix.

diff --git a/internal/token.go b/internal/token.go
index ba90a34..6477379 100644
--- a/internal/token.go
+++ b/internal/token.go
@@ -155,9 +155,11 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
 		return nil, err
 	}
 	bustedAuth := !providerAuthHeaderWorks(tokenURL)
-	if bustedAuth && clientSecret != "" {
+	if bustedAuth {
 		v.Set("client_id", clientID)
-		v.Set("client_secret", clientSecret)
+		if clientSecret != "" {
+			v.Set("client_secret", clientSecret)
+		}
 	}
 	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))
 	if err != nil {

Test case:
oauth.go.txt

[mmp]

Ping. Any chance of this being fixed?

[rakyll]

I am going to create a CL right now.