
OAuth 2 client_secret should be optional #528

@TheSpiritXIII

Description


After #294, client_secret was made to be required.

According to the OAuth 2.0 spec (https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1), it is optional:

The client MAY omit the parameter if the client secret is an empty string.

You can see this with OAuth 2.0 providers that point out it's optional, e.g. Microsoft.

We even show it as optional in the configuration documentation but this is not what our behavior actually is.

While it is best practice to include it in production environments, we should let users decide. Alternatively, let's be consistent and clear in our documentation if we diverge from expectations.
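Added example (not code from this issue or from the project it refers to) showing how a client configuration can treat client_secret as optional in line with RFC 6749 section 2.3.1: an empty or missing secret marks the client as a public client, the token request simply omits the parameter, and a configuration check reports the missing secret instead of rejecting the configuration. The class, function names, and the placeholder token URL are assumptions made for the example.

```python
"""Added example, not the project's own code: optional client_secret per
RFC 6749 section 2.3.1 ("The client MAY omit the parameter if the client
secret is an empty string"). Class and function names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlencode
import warnings


@dataclass(frozen=True)
class OAuth2ClientConfig:
    client_id: str
    client_secret: Optional[str] = None  # None and "" both mean "no secret"
    token_url: str = "https://issuer.example/oauth2/token"  # placeholder value

    @property
    def is_confidential(self) -> bool:
        """A client holding a non-empty secret is a confidential client
        (RFC 6749 section 2.1); otherwise it is a public client."""
        return bool(self.client_secret)


def validate_config(cfg: OAuth2ClientConfig, production: bool = False) -> List[str]:
    """Return a list of configuration findings.

    client_id is genuinely required, so its absence is an error.
    client_secret is optional, so an empty secret is only reported
    (and surfaced as a runtime warning in production) rather than
    treated as a hard failure."""
    findings: List[str] = []
    if not cfg.client_id:
        raise ValueError("client_id is required")
    if not cfg.is_confidential:
        msg = "client_secret is empty; the client will be treated as a public client"
        findings.append(msg)
        if production:
            warnings.warn(msg)
    return findings


def build_token_request_body(cfg: OAuth2ClientConfig, code: str, redirect_uri: str) -> str:
    """Build the application/x-www-form-urlencoded body for an
    authorization_code exchange (RFC 6749 section 4.1.3).

    client_secret is omitted from the body entirely when it is empty,
    which is what section 2.3.1 permits, instead of sending
    client_secret= with no value."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": cfg.client_id,
    }
    if cfg.is_confidential:
        params["client_secret"] = cfg.client_secret
    return urlencode(params)


if __name__ == "__main__":
    # Constructed sample configurations for demonstration only.
    public = OAuth2ClientConfig(client_id="sample-public-client")
    confidential = OAuth2ClientConfig(client_id="sample-app", client_secret="sample-secret")
    for cfg in (public, confidential):
        print(validate_config(cfg))
        print(build_token_request_body(cfg, "sample-code", "https://app.example/callback"))
```

The check returns findings rather than raising so that a caller can decide (as the issue suggests) whether an empty secret is acceptable for its environment, while the request builder never emits an empty client_secret parameter.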
