Make clientID optional
tibr opened this issue · comments
Tim commented
As mentioned by @Gi-lo the client_id
field is not mandatory when requesting the access token. Because of that we should make it optional.
https://tools.ietf.org/html/rfc6749#section-4.3.2:
If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.
https://tools.ietf.org/html/rfc6749#section-3.2.1:
A client MAY use the "client_id" request parameter to identify itself
when sending requests to the token endpoint.