From f3e85d8f512f7acbf1b5568ce9a8eee7aa807940 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Fri, 12 May 2023 11:48:25 +0300
Subject: [PATCH] lib-oauth2: Do not send empty client_id or client_secret

---
 src/lib-oauth2/oauth2-request.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/lib-oauth2/oauth2-request.c b/src/lib-oauth2/oauth2-request.c
index 1f97295373..96def56fc8 100644
--- a/src/lib-oauth2/oauth2-request.c
+++ b/src/lib-oauth2/oauth2-request.c
@@ -286,10 +286,14 @@ oauth2_introspection_start(const struct oauth2_settings *set,
 		enc = t_str_new(64);
 		str_append(enc, set->introspection_url);
 		http_url_escape_param(enc, input->token);
-		str_append(enc, "&client_id=");
-		http_url_escape_param(enc, set->client_id);
-		str_append(enc, "&client_secret=");
-		http_url_escape_param(enc, set->client_secret);
+		if (*set->client_id != '\0') {
+			str_append(enc, "&client_id=");
+			http_url_escape_param(enc, set->client_id);
+		}
+		if (*set->client_secret != '\0') {
+			str_append(enc, "&client_secret=");
+			http_url_escape_param(enc, set->client_secret);
+		}
 		url = str_c(enc);
 		method = "GET";
 		break;
@@ -345,10 +349,14 @@ oauth2_passwd_grant_start(const struct oauth2_settings *set,
 	http_url_escape_param(payload, username);
 	str_append(payload, "&password=");
 	http_url_escape_param(payload, password);
-	str_append(payload, "&client_id=");
-	http_url_escape_param(payload, set->client_id);
-	str_append(payload, "&client_secret=");
-	http_url_escape_param(payload, set->client_secret);
+	if (*set->client_id != '\0') {
+		str_append(payload, "&client_id=");
+		http_url_escape_param(payload, set->client_id);
+	}
+	if (*set->client_secret != '\0') {
+		str_append(payload, "&client_secret=");
+		http_url_escape_param(payload, set->client_secret);
+	}
 	if (set->scope[0] != '\0') {
 		str_append(payload, "&scope=");
 		http_url_escape_param(payload, set->scope);
-- 
2.47.3