From 83f6c7e003bd47356c7f119f9ceb0149c748a410 Mon Sep 17 00:00:00 2001
From: huaxia-zhao <huaxia.zhao@gmail.com>
Date: Wed, 25 May 2016 20:09:41 -0700
Subject: [PATCH] Omit client_secret parameter when it is empty

According to :

https://tools.ietf.org/html/rfc6749#section-2.3.1

     client_secret
           REQUIRED.  The client secret.  The client MAY omit the
           parameter if the client secret is an empty string.

In some cases, like using JWT or other assertion approach as secret, this parameter in request should be removed.
---
 lib/oauth2.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/oauth2.js b/lib/oauth2.js
index 94ed662c..4810bc27 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -163,7 +163,8 @@ exports.OAuth2.prototype.getAuthorizeUrl= function( params ) {
 exports.OAuth2.prototype.getOAuthAccessToken= function(code, params, callback) {
   var params= params || {};
   params['client_id'] = this._clientId;
-  params['client_secret'] = this._clientSecret;
+  if ( this._clientSecret )
+    params['client_secret'] = this._clientSecret;
   var codeParam = (params.grant_type === 'refresh_token') ? 'refresh_token' : 'code';
   params[codeParam]= code;