Spring Security OAuth 2.0 - client secret always required for authorization code grant

陌清茗 2020-12-03 11:54

According to the spec, requests for a token using the authorization code grant are not required to be authenticated as long as the client_id is included in the

6 answers
  •  一生所求
    2020-12-03 12:36

    Initially I had a similar setup to the accepted answer, which is definitely a prerequisite to make this work. But what is missing is that you cannot simply set the password to null. You must set it to an empty password, for example like this:

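    import org.springframework.security.crypto.factory.PasswordEncoderFactories;
    // Store the encoded empty string as the client secret instead of null
    String secret = PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("");
    clientDetails.setClientSecret(secret);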
    

    If you don't do this, you will still get a 401!
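Added example, not part of the answer above or of Spring's own code: a registration helper that applies the encoded empty secret and refuses settings that are unsafe for a secretless client. It assumes `clientDetails` is a `BaseClientDetails` from spring-security-oauth2; the class name `PublicClientFactory`, the method `publicClient` and all sample values are hypothetical.

```java
import java.util.Set;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

// Hypothetical helper: registers a secretless (public) client the way the answer describes.
public class PublicClientFactory {

    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    static BaseClientDetails publicClient(String clientId, String scopes,
                                          String grantTypes, String redirectUris) {
        BaseClientDetails client =
                new BaseClientDetails(clientId, null, scopes, grantTypes, null, redirectUris);

        // With an empty secret, knowing the client_id is enough to authenticate as the
        // client, so a grant that issues tokens on client authentication alone is refused.
        if (client.getAuthorizedGrantTypes().contains("client_credentials")) {
            throw new IllegalArgumentException("client_credentials needs a confidential client");
        }
        // Require a registered redirect URI so the code cannot be sent to an arbitrary address.
        Set<String> uris = client.getRegisteredRedirectUri();
        if (uris == null || uris.isEmpty()) {
            throw new IllegalArgumentException("public client needs a registered redirect URI");
        }
        // Store the encoded empty string, not null (the point made in the answer).
        client.setClientSecret(ENCODER.encode(""));
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        BaseClientDetails spa = publicClient("spa-client", "read",
                "authorization_code", "https://app.example.test/callback");
        System.out.println("stored secret: " + spa.getClientSecret());
        System.out.println("empty secret matches: " + ENCODER.matches("", spa.getClientSecret()));
        try {
            publicClient("spa-client", "read", "authorization_code,client_credentials",
                    "https://app.example.test/callback");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```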
