When a client is configured with a client secret, i.e. it's a confidential client, this secret is not sent with the device authorization request (the very first request where you retrieve the DeviceAuthResponse). RFC-8628 states that:
The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves.
In the DeviceAuth (deviceauth.go:82) method, the client_id is always added as a query parameter and the secret is not used. This method should use the same construction as used in newTokenRequest in token.go:183.
Stumbled on the very same issue today and it took us hours to trace the problem to the client_secret not being included in the request. I had to use an AuthOption, i.e. oauth2.SetAuthURLParam("client_secret", secret), to force its inclusion.
Can somebody enlighten me as to why it's not included?
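Added example, not part of the issue thread and not code from golang.org/x/oauth2: the RFC 8628 requirement quoted above, seen from the server side. It is a hypothetical device authorization endpoint that rejects a confidential client sending only client_id and accepts the secret either in the form body or via HTTP Basic. The handler, the /device/code path and the credentials are constructed for the illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const sampleID, sampleSecret = "device-client", "s3cr3t-constructed" // constructed sample credentials

// deviceAuthHandler is a hypothetical endpoint enforcing RFC 6749 section 3.2.1 client authentication.
func deviceAuthHandler(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	if ok { // RFC 6749 section 2.3.1: Basic credentials are form-urlencoded
		id, _ = url.QueryUnescape(id)
		secret, _ = url.QueryUnescape(secret)
	} else {
		id, secret = r.PostFormValue("client_id"), r.PostFormValue("client_secret")
	}
	w.Header().Set("Content-Type", "application/json")
	if id != sampleID || subtle.ConstantTimeCompare([]byte(secret), []byte(sampleSecret)) != 1 {
		w.WriteHeader(http.StatusUnauthorized)
		fmt.Fprint(w, `{"error":"invalid_client"}`)
		return
	}
	fmt.Fprint(w, `{"device_code":"constructed","user_code":"ABCD-EFGH","verification_uri":"https://example.com/device","expires_in":600}`)
}

// requestDeviceCode returns the handler's status; an empty secret reproduces the client_id-only request.
func requestDeviceCode(id, secret string, inHeader bool) int {
	form := url.Values{"client_id": {id}}
	if secret != "" && !inHeader {
		form.Set("client_secret", secret) // secret carried in the form body
	}
	req := httptest.NewRequest(http.MethodPost, "/device/code", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if secret != "" && inHeader {
		req.SetBasicAuth(url.QueryEscape(id), url.QueryEscape(secret)) // secret carried in the Authorization header
	}
	rec := httptest.NewRecorder()
	deviceAuthHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(requestDeviceCode(sampleID, "", false), requestDeviceCode(sampleID, sampleSecret, false), requestDeviceCode(sampleID, sampleSecret, true))
}
```

Against an authorization server that enforces this, a client_id-only device authorization request fails with invalid_client, which is the failure described in this thread.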