authorjonathan vanasco <jonathan@2xlp.com>2018-09-17 13:18:36 -0400
committerjonathan vanasco <jonathan@2xlp.com>2018-09-17 13:20:15 -0400
commite7bd936434f7268b0453fd25c637034f7efd8168 (patch)
tree898a4a48cec0e216f84de759e8a8429924735095 /oauthlib/oauth2/rfc6749
parentc8fcbf87ca38faa4dfbe56d0609a4ce15c2d7aca (diff)
downloadoauthlib-e7bd936434f7268b0453fd25c637034f7efd8168.tar.gz
* added support for an empty-string `client_secret`
* added LegacyApplicationClient tests to ensure the grant supports a variety of allowed methods
Diffstat (limited to 'oauthlib/oauth2/rfc6749')
-rw-r--r--oauthlib/oauth2/rfc6749/clients/web_application.py8
-rw-r--r--oauthlib/oauth2/rfc6749/parameters.py4
2 files changed, 12 insertions, 0 deletions
diff --git a/oauthlib/oauth2/rfc6749/clients/web_application.py b/oauthlib/oauth2/rfc6749/clients/web_application.py
index ec59b31..b4b109e 100644
--- a/oauthlib/oauth2/rfc6749/clients/web_application.py
+++ b/oauthlib/oauth2/rfc6749/clients/web_application.py
@@ -128,6 +128,14 @@ class WebApplicationClient(Client):
>>> client.prepare_request_body(code='sh35ksdf09sf', foo='bar')
'grant_type=authorization_code&code=sh35ksdf09sf&foo=bar'
+ `Section 3.2.1` also states:
+ In the "authorization_code" "grant_type" request to the token
+ endpoint, an unauthenticated client MUST send its "client_id" to
+ prevent itself from inadvertently accepting a code intended for a
+ client with a different "client_id". This protects the client from
+ substitution of the authentication code. (It provides no additional
+ security for the protected resource.)
+
.. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1
.. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1
"""
diff --git a/oauthlib/oauth2/rfc6749/parameters.py b/oauthlib/oauth2/rfc6749/parameters.py
index 1229f31..0a36e53 100644
--- a/oauthlib/oauth2/rfc6749/parameters.py
+++ b/oauthlib/oauth2/rfc6749/parameters.py
@@ -124,6 +124,10 @@ def prepare_token_request(grant_type, body='', **kwargs):
if kwargs[k]:
params.append((unicode_type(k), kwargs[k]))
+ if ('client_secret' in kwargs) and ('client_secret' not in params):
+ if kwargs['client_secret'] == '':
+ params.append((unicode_type('client_secret'), kwargs['client_secret']))
+
return add_params_to_qs(body, params)
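Review bot: The guard `'client_secret' not in params` on the first added line is always true, because `params` holds `(key, value)` tuples and a bare string never equals a tuple, so the condition does not do the duplicate check it appears to. It is harmless today only because the preceding loop skips falsy values, which is exactly why an empty `client_secret` never reached `params`; that coupling deserves to be made explicit rather than left to an ineffective test. The two lines can collapse to `if kwargs.get('client_secret') == '':` followed by `params.append((unicode_type('client_secret'), kwargs['client_secret']))`, with a comment such as `# the loop above drops falsy values; an explicit empty secret must still be sent` so the next maintainer does not "fix" the loop and silently remove the secret again. Note that only the empty string is special-cased; a `None` secret is still dropped, which is presumably intended but worth stating in the function's docstring. The enclosing `prepare_token_request` begins outside the hunk.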