@trwnh This is feedback from @rinsuki

Is it correct that client_secret is required in /oauth/authorize?
QT: mstdn.rinsuki.net/@rinsuki/103

rinsuki  
Isn't it weird that client_secret is required for /oauth/authorize? https://docs.joinmastodon.org/methods/apps/oauth#authorize-a-user

yes. otherwise, anyone could claim to be your client with only client_id.

ah, i misread -- it is indeed a mistake. client_secret is secret and should not be provided to the user during /oauth/authorize. it has been fixed. thank you for bringing it to my attention!

to be clear, client_secret is only needed when obtaining a token with /oauth/token

or when revoking a token as well. it is not needed for obtaining an authorization code.
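The split described in this thread, as an added example that is not part of the original posts: the authorize URL is opened in the user's browser and carries no secret, while the token and revoke requests are sent by the app itself and do carry it. The instance, client credentials and redirect URI are constructed placeholders, and `secret_in_front_channel` is a hypothetical helper name.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values, not real credentials.
INSTANCE = "https://mastodon.example"
CLIENT_ID = "constructed-client-id"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://app.example/callback"

def authorize_url(scope="read"):
    """Front channel: visible in the browser, history and referrers, so no secret."""
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
    })
    return f"{INSTANCE}/oauth/authorize?{query}"

def token_request(code):
    """Back channel: POST sent by the app itself; the client authenticates here."""
    return f"{INSTANCE}/oauth/token", {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }

def revoke_request(token):
    """Back channel: revoking a token also requires the client credentials."""
    return f"{INSTANCE}/oauth/revoke", {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "token": token,
    }

def secret_in_front_channel(url):
    """True if a browser-visible URL exposes client_secret in query or fragment."""
    parts = urlsplit(url)
    names = set(parse_qs(parts.query, keep_blank_values=True))
    names |= set(parse_qs(parts.fragment, keep_blank_values=True))
    return "client_secret" in names or CLIENT_SECRET in url
```

Running `secret_in_front_channel` over the URLs an app hands to the browser is a cheap regression check for the documentation mistake discussed above.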
