The current implementation of OAuth2 authentication provider requires specifying "client secret". However, the client secret can be an empty string and can even be omitted in the request if it is empty. As per RFC6749, section "2.3.1. Client Password":
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.
Thus, OAuth2 authentication provider should not mandate setting of client secret.