Closed
Description
According to the OAuth spec (https://datatracker.ietf.org/doc/html/rfc8252#section-8.5), it is NOT RECOMMENDED for authorization servers to require client authentication of public native app clients using a shared secret, but Gitea requires a client secret in both the authorization code flow and the refresh flow regardless of client type:
gitea/routers/web/auth/oauth.go (line 756 in 7a58733)
gitea/routers/web/auth/oauth.go (line 698 in 7a58733)
The fix would be to validate the secret if and only if app.ConfidentialClient is set.
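The proposed check, written out as a stand-alone Go example (added here; this is not Gitea's code). The `OAuthApp` type, its `SecretHash` field and the `authenticateClient` function are assumptions for illustration; only the `ConfidentialClient` flag comes from the issue. The same function would be called from both the authorization code exchange and the refresh grant, since the issue notes both paths require a secret today.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// OAuthApp is a hypothetical stand-in for the registered application record.
// ConfidentialClient is the flag named in the issue; the other fields are
// assumptions made for this example.
type OAuthApp struct {
	ClientID           string
	ConfidentialClient bool
	// SecretHash holds sha256(secret) so the example stays within the standard
	// library. A real server should store a slow password hash (bcrypt, argon2)
	// for client secrets instead of a plain SHA-256.
	SecretHash []byte
}

// ErrInvalidClient corresponds to the RFC 6749 "invalid_client" token error.
var ErrInvalidClient = errors.New("invalid_client")

// hashSecret derives the stored form of a client secret (demo hashing, see above).
func hashSecret(secret string) []byte {
	h := sha256.Sum256([]byte(secret))
	return h[:]
}

// authenticateClient demands and verifies a client secret only when the app is
// registered as confidential. Public (native or browser-based) clients are
// accepted without a secret, as RFC 8252 section 8.5 recommends; a secret a
// public client sends anyway is ignored rather than trusted, because no
// secret is on record for it.
func authenticateClient(app *OAuthApp, presentedSecret string) error {
	if !app.ConfidentialClient {
		return nil
	}
	if presentedSecret == "" {
		return fmt.Errorf("%w: confidential client %q did not present a secret",
			ErrInvalidClient, app.ClientID)
	}
	// Constant-time comparison so a mismatch does not leak where the secret diverges.
	if subtle.ConstantTimeCompare(hashSecret(presentedSecret), app.SecretHash) != 1 {
		return fmt.Errorf("%w: secret mismatch for client %q", ErrInvalidClient, app.ClientID)
	}
	return nil
}

func main() {
	// Constructed sample applications: one confidential web app, one public native app.
	web := &OAuthApp{ClientID: "web-app", ConfidentialClient: true, SecretHash: hashSecret("s3cret")}
	native := &OAuthApp{ClientID: "native-app", ConfidentialClient: false}

	for _, tc := range []struct {
		app    *OAuthApp
		secret string
	}{
		{web, "s3cret"}, // confidential, correct secret: accepted
		{web, ""},       // confidential, no secret: rejected
		{native, ""},    // public, no secret: accepted (the fix)
	} {
		fmt.Printf("%-10s secret=%q -> %v\n", tc.app.ClientID, tc.secret, authenticateClient(tc.app, tc.secret))
	}
}
```

Both the authorization code exchange and the refresh grant would route through `authenticateClient` before any token is issued, so a confidential client still cannot obtain tokens without its secret while a public client is no longer blocked.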