Description
AccessTokenServerResource#validate should return null when its validation has failed. However, an invalid client_secret passes through this method.
The current code from 2.2-SNAPSHOT is
...
    if ((clientSecret == null) || !clientSecret.equals(client.getClientSecret())) {
        sendError(OAuthError.invalid_grant, "Client secret did not match", null);
        setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
        getLogger().warning(
                "Could not find or match client secret " + clientSecret
                        + " : " + client.getClientSecret());
    }
...
Actually, #sendError and #setStatus are insignificant here. We must also return null to indicate that validation went wrong.
Thus, the code should be
...
    if ((clientSecret == null) || !clientSecret.equals(client.getClientSecret())) {
        getLogger().warning(
                "Could not find or match client secret " + clientSecret
                        + " : " + client.getClientSecret());
        return null;
    }
...
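The fall-through the issue describes, as an added, self-contained example (not Restlet's code and not the reporter's): a minimal model of the validate control flow with a stand-in Client, an in-memory client registry and a sendError stub, all of which are assumptions made for the illustration. validateBroken mirrors the 2.2-SNAPSHOT shape, where the mismatch branch reports an error but then continues to the success path and returns the client; validateFixed returns null from that branch. The fixed version also keeps the error reporting alongside the early return, compares secrets with MessageDigest.isEqual instead of String.equals so the comparison does not leak timing, and does not write either secret to the log; those three points go beyond the issue's own fix.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not Restlet's code. Client, the registry and sendError are
 * stand-ins (assumptions) for the real Restlet types; the point is the
 * missing early return in the secret-mismatch branch.
 */
public class ValidateFallThrough {

    /** Stand-in for a registered OAuth client. */
    static final class Client {
        final String id;
        private final String secret;
        Client(String id, String secret) { this.id = id; this.secret = secret; }
        String getClientSecret() { return secret; }
        @Override public String toString() { return "Client(" + id + ")"; }
    }

    /** Constructed registry: one client with a known secret (sample data). */
    private final Map<String, Client> clients = new HashMap<>();
    /** Last error "sent", so a caller can see that an error was raised. */
    String lastError;

    ValidateFallThrough() {
        clients.put("app1", new Client("app1", "s3cret"));
    }

    /** Stand-in for the resource's sendError/setStatus pair. */
    void sendError(String error, String description) {
        lastError = error + ": " + description;
    }

    /** 2.2-SNAPSHOT shape: the mismatch branch reports an error but does not return. */
    Client validateBroken(String clientId, String clientSecret) {
        Client client = clients.get(clientId);
        if (client == null) {
            sendError("invalid_client", "Unknown client");
            return null;
        }
        if ((clientSecret == null) || !clientSecret.equals(client.getClientSecret())) {
            sendError("invalid_grant", "Client secret did not match");
            // No return here: execution falls through and the client is handed back.
        }
        return client;
    }

    /** Fixed shape: the mismatch branch returns null, and nothing secret is logged. */
    Client validateFixed(String clientId, String clientSecret) {
        Client client = clients.get(clientId);
        if (client == null) {
            sendError("invalid_client", "Unknown client");
            return null;
        }
        if (clientSecret == null || !secretsMatch(clientSecret, client.getClientSecret())) {
            sendError("invalid_grant", "Client secret did not match");
            return null;   // validation failed: stop here
        }
        return client;
    }

    /** Constant-time comparison so a wrong secret cannot be narrowed down by response time. */
    static boolean secretsMatch(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        ValidateFallThrough v = new ValidateFallThrough();
        System.out.println("broken, wrong secret -> " + v.validateBroken("app1", "wrong")
                + " (error sent: " + v.lastError + ")");
        System.out.println("fixed,  wrong secret -> " + v.validateFixed("app1", "wrong"));
        System.out.println("fixed,  right secret -> " + v.validateFixed("app1", "s3cret"));
        System.out.println("fixed,  null secret  -> " + v.validateFixed("app1", null));
    }
}
```

Running main shows the difference the issue is about: validateBroken returns Client(app1) for a wrong secret even though an invalid_grant error was recorded, while validateFixed returns null for a wrong or missing secret and the client only for the correct one. Any caller that treats a non-null result as "authenticated" is therefore bypassed by the broken version.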