mod_http_oauth2: Don't issue client_secret when not using authentication This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.

This module helps make BOSH and WebSocket connection endpoints
discoverable via the HTTP method described in
[XEP-0156](https://xmpp.org/extensions/xep-0156.html#http).