fix(oidc): nil check for client secret (#7115)

This fixes a nil pointer panic when client basic auth is attempted on a client without secret in introspection.

internal/api/oidc/introspect.go

@@ -72,7 +72,7 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
 		return nil, err
 	}
 
-	// remaining errors shoudn't be returned to the client,
+	// remaining errors shouldn't be returned to the client,
 	// so we catch errors here, log them and return the response
 	// with active: false
 	defer func() {
@@ -122,6 +122,8 @@ type introspectionClientResult struct {
 	err       error
 }
 
+var errNoClientSecret = errors.New("client has no configured secret")
+
 func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCredentials, rc chan<- *introspectionClientResult) {
 	ctx, span := tracing.NewSpan(ctx)
 
@@ -136,13 +138,16 @@ func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCrede
 			if _, err := op.VerifyJWTAssertion(ctx, cc.ClientAssertion, verifier); err != nil {
 				return "", "", oidc.ErrUnauthorizedClient().WithParent(err)
 			}
-		} else {
+			return client.ClientID, client.ProjectID, nil
+
+		}
+		if client.ClientSecret != nil {
 			if err := crypto.CompareHash(client.ClientSecret, []byte(cc.ClientSecret), s.hashAlg); err != nil {
 				return "", "", oidc.ErrUnauthorizedClient().WithParent(err)
 			}
+			return client.ClientID, client.ProjectID, nil
 		}
-
-		return client.ClientID, client.ProjectID, nil
+		return "", "", oidc.ErrUnauthorizedClient().WithParent(errNoClientSecret)
 	}()
 
 	span.EndWithError(err)