JWT with Spring OAuth2

Published 2019-02-24 11:51

I have created the Spring Authorization Server which issues JWTs and a Resource Server which checks the JWT, its claims and permissions on the Authorization Server. To do so, I have followed this article.

My question is why I need to send the Authorization header with HTTP Basic authorization and Base64-encoded username/password (ClientId:ClientSecret) in the get-token request? I have seen JWT implementations where only username and password are required.

2 answers
我想做一个坏孩纸
Post #2 · 2019-02-24 12:29

It is part of the specification; see RFC 6749:

2.3 Client Authentication

If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.

Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).

The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

The client MUST NOT use more than one authentication method in each request.

By default, Spring Security OAuth 2.0 protects the token endpoint; see the OAuth 2 Developers Guide:

The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.

But it seems that you can disable the client authentication:

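An added example of the exchange this answer describes, written here for illustration and not taken from the page, Spring or the linked article: a confidential client puts `client_id:client_secret` in an HTTP Basic Authorization header (RFC 6749 section 2.3.1) and the user's credentials in the form body, and the authorization server verifies the client before it will issue a token. The client registry, client IDs and secrets are constructed sample values; real servers look them up in a store.

```python
import base64
import hmac
from typing import Optional
from urllib.parse import quote, unquote, urlencode

# Constructed sample client registry (hypothetical values, not from the page).
# A confidential client holds a secret; a public client (e.g. a browser app) has none.
REGISTERED_CLIENTS = {
    "my-client": {"secret": "my-client-secret", "confidential": True},
    "spa-client": {"secret": None, "confidential": False},
}


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for HTTP Basic client authentication.

    RFC 6749 section 2.3.1: client_id and client_secret are each
    form-urlencoded, joined with ':' and then Base64 encoded.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_token_request(client_id: str, client_secret: str,
                        username: str, password: str):
    """Headers and form body of a password-grant token request, as the client sends it.

    The resource owner's credentials travel in the body (RFC 6749 section 4.3.2);
    the client's own credentials travel in the Authorization header.
    """
    headers = {
        "Authorization": build_basic_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password",
                      "username": username, "password": password})
    return headers, body


def authenticate_client(headers: dict) -> Optional[str]:
    """Server-side check of the token request's client authentication.

    Returns the authenticated client_id, or None when the request must be
    rejected with an invalid_client error (RFC 6749 section 5.2).
    """
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None
    client_id, client_secret = unquote(client_id), unquote(client_secret)
    client = REGISTERED_CLIENTS.get(client_id)
    # RFC 6749 section 2.3: a public client's authentication must not be relied
    # on to identify it, so only confidential clients pass this check.
    if client is None or not client["confidential"]:
        return None
    # Constant-time comparison so the secret does not leak through timing.
    if not hmac.compare_digest(client["secret"].encode("utf-8"),
                               client_secret.encode("utf-8")):
        return None
    return client_id


if __name__ == "__main__":
    hdrs, form = build_token_request("my-client", "my-client-secret", "alice", "s3cret")
    print(hdrs["Authorization"], form)
    print("authenticated client:", authenticate_client(hdrs))
```

The Authorization header answers "which client is asking?" and the form body answers "which user is asking?"; the server needs both before it knows what the issued JWT may represent.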
戒情不戒烟
Post #3 · 2019-02-24 12:48

That is the structure of the JWT token:

    HMACSHA256(
        base64UrlEncode(header) + "." +
        base64UrlEncode(payload),
        secret
    )

As you are doing a JWT implementation, all 3 parts must be there: header.payload.secret

Maybe in the implementation you have seen, the server was working with a default secret.
