Kong does not always do proper validation on the client credentials flow for OAuth 2.0 in a specific scenario, specifically when empty creds are passed:
POST https://gateway-dev.company.com/auth/oauth2/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Host: gateway-dev.company.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
grant_type=client_credentials&client_id=&client_secret=
Response:
HTTP/1.1 500 Internal Server Error
Date: Mon, 17 Jun 2019 20:50:52 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 42
{"message":"An unexpected error occurred"}
Expected response (or some variety of HTTP 400 Bad Request with a body):
HTTP/1.1 400 Bad Request
Date: Mon, 17 Jun 2019 20:50:52 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 42
{"error_description":"Invalid client authentication","error":"invalid_client"}
Kong also throws this in its logs on the error:
2019/06/17 20:50:52 [error] 37#0: *67100 [kong] access.lua:49 [oauth2] failed to get from node cache: [cassandra] length must be at least 1, client: 10.xx.xx.xxx, server: kong, request: "POST /auth/oauth2/token HTTP/1.1", host: "gateway-dev.company.com"
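The failure mode above, reduced to a runnable model (added example, not code from Kong or from the reporter): a stand-in cache that raises on an empty key, the way the Cassandra lookup in the log line does, and two token-endpoint handlers. The first looks the client up before validating anything, so the storage error surfaces as a 500; the second rejects empty `client_id`/`client_secret` (and a wrong `grant_type`) with an RFC 6749 error body before any lookup. The `CLIENTS` dict, `cache_lookup`, and both handler names are assumptions made for the illustration and do not exist in the Kong plugin.

```python
"""Added example (not Kong's code): model the empty-credential 500 and the
validation that turns it into a 400 invalid_client before the datastore is
touched. Names below (CLIENTS, cache_lookup, the two handlers) are assumed."""
import hmac
from urllib.parse import parse_qs

# Constructed sample credential store standing in for Kong's oauth2_credentials.
CLIENTS = {"demo-client": "s3cret"}

INVALID_CLIENT = {
    "error": "invalid_client",
    "error_description": "Invalid client authentication",
}


def cache_lookup(client_id: str):
    """Stand-in for the node cache / Cassandra fetch.

    An empty key is a storage-layer error (compare the log line
    '[cassandra] length must be at least 1'), not an 'unknown client'."""
    if len(client_id) < 1:
        raise ValueError("[cassandra] length must be at least 1")
    return CLIENTS.get(client_id)


def parse_form(body: str) -> dict:
    # keep_blank_values=True so 'client_id=' is seen as present-but-empty,
    # which is exactly the input that triggers the bug.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def unvalidated_token_endpoint(body: str):
    """Before: lookup first, validation later. The storage error is only caught
    by a generic handler, so the client sees a 500 for a malformed request."""
    form = parse_form(body)
    try:
        stored_secret = cache_lookup(form.get("client_id", ""))
    except Exception:
        return 500, {"message": "An unexpected error occurred"}
    if stored_secret is None or stored_secret != form.get("client_secret"):
        return 400, dict(INVALID_CLIENT)
    return 200, {"access_token": "<token>", "token_type": "bearer"}


def validated_token_endpoint(body: str):
    """After: validate the form before touching the datastore, so a missing or
    empty credential is a client error (400) and never reaches the cache."""
    form = parse_form(body)
    if form.get("grant_type") != "client_credentials":
        return 400, {
            "error": "unsupported_grant_type",
            "error_description": "Invalid grant_type",
        }
    client_id = form.get("client_id", "")
    client_secret = form.get("client_secret", "")
    if not client_id or not client_secret:
        # Fail closed on empty credentials; an empty key must never be
        # handed to the cache lookup.
        return 400, dict(INVALID_CLIENT)
    stored_secret = cache_lookup(client_id)
    # Constant-time comparison so secret length/prefix does not leak via timing.
    if stored_secret is None or not hmac.compare_digest(stored_secret, client_secret):
        return 400, dict(INVALID_CLIENT)
    return 200, {"access_token": "<token>", "token_type": "bearer"}


if __name__ == "__main__":
    # The request body from this issue, constructed inline.
    body = "grant_type=client_credentials&client_id=&client_secret="
    print("before:", unvalidated_token_endpoint(body))
    print("after: ", validated_token_endpoint(body))
```

Running the block prints the 500 body from the issue for the unvalidated handler and a 400 `invalid_client` body for the validated one. The ordering is the whole point: any check that depends on the datastore (credential lookup, secret comparison) must come after the syntactic checks on the form, otherwise degenerate input is turned into backend errors and, in a gateway, into noisy 500s that look like an outage rather than a bad client.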
@jeremyjpj0916 thank you for reporting, I'll try to do a bunch of these OAuth2 cards soon.
Closing this as #4884 was merged. Will be picked up for 1.3.0 it seems.