fix: add coverage for client_secret_post None client_id branch

Add test for edge case where client_id is None in client_secret_post
auth method. This ensures 100% branch coverage on oauth2.py
(previously missing the 210->212 branch).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: g97iulio1609

src/mcp/client/auth/oauth2.py

@@ -207,7 +207,7 @@ def prepare_token_auth(
             data = {k: v for k, v in data.items() if k != "client_secret"}
         elif auth_method == "client_secret_post" and self.client_info.client_secret:
             # Include client_id and client_secret in request body (RFC 6749 §2.3.1)
-            if self.client_info.client_id:
+            if self.client_info.client_id is not None:
                 data["client_id"] = self.client_info.client_id
             data["client_secret"] = self.client_info.client_secret
         # For auth_method == "none", don't add any client_secret

tests/client/auth/extensions/test_client_credentials.py

@@ -280,6 +280,43 @@ async def test_exchange_token_client_secret_post_includes_client_id(self, mock_s
         # Should NOT have Basic auth header
         assert "Authorization" not in request.headers
 
+    @pytest.mark.anyio
+    async def test_exchange_token_client_secret_post_without_client_id(self, mock_storage: MockTokenStorage):
+        """Test that client_secret_post omits client_id from body when it is None."""
+        provider = ClientCredentialsOAuthProvider(
+            server_url="https://api.example.com/v1/mcp",
+            storage=mock_storage,
+            client_id="placeholder",
+            client_secret="test-client-secret",
+            token_endpoint_auth_method="client_secret_post",
+            scopes="read write",
+        )
+        await provider._initialize()
+        provider.context.oauth_metadata = OAuthMetadata(
+            issuer=AnyHttpUrl("https://api.example.com"),
+            authorization_endpoint=AnyHttpUrl("https://api.example.com/authorize"),
+            token_endpoint=AnyHttpUrl("https://api.example.com/token"),
+        )
+        provider.context.protocol_version = "2025-06-18"
+        # Override client_info to have client_id=None (edge case)
+        provider.context.client_info = OAuthClientInformationFull(
+            redirect_uris=None,
+            client_id=None,
+            client_secret="test-client-secret",
+            grant_types=["client_credentials"],
+            token_endpoint_auth_method="client_secret_post",
+            scope="read write",
+        )
+
+        request = await provider._perform_authorization()
+
+        content = urllib.parse.unquote_plus(request.content.decode())
+        assert "grant_type=client_credentials" in content
+        assert "client_secret=test-client-secret" in content
+        # client_id should NOT be in body since it's None
+        assert "client_id=" not in content
+        assert "Authorization" not in request.headers
+
     @pytest.mark.anyio
     async def test_exchange_token_without_scopes(self, mock_storage: MockTokenStorage):
         """Test token exchange without scopes."""