
client_secret in OAuth2Validator fails authentication when it contains '+' character #1639

@chadj2

Describe the bug
Attempting to authenticate with a client secret using OAuth2Validator fails when the secret contains a '+' character.

To Reproduce
See above.

Expected behavior
See above.

Version
latest

  • I have tested with the latest published release and it's still a problem.
  • I have tested with the master branch and it's still a problem.

Additional context
This problem is happening because of the use of unquote_plus() to decode the key:

client_id, client_secret = map(unquote_plus, auth_string_decoded.split(":", 1))

The '+' character is replaced with a space, thus changing the contents of the key. This unquoting should not be necessary since the key was already encoded with base64. Libraries like FastMCP do not encode the '+' character, so it is either them or this library that needs to change.

Changing the line to this solves the problem:

client_id, client_secret = auth_string_decoded.split(":", 1)
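An added example, not code from the issue or from the library it reports against, that models both sides of the mismatch described above: a client that form-urlencodes the credentials before base64 (what RFC 6749 section 2.3.1 requires, which is why the server side calls unquote_plus) against one that only base64-encodes the raw values, and a server that unquotes against one using the proposed change. The function names and the sample client id and secret are constructed for this example.

```python
import base64
import binascii
import hmac
from urllib.parse import quote_plus, unquote_plus

def build_basic_header(client_id, client_secret, encode=True):
    # encode=True form-urlencodes first, as RFC 6749 section 2.3.1 requires
    # ('+' -> '%2B', space -> '+'); encode=False models a client that only base64s.
    if encode:
        client_id, client_secret = quote_plus(client_id), quote_plus(client_secret)
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic_auth(header_value, unquote=True):
    # unquote=True is the reported line (unquote_plus); False is the proposed change.
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(b64).decode("utf-8")
    if ":" not in decoded:
        raise ValueError("missing ':' separator")
    client_id, client_secret = decoded.split(":", 1)
    if unquote:
        client_id, client_secret = map(unquote_plus, (client_id, client_secret))
    return client_id, client_secret

def authenticate(header_value, expected_id, expected_secret, unquote=True):
    # Reject malformed headers and compare both values in constant time.
    try:
        client_id, client_secret = decode_basic_auth(header_value, unquote=unquote)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False
    id_ok = hmac.compare_digest(client_id.encode(), expected_id.encode())
    secret_ok = hmac.compare_digest(client_secret.encode(), expected_secret.encode())
    return id_ok and secret_ok

def interop_matrix(client_id, client_secret):
    # (client_encodes, server_unquotes) -> does authentication succeed?
    results = {}
    for client_encodes in (True, False):
        header = build_basic_header(client_id, client_secret, encode=client_encodes)
        for server_unquotes in (True, False):
            results[(client_encodes, server_unquotes)] = authenticate(
                header, client_id, client_secret, unquote=server_unquotes)
    return results
```

With a secret containing '+', only the two matching combinations succeed: an encoding client with an unquoting server, or a non-encoding client with the proposed change; the proposed change therefore breaks clients that follow the RFC, while the current line breaks clients that do not.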
