comment about internal and external client auth

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/ClientDetailsAuthenticationProvider.java

@@ -77,7 +77,7 @@ protected void additionalAuthenticationChecks(UserDetails userDetails, UsernameP
                         break;
                     }
                 } else if (ObjectUtils.isEmpty(authentication.getCredentials())) {
-                    // set none as client_auth_method for all usage of empty secrets, e.g. cf client
+                    // set internally empty as client_auth_method e.g. cf client
                     setAuthenticationMethod(authentication, CLIENT_AUTH_EMPTY);
                 }
                 if (uaaClient.getPassword() == null) {

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java

@@ -491,6 +491,7 @@ private CompositeToken createCompositeToken(String tokenId,
 
     private static Map<String, Object> addRootClaimEntry(Map<String, Object> additionalRootClaims, String entry, String value) {
         Map<String, Object> claims = additionalRootClaims != null ? additionalRootClaims : new HashMap<>();
+        // set externally none as client_auth_method if internally empty
         claims.put(entry, CLIENT_AUTH_EMPTY.equals(value) ? CLIENT_AUTH_NONE : value);
         return claims;
     }