validateCredentials
open override fun validateCredentials(request: Request, clientId: ClientId, clientSecret: String): Boolean
We are non-strict here - we only check the secret if there was one generated. This will differ from real cognito (which would reject if an attempt was made to auth with a client with no secret)