boydcl

Results 6 comments of boydcl

Don't agree they should be removed. The header is clear on the purpose of those strings. It's for testing if your app recognizes it as an RTL string.

The Password grant referred to in the docs does require passing the `client_secret`. See http://oauth2.thephpleague.com/authorization-server/resource-owner-password-credentials-grant/

The password grant in this implementation indeed requires the `client_secret` to be passed. https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/PasswordGrant.php#L51

By reading the contents of `validateClient` it certainly seems like it's unconditionally enforced. https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AbstractGrant.php#L172

@simonhamp Thanks for your clarification. In that case I would suggest the doc needs an update. It now states > If the client is a web application that has runs...