clauth
Grant type password should not require client_secret
It seems to me that client_secret should not be required with grant_type=password, right?
As explained here (http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#others):
Note, the client secret is not included here under the assumption that most of the use cases for password grants will be mobile or desktop apps, where the secret cannot be protected.
I'm happy to jump in and figure out how to modify clauth to not require the client_secret in this case if this sounds correct to you @pelle.
Hi, the standard differs from Aaron's suggested simplifications. http://tools.ietf.org/html/rfc6749#section-4.3.2
"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1."
The use of the word "if" in the above makes it ambiguous. I prefer erring on the stricter approach, but if we can find a way of making it optional I'd be willing to accept it in. Maybe either a global configuration option or a per app option.
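The "if" in the quoted RFC 6749 section 4.3.2 text resolves per client: a confidential client (or any client that was issued a secret) must authenticate, while a public client that was never issued credentials may omit client_secret. The following is an added example of a token-endpoint handler applying that rule, written for this page in Python; it is not clauth's code (clauth is Clojure) and the client registry (CLIENTS), user table (USERS), the functions password_grant and basic_header, and the global strict switch require_secret_for_public are all hypothetical names chosen for illustration. The strict switch corresponds to the "global configuration option" floated above; the per-client confidential flag corresponds to the "per app option".

```python
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


# Constructed client registry for this example (hypothetical data).
# "confidential" is the RFC 6749 section 2.1 client type. Public clients
# (mobile/desktop apps) were never issued a secret because they cannot keep one.
@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: Optional[str]  # None for public clients
    confidential: bool
    password_grant_allowed: bool = True


CLIENTS = {
    "web-backend": Client("web-backend", "s3cr3t-server-side", confidential=True),
    "mobile-app": Client("mobile-app", None, confidential=False),
}

# Constructed resource-owner credentials (hypothetical; a real server stores hashes).
USERS = {"alice": "correct horse battery staple"}


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header value (RFC 6749 section 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _client_from_basic(auth_header):
    """Parse a Basic header into (client_id, client_secret), or None if absent/malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, _, secret = decoded.partition(":")
    return client_id, secret


def password_grant(form, authorization=None, require_secret_for_public=False):
    """Handle a grant_type=password token request (RFC 6749 section 4.3).

    form: decoded application/x-www-form-urlencoded body.
    authorization: optional HTTP Authorization header value.
    require_secret_for_public: hypothetical global "strict" switch; when True,
    every client must authenticate, so a public client with no secret is refused.
    Returns (http_status, response_dict) shaped like a token or error response.
    """
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    # Client credentials come either in the Authorization header (preferred)
    # or in the body; section 2.3.1 forbids using both in one request.
    creds = _client_from_basic(authorization)
    if creds and "client_secret" in form:
        return 400, {"error": "invalid_request"}
    if creds:
        client_id, presented_secret = creds
    else:
        client_id, presented_secret = form.get("client_id"), form.get("client_secret")

    client = CLIENTS.get(client_id)
    if client is None:
        return 401, {"error": "invalid_client"}

    # Section 4.3.2: confidential clients, and clients that were issued
    # credentials, MUST authenticate. Public clients without credentials need not,
    # unless the deployment opts into the stricter global setting.
    must_authenticate = (
        client.confidential or client.client_secret is not None or require_secret_for_public
    )
    if must_authenticate:
        if presented_secret is None or client.client_secret is None or not hmac.compare_digest(
            presented_secret.encode(), client.client_secret.encode()
        ):
            return 401, {"error": "invalid_client"}
    if not client.password_grant_allowed:
        return 400, {"error": "unauthorized_client"}

    # Resource-owner credentials (section 4.3.2 REQUIRED parameters).
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        return 400, {"error": "invalid_request"}
    expected = USERS.get(username, "")  # empty string keeps the compare for unknown users
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return 400, {"error": "invalid_grant"}

    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": 3600}
```

With the defaults, `mobile-app` (public, no issued secret) gets a token without a client_secret, while `web-backend` is refused with `invalid_client` unless it authenticates via the Basic header or the body. Passing `require_secret_for_public=True` reproduces the stricter behaviour, under which a secret-less public client cannot use the grant at all.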
@pelle, is this going to land soonish? It's been an open pull request for quite some time; I just want to know whether to fork or not to fork. Cheers