@aaronpk Ever encounter 1st-party JS apps using the password grant type? Not sure how one would validate the req/client (no client_secret)
Replying to @swishstache
@swishstache Yea you can't validate with secret, so you just have to use password grant with no secret in that case. tools.ietf.org/html/draft-ie…

Aug 9, 2012 · 3:11 AM UTC

Replying to @aaronpk
@aaronpk ugh. As I feared. I only want 1st-party apps doing this, so I'll create a token endpoint only for them that verifies the client_id