I’ve created a web API that I’d like people to gain access to by using the password grant. I have a machine-to-machine application and a couple users set up in my dashboard. Everything works fine. I can get a JWT token using a client like Insomnia or Postman.
The only issue I have is that the request requires the client secret for my application. This means that my users won’t be able to request tokens because I can’t (shouldn’t) share the secret.
Looking on the OAuth 2.0 site, it states that the client secret is required if one was issued.
Is there a way to not require the secret be provided? Alternatively, is there a way to create an application that isn’t issued a secret (i.e. client credentials grant would never work)?
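The "required if one was issued" rule mentioned above, sketched as the check a token endpoint would make on the client part of a request. This is an added example, not part of the original post and not any provider's implementation; the client ids, the secret, the `CLIENTS` registry and `check_client` are hypothetical, and the error strings are the RFC 6749 error codes.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    secret: Optional[str]   # None means a public client: no secret was ever issued
    grants: frozenset       # grant types this registration may use


# Constructed registrations (hypothetical names and secret).
CLIENTS = {
    "m2m-app": Client("m2m-app", "s3cr3t-constructed",
                      frozenset({"password", "client_credentials"})),
    "native-app": Client("native-app", None, frozenset({"password"})),
}


def check_client(form: dict) -> Tuple[bool, str]:
    """Validate the client part of a token request; returns (ok, oauth_error)."""
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return False, "invalid_client"
    grant = form.get("grant_type", "")
    if grant not in client.grants:
        return False, "unauthorized_client"
    presented = form.get("client_secret")
    if client.secret is None:
        # Public client: it has nothing to authenticate with, so the
        # client_credentials grant can never apply to it.
        if grant == "client_credentials":
            return False, "unauthorized_client"
        # Choice made in this sketch: a public client that sends a secret is rejected.
        return (presented is None), ("" if presented is None else "invalid_client")
    # A secret was issued, so it must be presented and must match
    # (compared in constant time).
    if presented is None or not hmac.compare_digest(
            presented.encode(), client.secret.encode()):
        return False, "invalid_client"
    return True, ""


if __name__ == "__main__":
    for req in (
        {"grant_type": "password", "client_id": "native-app"},
        {"grant_type": "password", "client_id": "m2m-app"},
        {"grant_type": "client_credentials", "client_id": "native-app"},
    ):
        print(req, "->", check_client(req))
```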