I am trying to implement Oauth2 for a website using Python oauthlib. I have decided that I would like to use the grant type 'ResourceOwnerPasswordCredentialsGrant', this is because the website and the API are my own and will not be open to third parties.
In 'resource_owner_password_credentials.py' why is 'client_authentication_required' hardcoded to return 'True'?
Do I need to authenticate my client (website)? From my understanding this would be a 'public' and not a confidential client.
Looks like the author of oauthlib interpreted the spec this way. The section on the Resource Owner Password Credentials grant type (https://www.rfc-editor.org/rfc/rfc6749#section-4.3) says:
(B) The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.
Note that it suggests that the client authenticates but it does not use the MUST keyword in that last sentence. Just below that there's slightly more elaborate text (https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2) saying:
If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.
Note the "If the client is confidential", this time implying that public clients may use this grant type too, which makes sense.
So I believe this is due to a too strict interpretation of the wording in the specs.
