ammmir / node-oauth2-provider

A simple customizable OAuth 2.0 provider (server) for node.js.
MIT License

password grant_type requires secret? #35

Open tj opened 11 years ago

tj commented 11 years ago

It should be optional so you can have things like command-line tools that are user-accessible but won't expose a secret.

hillct commented 10 years ago

I was just now looking at the oauth2-provider implementation of the password flow, and it seems like the client is meant to be authenticated prior to or during the password auth flow, as described here:

http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.3

Checking notes actually explain the calling convention which seems consistent with the oauth2 draft. https://github.com/ammmir/node-oauth2-provider/commit/074f9a8bc9e42e0a4f667e87ba6eca52ee03b1e2 It would be useful to add the calling URL example to the docs though.
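
Added example, not part of the thread and not node-oauth2-provider's own code: a stand-alone token-endpoint check for `grant_type=password` that follows the rule in section 4.3 cited above (a confidential client must authenticate) while letting a registered public client, such as a command-line tool, identify itself with `client_id` alone. The registry, client ids, secret and function names are constructed for illustration.

```javascript
// Stand-alone sketch; none of these names come from node-oauth2-provider.
const { createHash, timingSafeEqual } = require('node:crypto');

// Constructed client registry (hypothetical ids and secret).
const CLIENTS = {
  'cli-tool': { type: 'public' }, // no secret was ever issued
  'web-backend': { type: 'confidential', secret: 'constructed-secret' },
};

// Constant-time secret comparison; hashing first equalizes the lengths.
function secretsMatch(a, b) {
  const h = (s) => createHash('sha256').update(String(s)).digest();
  return timingSafeEqual(h(a), h(b));
}

// Client credentials come from HTTP Basic auth or from the form body.
// Assumes id and secret need no form-decoding (plain ASCII, no ':' in id).
function clientCredentials(authHeader, body) {
  if (authHeader && authHeader.startsWith('Basic ')) {
    const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
    const i = decoded.indexOf(':');
    if (i > 0) return { id: decoded.slice(0, i), secret: decoded.slice(i + 1) };
  }
  return { id: body.client_id, secret: body.client_secret };
}

// Returns { ok: true, clientId } or { ok: false, status, error }.
function checkPasswordGrantClient(authHeader, body, clients = CLIENTS) {
  if (body.grant_type !== 'password') {
    return { ok: false, status: 400, error: 'unsupported_grant_type' };
  }
  const { id, secret } = clientCredentials(authHeader, body);
  const known = Object.prototype.hasOwnProperty.call(clients, id);
  if (!known) return { ok: false, status: 401, error: 'invalid_client' };
  const client = clients[id];
  if (client.type === 'confidential') {
    // Confidential clients must authenticate before the user's password is checked.
    if (secret === undefined || !secretsMatch(secret, client.secret)) {
      return { ok: false, status: 401, error: 'invalid_client' };
    }
  } else if (secret !== undefined) {
    // Design choice in this sketch: a public client presenting a secret is
    // rejected instead of having the secret silently ignored.
    return { ok: false, status: 401, error: 'invalid_client' };
  }
  return { ok: true, clientId: id };
}
```

The resource owner's username and password are validated only after this check passes, and tokens issued to a public client deserve a narrower scope and shorter lifetime because the client's identity is unauthenticated.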