Should non-confidential client applications be allowed to use the OAuth 2.0 Client Credentials flow?

Question

According to The OAuth 2.0 Authorization Framework, when obtaining authorization via the Client Credentials Grant flow, it says: "The client credentials grant type MUST only be used by confidential clients."

I have implemented an OAuth 2.0 provider API with doorkeeper (Ruby on Rails gem). However, a non-confidential client application, created by the OAuth 2.0 provider, is able to use the Client Credentials Grant flow with its client_id only ie without client_secret. Is this an expected behaviour?

I came across this as I was looking to protect my Resource Server API, such that even for public endpoints that do not require an end-user to be autorized ie when the Client is the Resource Owner, the client is still required to provide an Access Token.

In this use case, the Authorization Code Grant flow is not relevant since the Resource Owner is not an end-user and as per the latest OAuth 2.0 security recommendations, the Implicit Grant flows is not advised. On this basis, I found that the Client Credentials Grant flow to be the most relevant flow but I want to double check if it's appropriate to use even though the OAuth 2.0 framework says that it MUST only be used by confidential clients.

Answer 1

The client_credentials grant must only be used by confidential clients, because the client needs to store the secret. That is because the clients needs to send client_id and client_secret to the Authorization Server in order to get the Token. I don't know of any special way where the client_credentials flow can be used with only the client_id.

As far as I could see, the doorkeeper documentation also don't mention this.

But I wouldn't use client_credentials flow in a non confidential client, when the client needs to save the secret. And I would not use ANY Grant that only sends its client_id and nothing else to the /token endpoint to get a Token.