koa-oauth-server
should password grant type require client_secret?
One would think that would be optional since user/password are being used to auth and the fact that the secret would be exposed? New to OAuth, apologies if I'm mistaken!
Just following the spec, from: https://tools.ietf.org/html/rfc6749#section-4.3.2
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
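The rule quoted from RFC 6749 section 4.3.2 above, as an added example (not part of the thread and not koa-oauth-server's own code): a token-endpoint gate for `grant_type=password` that demands client authentication only from confidential clients or clients that were issued a secret, and lets a public client through on `client_id` alone. The client registry, the function names and the sample secret are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed registry: one confidential client, one public client.
const CLIENTS = {
  'backend-svc': { type: 'confidential', secret: 's3cr3t-constructed' },
  'mobile-app': { type: 'public', secret: null },
};

// Hash both sides so timingSafeEqual always sees equal-length buffers.
function secretsMatch(a, b) {
  const h = (v) => crypto.createHash('sha256').update(String(v)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Read credentials from HTTP Basic or from the body (RFC 6749 section 2.3.1).
function readClientCredentials(headers, body) {
  const m = /^Basic\s+(\S+)$/i.exec(headers.authorization || '');
  if (!m) return { id: body.client_id, secret: body.client_secret };
  // Section 2.3: at most one client authentication method per request.
  if (body.client_secret !== undefined) return { error: 'invalid_request' };
  const raw = Buffer.from(m[1], 'base64').toString('utf8');
  const i = raw.indexOf(':');
  if (i < 0) return { error: 'invalid_client' };
  try {
    // Basic credentials are form-urlencoded before base64 encoding.
    const dec = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
    return { id: dec(raw.slice(0, i)), secret: dec(raw.slice(i + 1)) };
  } catch (e) {
    return { error: 'invalid_client' };
  }
}

// Gate for grant_type=password, run before the username/password check.
function checkPasswordGrantClient(headers, body, clients = CLIENTS) {
  const creds = readClientCredentials(headers, body);
  if (creds.error === 'invalid_request') return { ok: false, status: 400, error: creds.error };
  const known = !creds.error && Object.prototype.hasOwnProperty.call(clients, creds.id);
  if (!known) return { ok: false, status: 401, error: 'invalid_client' };
  const client = clients[creds.id];
  // Section 4.3.2: confidential clients, or any client issued credentials, MUST authenticate.
  const mustAuthenticate = client.type === 'confidential' || client.secret != null;
  if (!mustAuthenticate) return { ok: true, clientId: creds.id, authenticated: false };
  if (creds.secret === undefined || !secretsMatch(creds.secret, client.secret)) {
    return { ok: false, status: 401, error: 'invalid_client' };
  }
  return { ok: true, clientId: creds.id, authenticated: true };
}
```

A client that cannot keep a secret, such as a mobile or browser app, is registered as public with no secret, so nothing is embedded in it to expose.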