Incorrect Client Secret Validation Logic in Password Grant #612

@NathaelB

Description

Location: core/src/domain/authentication/services.rs:343-351

Problem: The password grant validation logic only validates client secrets when direct_access_grants_enabled = false. For clients with direct_access_grants_enabled = true, client secret validation is completely skipped, even for confidential clients.

```rust
// 'Before' snippet quoted from the issue: the secret check is wrapped in the
// direct-access-grants condition, so for clients with
// direct_access_grants_enabled = true the whole block is skipped and any
// supplied secret goes unverified.
if !client.direct_access_grants_enabled {  // ❌ Only validates when disabled!
    if params.client_secret.is_none() {
        return Err(CoreError::InvalidClientSecret);
    }

    if client.secret != params.client_secret {
        return Err(CoreError::InvalidClientSecret);
    }
}
```

Impact:

  • For confidential clients with direct_access_grants_enabled = true (like test-client or master-realm), if a client secret is provided in a password grant, it is not validated
  • This is incorrect behavior: confidential clients should always validate client secrets if provided
  • The logic should check public_client status, not just direct_access_grants_enabled
  • Note: This issue only affects password grant. The client_credentials grant properly validates the secret but the error is still masked by Issue 1.

Expected Logic:

  • Public clients (public_client = true): Client secret should be ignored
  • Confidential clients (public_client = false):
    • If direct_access_grants_enabled = false: Client secret is required and must match
    • If direct_access_grants_enabled = true: Client secret is optional but must match if provided
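The expected logic above, written out as a stand-alone Rust function (an added example for this issue, not code from the project). The types `Client`, `PasswordGrantParams` and `SecretError`, and the function name `validate_client_secret`, are assumptions made for the illustration; the project's own `CoreError` and service layout are not reproduced.

```rust
// Added example: client-secret validation for the password grant that keys
// on public_client first, and only then on direct_access_grants_enabled.
// All names here are hypothetical and not identifiers from the code base.

#[derive(Debug, PartialEq)]
pub enum SecretError {
    /// Confidential client, direct access grants disabled, no secret sent.
    MissingClientSecret,
    /// A secret was sent but does not match the registered one.
    InvalidClientSecret,
}

pub struct Client {
    pub public_client: bool,
    pub direct_access_grants_enabled: bool,
    pub secret: Option<String>,
}

pub struct PasswordGrantParams {
    pub client_secret: Option<String>,
}

/// Decide whether the supplied client secret is acceptable for a password grant.
pub fn validate_client_secret(client: &Client, params: &PasswordGrantParams) -> Result<(), SecretError> {
    // Public clients have no secret; anything sent is ignored.
    if client.public_client {
        return Ok(());
    }
    match &params.client_secret {
        // Confidential client and a secret was sent: it must match regardless
        // of the direct_access_grants_enabled flag. (A production implementation
        // should use a constant-time comparison here.)
        Some(sent) if client.secret.as_deref() == Some(sent.as_str()) => Ok(()),
        Some(_) => Err(SecretError::InvalidClientSecret),
        // No secret sent: only acceptable when direct access grants are enabled.
        None if client.direct_access_grants_enabled => Ok(()),
        None => Err(SecretError::MissingClientSecret),
    }
}

fn main() {
    // Constructed sample: confidential client with direct access grants enabled.
    let client = Client { public_client: false, direct_access_grants_enabled: true, secret: Some("s3cret".into()) };
    let wrong = PasswordGrantParams { client_secret: Some("guess".into()) };
    // With this logic a wrong secret is rejected even though the flag is enabled.
    println!("{:?}", validate_client_secret(&client, &wrong));
}
```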
