From 0778edeb4545a05ad664c8f8f1cf35e11400e033 Mon Sep 17 00:00:00 2001
From: Mathias Gebbe <mgebbe@hellmann.com>
Date: Wed, 25 Feb 2026 13:20:18 +0100
Subject: [PATCH] fix(oauth2): restore client_credentials in default grant
 types list

The gating happens via allSupportedGrants in server.go, not via the
allowed list. Without client_credentials in the defaults, the
intersection filter always excluded it even with the flag enabled.
This matches how the password grant works: present in defaults but
only activated when the corresponding config flag is set.

Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
---
 cmd/dex/serve.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 74141158..1d3389e8 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -614,6 +614,7 @@ func applyConfigOverrides(options serveOptions, config *Config) {
 	if len(config.OAuth2.GrantTypes) == 0 {
 		config.OAuth2.GrantTypes = []string{
 			"authorization_code",
+			"client_credentials",
 			"implicit",
 			"password",
 			"refresh_token",