From 2f3c5a5314bcd1c42917e22203233a16df8a1c82 Mon Sep 17 00:00:00 2001
From: Mathias Gebbe <mathias.gebbe@gmail.com>
Date: Wed, 25 Feb 2026 22:46:17 +0100
Subject: [PATCH] refactor(oauth2): remove dead feature flag check from
 server.go

The feature flag check in the else branch of server.go is dead code
since serve.go always sets a default AllowedGrantTypes list. Move the
gate entirely to cmd/dex/serve.go and remove the unused featureflags
import. Restore server_test.go to match server.go behavior directly.

Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
---
 server/server.go      |  4 ----
 server/server_test.go | 48 ++++++++++++++++---------------------------
 2 files changed, 18 insertions(+), 34 deletions(-)

diff --git a/server/server.go b/server/server.go
index 751e2e4a..8bee65fc 100644
--- a/server/server.go
+++ b/server/server.go
@@ -44,7 +44,6 @@ import (
 	"github.com/dexidp/dex/connector/oidc"
 	"github.com/dexidp/dex/connector/openshift"
 	"github.com/dexidp/dex/connector/saml"
-	"github.com/dexidp/dex/pkg/featureflags"
 	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/web"
@@ -266,9 +265,6 @@ func newServer(ctx context.Context, c Config) (*Server, error) {
 		}
 	} else {
 		for grant := range allSupportedGrants {
-			if grant == grantTypeClientCredentials && !featureflags.ClientCredentialGrantEnabledByDefault.Enabled() {
-				continue
-			}
 			supportedGrants = append(supportedGrants, grant)
 		}
 	}
diff --git a/server/server_test.go b/server/server_test.go
index 43c756d3..c6f8cc0b 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -1773,11 +1773,9 @@ func TestServerSupportedGrants(t *testing.T) {
 		resGrants []string
 	}{
 		{
-			name: "Simple",
-			config: func(c *Config) {
-				c.AllowedGrantTypes = nil
-			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			name:      "Simple",
+			config:    func(c *Config) {},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name:      "Minimal",
@@ -1787,46 +1785,36 @@ func TestServerSupportedGrants(t *testing.T) {
 		{
 			name: "With password connector",
 			config: func(c *Config) {
-				c.AllowedGrantTypes = nil
 				c.PasswordConnector = "local"
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
-			name: "With token response",
+			name: "Without client credentials",
 			config: func(c *Config) {
-				c.AllowedGrantTypes = nil
-				c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken)
+				c.AllowedGrantTypes = []string{
+					grantTypeAuthorizationCode,
+					grantTypeRefreshToken,
+					grantTypeDeviceCode,
+					grantTypeTokenExchange,
+				}
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
-			name: "All without feature flag",
+			name: "With token response",
 			config: func(c *Config) {
-				c.AllowedGrantTypes = nil
-				c.PasswordConnector = "local"
 				c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken)
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
-		},
-		{
-			name: "With client credentials feature flag",
-			config: func(c *Config) {
-				c.AllowedGrantTypes = nil
-				t.Setenv("DEX_CLIENT_CREDENTIAL_GRANT_ENABLED_BY_DEFAULT", "true")
-			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
-			name: "Explicit client credentials in AllowedGrantTypes",
+			name: "All",
 			config: func(c *Config) {
-				c.AllowedGrantTypes = []string{
-					grantTypeAuthorizationCode,
-					grantTypeClientCredentials,
-					grantTypeRefreshToken,
-				}
+				c.PasswordConnector = "local"
+				c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken)
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 	}