Description
Reading the documentation (https://laravel.com/docs/5.6/passport#client-credentials-grant-tokens) makes it sound like a token issued for a client grant would be secure to use for internal machine-to-machine authentication.
However, the CheckClientCredentials middleware does not validate that a token is actually a client credential. It will accept a token generated for anything, password grants included. This means that if these routes are reachable, anyone could call these internal endpoints doing who knows what.
The documentation is misleading and dangerous. It makes it sound like these tokens can be used to secure API calls from internal services, but implementing it as documented does nothing of the sort.
I thought maybe I could use scopes to limit the permissions on a per-client basis but that doesn't work either! Any client can request any scopes. Client credentials don't have an associated user, so I can't do user-based permissions either. Seems like client credentials aren't a fully baked concept.
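One way to close both gaps the report describes, as an added example that is not part of the original issue and not Passport's own code: a replacement for `CheckClientCredentials` that, after `league/oauth2-server` has validated the bearer token, loads the token record and (1) rejects any token that has a user attached, which is what distinguishes a password or authorization-code token from a client-credentials token in Passport (the latter are stored with a null `user_id`), and (2) enforces a per-client scope allowlist that Passport itself does not have. The class name `CheckMachineToken` and the `passport.client_scopes` config key are assumptions made for this example; the Passport and league classes it uses (`ResourceServer`, `TokenRepository`, `Token::can`, `MissingScopeException`, `DiactorosFactory`) are the ones the stock middleware of that era relies on.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Http\Request;
use Laravel\Passport\Exceptions\MissingScopeException;
use Laravel\Passport\TokenRepository;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\ResourceServer;
use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;

/**
 * Added example, not Passport's own code: a stricter stand-in for
 * Laravel\Passport\Http\Middleware\CheckClientCredentials.
 *
 * Adds two checks the stock middleware skips:
 *   1. the token must be a client-credentials token (no user attached);
 *   2. every scope on the token must be on a per-client allowlist.
 */
class CheckMachineToken
{
    /** @var ResourceServer */
    protected $server;

    /** @var TokenRepository */
    protected $tokens;

    public function __construct(ResourceServer $server, TokenRepository $tokens)
    {
        $this->server = $server;
        $this->tokens = $tokens;
    }

    /**
     * @param  string  ...$scopes  scopes the route requires (all of them)
     */
    public function handle(Request $request, Closure $next, ...$scopes)
    {
        $psr = (new DiactorosFactory)->createRequest($request);

        try {
            // Signature, expiry and revocation are checked by league/oauth2-server,
            // exactly as the stock middleware does.
            $psr = $this->server->validateAuthenticatedRequest($psr);
        } catch (OAuthServerException $e) {
            throw new AuthenticationException;
        }

        $token = $this->tokens->find($psr->getAttribute('oauth_access_token_id'));

        // Check 1: Passport issues client-credentials tokens with no user.
        // Password and authorization-code tokens always carry one, so refuse
        // them here instead of letting a user token reach internal routes.
        if (! $token || $token->user_id !== null) {
            throw new AuthenticationException;
        }

        // Check 2: Passport lets any client request any scope, so enforce a
        // per-client allowlist ourselves. Assumed config shape (not Passport's):
        //   'client_scopes' => ['<client id>' => ['scope-a', 'scope-b']]
        $allowed = config('passport.client_scopes.'.$token->client_id, []);

        foreach ((array) $token->scopes as $granted) {
            if (! in_array($granted, $allowed, true)) {
                throw new MissingScopeException([$granted]);
            }
        }

        // Route-level requirement: the token must hold every listed scope.
        foreach ($scopes as $required) {
            if (! $token->can($required)) {
                throw new MissingScopeException($scopes);
            }
        }

        return $next($request);
    }
}
```

Register it under a key of your choosing in `$routeMiddleware` (for example `'machine' => \App\Http\Middleware\CheckMachineToken::class`) and apply it as `->middleware('machine:scope-a')`. Because the allowlist is checked against the scopes actually recorded on the token rather than the scopes the route asks for, a client that managed to obtain a token with a scope it was never meant to hold is rejected even on routes that do not require that scope.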