I'm using django-oauth-toolkit and I can't figure out why when I use client_credentials, I can literally insert any username/password combo and they always return a token even if the username/password combo is nowhere in the database.
This is my postman request body:
On the admin portal, I don't even see the user selected under "user":
How do I only allow valid username/password combos to return an access token and how do I attach a user to an access token?
You'll need to use 'resource owner password based' grant type, instead of 'client credentials'.