diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 516db258dfa..8e0cd9c84da 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -167,6 +167,16 @@ Doorkeeper.configure do
 
   grant_flows %w(authorization_code client_credentials)
 
+  # If the client is not a confidential client, it should not be able to use the
+  # client_credentials grant flow, since it cannot keep a secret.
+  allow_grant_flow_for_client do |grant_flow, client|
+    if grant_flow == Doorkeeper::OAuth::CLIENT_CREDENTIALS
+      client.confidential?
+    else
+      true
+    end
+  end
+
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.