Conversation
@domenic this is great! This meets my use case... I only intend to use public clients. The readme does a good job of explaining how to configure for public clients. Looking through the test cases, I see that when configured for public clients it will return a token for requests that include an authentication header without validating the client credentials. That seems to violate some requirements in the ROPC section (http://tools.ietf.org/html/rfc6749#section-4.3.2) says:
This doesn't affect my use case, so I'll let you decide what you think.
See also #20.
@ebymatthew, please review and let me know if this works for you. I don't call validateClient this way, which seems better, and I avoid having a boolean flag that affects the hook behavior. The readme and the integration test/example server are probably the most relevant things to review.
If this meets your use case I'll push out a 4.1.0 with it shortly.